Some Frequently Asked Questions (FAQ) about ISO and about ISO 37002:2021
ISO – GENERAL
- Who is ISO and what is a Standard?
ISO is an independent, non-governmental international organization based in Geneva, Switzerland, with a membership of 163 national standards bodies. It has developed and published over 20,000 international standards, of which the most well-known are ISO 3166 – Country Codes, ISO 4217 – Currency Codes and, in the field of management systems, ISO 9001 – Quality Management.
- What is a Management System?
A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.
- How are standards developed?
For information on how Standards are developed, please see.
- Where can I obtain copies of standards?
Standards can be purchased on-line from the ISO store.
Standards may also be purchased from a national ISO member body.
- What is “certification”?
Certification is the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.
Certification can be a useful tool to add credibility, by demonstrating that your product or service meets the expectations of your customers and other stakeholders. For some industries, certification is a legal or contractual requirement.
- Does ISO certify organizations to its Standards?
ISO develops international standards, but does not perform certification and does not issue certifications. This is performed by certification bodies external to ISO, thus an organization cannot be certified by ISO. However, ISO’s Committee on Conformity Assessment (CASCO) has produced a number of standards related to the certification process, which are used by certification bodies.
ISO 37002 – GENERAL
- What is ISO 37002?
ISO 37002 provides guidelines for implementing, managing, evaluating, maintaining and improving a robust and effective management system within an organization for whistleblowing.
Based on the principles of Trust, Impartiality and Protection, ISO 37002 is a Guidance Standard which was developed by ISO Technical Committee 309 Governance of Organizations.
- Why was ISO 37002 proposed and developed?
- Are there other ISO standards related to ISO 37002?
Yes. Some of the Standards related to ISO 37002 include:
- ISO 37001 Anti-bribery Management Systems – Requirements with Guidance for Use
- ISO 37301 Compliance Management Systems – Requirements with Guidance for Use
- ISO 31000 Risk Management – Principles and Guidelines
- Is compliance with ISO 37002 mandatory?
Generally, no. It is a voluntary standard that an organization can adopt, if desired. However, it is possible for compliance with the Standard to become a legal or contractual requirement for certain organizations or industries. Examples might include public procurement and supply chains.
- Does ISO 37002 define “whistleblowing”?
“Whistleblowing” is specifically defined by the various laws and regulations that are applicable to an organization. ISO 37002 generally defines whistleblowing as the act of reporting suspected wrongdoing or risk of wrongdoing.
- Who can use ISO 37002?
ISO 37002 is flexible and can be adapted to a wide range of organizations, irrespective of size, sector, structure, geography, or jurisdiction. It is applicable to small, medium, and large organizations, as well as parts of an organization. In the private sector, ISO 37002 can be used by business enterprises as well as not-for-profit and non-governmental organizations. ISO 37002 can also be used in the public sector.
- How will the Standard benefit an organization?
The Standard provides minimum requirements and supporting guidance for implementing or benchmarking a whistleblowing management system. It is a management tool and brings assurance to management, investors, employees, customers and other stakeholders that an organization is taking reasonable steps to prevent, detect, and appropriately manage concerns about wrongdoing.
In the event of an investigation, the Standard may also be taken into account as evidence that an organization has taken reasonable, proactive steps to identify and mitigate wrongdoing as well as to protect whistleblowers and other stakeholders.
Implementation of the Standard can also provide an organization with a competitive advantage and increased stakeholder, shareholder, and customer trust.
- Does use of the Standard protect an organization against prosecution in case of whistleblowing retaliation by its personnel or its business associates?
Use of the Standard does not offer an absolute protection against the prosecution of the organization for retaliation occurring in its sphere of activity. It may, however, serve as evidence that the organization has put adequate measures in place to prevent retaliation, which may reduce or even exclude its liability.
- Does implementation of and conformity with ISO 37002 guarantee that retaliation will not occur?
No. ISO 37002 cannot provide assurance that retaliation has not or will not occur in an organization. It can help the organization to prevent, detect and respond to retaliation, and strengthen the whistleblowing culture.
- How is the Standard used?
Organizations may decide to use the Standard in a number of ways. For example:
- Guidance material to provide to potential or current stakeholders to assist in development of their anti-bribery management system or set expectations
- A benchmark to evaluate the:
  - Organization’s existing whistleblowing management system
  - Whistleblowing system of an organization already within an existing value chain
  - Whistleblowing system of a new organization being considered for entry into an existing value chain
- A blueprint to design a new whistleblowing system or improve an existing one
- A program to reference when reviewing, monitoring, or auditing a business associate
- A competitive advantage, once implemented, to differentiate an organization from its competitors
- A requirement as a condition to start or continue business with an organization.
- Is the standard sector specific?
- How will the implementation of ISO 37002 assist organizations?
- What is addressed in ISO 37002?
- receiving reports of wrongdoing;
- assessing reports of wrongdoing;
- addressing reports of wrongdoing;
- concluding whistleblowing cases.
- Does the Standard have to cover an entire organization?
No. The Standard may be used by an entire organization, such as a group of companies, but may also be used for parts of an organization, e.g., for only certain activities of an organization or for only one or more companies of a group of companies.
- Who in the organization is involved in ISO 37002 planning, implementation, management, and maintenance?
Everyone in the organization has roles and responsibilities related to the design, planning, implementation, management, and ongoing maintenance of an ISO 37002 whistleblowing management system. For example, leadership is responsible for supporting the programme by prohibiting retaliation and ensuring sufficient resources are allocated to implement the programme. Management is responsible for implementing and managing the programme. All employees are responsible for knowing, and complying with, the whistleblowing policy, completing training, and reporting actual or potential cases of non-compliance.
- How long will it take to implement the Standard?
The time needed to implement the Standard can vary greatly from one organization to another, depending on factors like size, structure, geographical spread, complexity, resources, subject matter expertise, etc. For a large organization, it is reasonable to allow for one or two years, while a small organization may implement the guidance in a matter of months.
Complying with the Standard is an on-going process, not a one-time event.
ISO 37002 – CERTIFICATION
- Can an organization be certified to ISO 37002?
No. ISO 37002 is a guidance standard, meaning that it provides guidance. It's not written with the intention of certification.