Some Frequently Asked Questions (FAQ) about ISO and about ISO 37002:2021 (download as PDF)




  1. Who is ISO and what is a Standard?

ISO is an independent, non-governmental international organization based in Geneva, Switzerland with a membership of 163 national standard bodies. It has developed and published over 20,000 international standards of which the most well-known are ISO 3166 – Country Codes, ISO-4217 – Currency Codes and, in the field of management systems, ISO 9001 – Quality Management. 

More information about ISO and its standards.


  1. What is a Management System?

management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.   


  1. How are standards developed?

For information on how Standards are developed, please see.


  1. Where can I obtain copies of standards?

Standards can be purchased on-line from the ISO store.

Standards may also be purchased from national ISO member body.


  1. What is “certification”?

Certification is the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.

Certification can be a useful tool to add credibility, by demonstrating that your product or service meets the expectations of your customers and other stakeholders. For some industries, certification is a legal or contractual requirement.


  1. Does ISO certify organizations to its Standards?

ISO develops international standards, but does not perform certification and does not issue certifications. This is performed by certification bodies external to ISO, thus an organization cannot be certified by ISO.  However, ISO’s Committee on Conformity Assessment (CASCO) has produced a number of standards related to the certification process, which are used by certification bodies.




  1. What is ISO 37002?

ISO 37002 provides guidelines for implementing, managing, evaluating, maintaining and improving a robust and effective management system within an organization for whistleblowing.

Based on the principles of Trust, Impartiality and Protection, ISO 37002 is a Guidance Standard which was developed by ISO Technical Committee 309 Governance of Organizations.  


  1. Why was ISO 37002 proposed and developed?

The whistleblowing landscape has changed significantly over the last years. High profile cases have prompted new whistleblower protection regulations and legislation across the globe. This resulted in organizations having had to re-evaluate the effectiveness of their internal reporting systems.

But even with the increased awareness about the necessity of identifying and addressing concerns internally many employees still prefer to report misconduct publicly or not to report at all. Possible reasons for this are that employees distrust their organizations to respond to their reports, uncertainty about whether the organization will take a report seriously, doubt that information will be treated in a confidential manner and fearing victimisation.  These are all real and valid concerns. To enable morally astute whistleblowers to act, organizations must put systems, processes, and policies in place that will assist them in this regard. ISO 37002 provides guidance to organizations to achieve the latter.


  1. Are there other ISO standards related to ISO 37002?

Yes.  Some of the Standards related to ISO 37002 include:


  1. Is compliance with ISO 37002 mandatory?

Generally, no.  It is a voluntary standard that an organization can adopt, if desired.  However, it is possible for compliance with the Standard to become a legal or contractual requirement for certain organizations or industries.  Examples might include public procurement and supply chains.


  1.  Does ISO 37002 define “whistleblowing”?

“Whistleblowing” is specifically defined by the various laws and regulations that are applicable to an organization.  ISO 37002 generally defines whistleblowing as: Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing.


  1. Who can use ISO 37002?

ISO 37002 is flexible and can be adapted to a wide range of organizations, irrespective of size, sector, structure, geography, or jurisdiction. It is applicable to small, medium, and large organizations, as well as parts of an organization. In the private sector, ISO 37002 can be used by business enterprises as well as not-for-profit and non-governmental organizations. ISO 37002 can also be used in the public sector.


  1.  How will the Standard benefit an organization?

The Standard provides minimum requirements and supporting guidance for implementing or benchmarking a whistleblowing management system. It is a management tool and brings assurance to management, investors, employees, customers and other stakeholders that an organization is taking reasonable steps to prevent, detect, and appropriately manage concerns about wrong-doing.

In the event of an investigation, the Standard may also be taken into account as evidence that an organization has taken reasonable, proactive steps to identify and mitigate wrong-doing as well as protecting whistleblowers and other stakeholders.

Implementation of the Standard can also provide an organization with a competitive advantage and increased stakeholder, shareholder, and customer trust. 


  1. Does use of the Standard protect an organization against prosecution in case of whistleblowing retaliation by its personnel or its business associates?

Use of the Standard does not offer an absolute protection against the prosecution of the organization for retaliation occurring in its sphere of activity. It may, however, serve as evidence that the organization has put adequate measures in place to prevent retaliation, which may reduce or even exclude its liability.



  1. Does implementation of and conformity with ISO 37002 guarantee that retaliation will not occur?

No.  ISO 37002 cannot provide assurance that retaliation has not or will not occur in an organization.  It can help the organization to prevent, detect and respond to retaliation, and strengthen the whistleblowing culture.



  1. How is the Standard used?

Organizations may decide to use the Standard in a number of ways. For example:

  • Guidance material to provide to potential or current stakeholders to assist in development of their anti-bribery management system or set expectations
  • A benchmark to evaluate the:
    • Organization’s existing whistleblowing management system
      • Whistleblowing system of an organization already within an existing value chain
      • Whistleblowing system of a new organization being considered for entry into an existing value chain
  • A blueprint to design a new whistleblowing system or improve an existing one
  • A program to reference when reviewing, monitoring, or auditing a business associate
  • A competitive advantage, once implemented, to differentiate an organization from its competitors
  • A requirement as a condition to start or continue business with an organization. 


  1. Is the standard sector specific?

37002 is non-sector specific and can be used by organizations of all sizes, including SMEs, and those with international operations. It will be applicable to all organizations in the public, private, and voluntary sectors.


  1. How will the implementation of ISO 37002 assist organizations?

ISO 37002 provides guidance for organizations to create a whistleblowing management system based on the principles of trust, impartiality and protection. If implemented effectively, organizations will benefit as follows:

  • the reporting of wrongdoing will be encouraged and facilitated;
  • whistleblowers, and other people involved, will be supported and protected;
  • reports of wrongdoing will be dealt with in a proper and timely manner;
  • the organizational culture, governance and the prevention of wrongdoing will be improved;
  • wrongdoing will be identified and addressed at the earliest opportunity;
  • loss of assets and aiding recovery of lost assets will be prevented or minimize;
  • compliance with organizational policies, procedures, and legal and social obligations will be ensured;
  • personnel committed to the organization’s values and culture will be attracted and retained;
  • organizations will demonstrate sound, ethical governance practices to society, markets, regulators, owners and other interested parties.


  1. What are addressed in ISO 37002?

ISO 37002 addresses the four pillars of a successful and responsive whistleblowing environment, namely:

  • receiving reports of wrongdoing;
  • assessing reports of wrongdoing;
  • addressing reports of wrongdoing;
  • concluding whistleblowing cases.

Such a system is essential to build trust in the organization and the organization’s commitment to ethical practices. Not only will such a system demonstrate leadership commitment to preventing and addressing wrongdoing, it will also encourage persons to report wrongdoing timeously, reduce and prevent unfavourable treatment and victimisation of whistleblowers and other involved parties, encourage a culture of transparency and accountability, and ‘make it okay’ for people to blow the whistle.


  1. Does the Standard have to cover an entire organization?

No. The Standard may be used by an entire organization, such as e.g. a group of companies, but may also be used for parts of an organization, e.g., for only certain activities of an organization or for only one or more companies of a group of companies. 


  1. Who in the organization is involved in ISO 37002 planning, implementation, management, and maintenance?

Everyone in the organization has roles and responsibilities related to the design, planning, implementation, management, and ongoing maintenance of an ISO 37002 whistleblowing Management System. For example, leadership is responsible for supporting the program by prohibiting retaliation and ensuring sufficient resources are allocated to implement the programme. Management is responsible for implementing and managing the programme. All employees are responsible for knowing, and complying with, the whistleblowing policy, completing training, and reporting actual or potential cases of non-compliance.


  1. How long will it take to implement the Standard?

The time needed to implement the Standard can vary greatly from one organization to another, depending on factors like size, structure, geographical spread, complexity, resources, subject matter expertise, etc. For a large organization, it is reasonable to allow for one year or two, while a small organization may implement the guidance in a matter of months.

Complying with the Standard is an on-going process, not a one-time event.




  1. Can an organization be certified to ISO 37002?

No. ISO 37002 is a guidance standard, meaning that it provides guidance. It's not written with the intention of certification.