European Union: ISO 37002 – Best Practices In Whistleblowing Management Systems

Last Updated: 15 August 2019
Article by Jan Stappers and Renaud Mousty
Most Read Contributor in Sweden, October 2019

Since 2018, an international group of experts has been working together to develop ISO 37002, a new global standard with best practices for developing and implementing an effective and responsive whistleblowing management system. WhistleB is part of this process. For more information about the background of ISO 37002, its scope and its added value for organisations around the globe, we recommend a recent article in The Association of Certified Fraud Examiners' Fraud Magazine, authored by WhistleB. In this blog post, we will answer some of the questions we are most commonly asked in relation to ISO 37002 – without getting into the details of the standard itself.

How does ISO 37002 complement the EU Whistleblower Protection Directive and other regulations?

With the approval of the EU Whistleblower Protection Directive, it is easy for many of us in the European Union to forget that ISO 37002 is in development and how important it is for organisations that want to implement a best practice whistleblowing management system. For that is what the ISO 37002 is about.

The EU Directive (and other national regulations) is a statement of what is required of both private and public organisations in Europe when it comes to whistleblower protection. It addresses obligations related to security, confidentiality, response times, skills of people receiving reports, data protection and more. What the ISO 37002 will provide, however, is practical guidance on the how. How can a forward-thinking organisation, anywhere in the world, that wants more transparency and recognises the important role of whistleblowers in preventing and detecting corporate wrongdoing, build an effective whistleblowing management system? That is the aim of ISO 37002.

What is WhistleB's role in ISO 37002 development?

WhistleB is proud to be a participant in WG3, the working group preparing the ISO 37002 standard. We see the drafting of the standard as an important responsibility that is in line with our mission: Whistleblowing made trustworthy, helping organisations foster a safe and more transparent work environment.

What is our role in ISO 37002 development then? In addition to years of compliance and ethics experience, WhistleB brings expertise in technology to the discussion. WhistleB was an early mover in using the latest technology to make whistleblowing management more effective and secure. While technology will never replace legal and investigative expertise and experience in whistleblowing management, it is a powerful complement that simplifies actions, streamlines processes and boosts efficiency and security.

Further, but certainly no less important, we have always been convinced that anonymity lies at the heart of getting greater value from a whistleblowing system (see the question on anonymity below). Secure, technology-based solutions make anonymous whistleblowing possible and remove some of the main barriers to blowing the whistle.

Our perspective on the added value of technology, both for the experts involved in the whistleblowing management process and for the whistleblower, is a large part of what we provide in the ISO 37002 development process.

Below are some of the impacts of technology in whistleblowing management:

1. Confidentiality or anonymity of the whistleblower. Secure technology protects the confidentiality of the whistleblower and can guarantee anonymity if the customer allows it (see the question below).

2. User-friendliness. Technology simplifies the initial reporting process for the whistleblower and thus removes some of the logistical barriers that might reduce the likelihood of a person blowing the whistle. First, digital channels can be made accessible through a user-friendly interface, from all sorts of devices, at all times of the day, and anywhere in the world. Consequently, whistleblowers do not have to be concerned about where, when and how they can raise an alert securely. Further, technology can seamlessly connect the whistleblower with the authorised person/team that has the mandate to manage the whistleblower's report, thus facilitating correct, sensitive, compliant and respectful management of the report. Finally, secure language translation software can greatly diminish language barriers.

3. Efficiency. For the whistleblowing team that receives the alerts, technology significantly reduces their day-to-day administrative burden. Everything from decisions about what needs to happen to the case, triage, assignment, a systematic audit trail, communication with a whistleblower, documentation of information, to effective investigations, handling of evidence and archiving can be improved through technology. The latency time for the handling of a report is thus significantly reduced and the process becomes more efficient when it is technology-enabled.

4. Transparency. Technology allows for more transparency and greater trust and confidence through defined processes, monitoring, feedback, access control, management and board reporting.

5. Legal compliance. With today's stricter data protection laws, such as the GDPR in the EU, technology can help to minimise compliance risks and prevent information disclosure. Interpretation of complex laws and regulations can be embedded and configured into best practices within digital whistleblowing management systems. Going back to ISO 37002, WhistleB's solutions are digital. The integrated communication channel and case management tool allow users to manage whistleblowing cases in an effective manner, in line with both applicable legal frameworks and international standards.

What is the difference between confidential and anonymous reporting?

This is a question we receive that is not solely related to ISO 37002, and it is worth considering in the context of best practice organisational whistleblowing management systems.

Confidential reporting is where the identity of the whistleblower is known by the person receiving the report, but it is kept confidential and should not be divulged without the consent of the whistleblower. Anonymous reporting is when the identity of the whistleblower is not known. The whistleblower may choose to divulge his or her identity later in the investigation process, once a trusted relationship has been established.

While we have come a long way, for example with the EU Whistleblower Protection Directive requiring that the identity of a whistleblower be kept confidential, there is always a risk of a breach of confidentiality. For example, in some instances, state authorities have the right to seize confidential information for specific purposes. What happens if the whistleblower's identity is leaked in that process? And what happens when a person within an organisation with the wrong intentions but significant power demands to know who was behind a report of irregularities? These cases are not uncommon and have been the subject of media discussions in recent times. Further, the identity of a whistleblower can unintentionally be divulged as more people become involved in an investigation, or if those managing a case are not properly trained in ensuring identities remain confidential through descriptions and reporting.

Anonymous whistleblowing removes many of these issues. Most importantly though, customer cases have shown us the power of anonymity for encouraging people to dare to blow the whistle at all. Understandably, fear of retaliation stops people having the courage to speak up if they cannot remain anonymous. Consequently, organisational leaders remain unaware of wrongdoing as they do not receive the valuable, hard-to-get information that could help them correct misconduct at an early stage. This is why WhistleB advocates permitting anonymous whistleblower reporting if that is what a whistleblower prefers.

Linking back to the above question on technology, the need for anonymity is why we have built a secure system that technically allows a person to remain anonymous throughout the entire reporting, case management, investigation, closing and deletion process. Our system has in-built functionality that protects the anonymity of the whistleblower and allows secure and anonymous dialogue to take place between the whistleblower and the case management experts.

One of the ISO 37002 WG3 experts based in Australia, Dean Newlan of RightCall, who is also a partner to WhistleB, provides a valuable summary of the importance of choice and anonymity here:

"In modern business, there is an ever-growing range of communication channels. Some people will prefer one form of communication in a given context while others, in the same context, will reject it and insist on another from a range of alternatives. The modern world seems to be all about 'choice' and presenting the individual with more alternatives than they could ever use. This principle has particular application to misconduct reporting. In order for a business to build a robust and effective misconduct reporting system, it needs to offer employees and other eligible whistleblowers an extensive range of alternative ways of 'speaking up'. A platform such as WhistleB provides an important avenue for an organisation's workforce to report suspected wrongdoing. It is particularly important where someone wishing to report wrongdoing fears reprisal either by the organisation or by an individual connected with the organisation. WhistleB provides a convenient and secure communication channel for people who wish to speak up but who fear retribution and need to be assured that their anonymity is guaranteed before they do."

In the context of ISO 37002, the WG3 acknowledges the importance of creating a protective environment where people can confidently report concerns, as this is crucial to effectively preventing and dealing with wrongdoings.

Keep your eye on ISO 37002

Your organisation may be one of the many that are soon to become legally obliged to provide a confidential whistleblowing system. Or perhaps you may be in an organisation that is investigating whistleblowing management systems as a way to underpin your code of conduct and improve business ethics. Whichever category you fall into, it is well worth aiming for best practice in whistleblowing management, and thus keeping an eye on the development of ISO 37002. To understand more about the background to the standard, read WhistleB's earlier blog on ISO 37002.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
