Whistleblowing management systems - Guidelines

This document gives guidelines for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.
The guidelines of this document are generic and intended to be applicable to all organizations, regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors.
The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The whistleblowing management system can be stand-alone or can be used as part of an overall management system.

Systèmes de management des alertes - Lignes directrices

Le présent document fournit des lignes directrices pour établir, mettre en œuvre et tenir à jour un système de management des alertes efficace, fondé sur les principes de confiance, d’impartialité et de protection et comprenant les quatre étapes suivantes:
a) réception des signalements d’actes répréhensibles;
b) évaluation des signalements d’actes répréhensibles;
c) traitement des signalements d’actes répréhensibles;
d) clôture des cas d’alertes.
Les lignes directrices du présent document sont génériques et destinées à s’appliquer à tous les organismes, indépendamment du type, de la taille et de la nature de l’activité, qu’ils évoluent dans le secteur public, privé ou à but non lucratif.
L’étendue de l’application de ces lignes directrices dépend des facteurs décrits en 4.1, 4.2 et 4.3. Le système de management des alertes peut être autonome ou peut être utilisé dans le cadre d’un système de management global.

Sistem vodenja prijavljanja nepravilnosti - Smernice

General Information

Status
Published
Publication Date
07-Nov-2021
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
24-Sep-2021
Due Date
29-Nov-2021
Completion Date
08-Nov-2021

Buy Standard

Standard
ISO 37002:2021
English language
40 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Standard
ISO 37002:2021 - Whistleblowing management systems -- Guidelines
English language
33 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ISO 37002:2021 - Systèmes de management des alertes -- Lignes directrices
French language
35 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ISO 37002:2021 - Whistleblowing management systems -- Guidelines
Spanish language
35 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/FDIS 37002:Version 18-apr-2021 - Whistleblowing management systems -- Guidelines
English language
32 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

SLOVENSKI STANDARD
SIST ISO 37002:2021
01-december-2021
Sistem vodenja prijavljanja nepravilnosti - Smernice
Whistleblowing management systems - Guidelines
Systèmes de management des alertes - Lignes directrices
Ta slovenski standard je istoveten z: ISO 37002:2021
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
03.100.02 Upravljanje in etika Governance and ethics
03.100.70 Sistemi vodenja Management systems
SIST ISO 37002:2021 en,fr
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST ISO 37002:2021

---------------------- Page: 2 ----------------------
SIST ISO 37002:2021
INTERNATIONAL ISO
STANDARD 37002
First edition
2021-07
Whistleblowing management
systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Reference number
ISO 37002:2021(E)
©
ISO 2021

---------------------- Page: 3 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

---------------------- Page: 4 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 7
4.1 Understanding the organization and its context . 7
4.2 Understanding the needs and expectations of interested parties . 8
4.3 Determining the scope of the whistleblowing management system . 8
4.4 Whistleblowing management system . 9
5 Leadership . 9
5.1 Leadership and commitment . 9
5.1.1 Governing body . 9
5.1.2 Top management .10
5.2 Whistleblowing policy .10
5.3 Roles, responsibilities and authorities .11
5.3.1 Top management and governing body . .11
5.3.2 Whistleblowing management function .12
5.3.3 Delegated decision-making .12
6 Planning .13
6.1 Actions to address risks and opportunities .13
6.2 Whistleblowing management system objectives and planning to achieve them .13
6.3 Planning of changes .14
7 Support .14
7.1 Resources .14
7.2 Competence .14
7.3 Awareness .15
7.3.1 General.15
7.3.2 Personnel training and awareness measures .15
7.3.3 Training for leaders and other specific roles .16
7.4 Communication .17
7.5 Documented information .18
7.5.1 General.18
7.5.2 Creating and updating documented information .18
7.5.3 Control of documented information .18
7.5.4 Data protection . .19
7.5.5 Confidentiality .19
8 Operation .20
8.1 Operational planning and control .20
8.2 Receiving reports of wrongdoing .22
8.3 Assessing reports of wrongdoing .23
8.3.1 Assessing the reported wrongdoing .23
8.3.2 Assessing and preventing risks of detrimental conduct .24
8.4 Addressing reports of wrongdoing.25
8.4.1 Addressing the reported wrongdoing .25
8.4.2 Protecting and supporting the whistleblower .26
8.4.3 Addressing detrimental conduct.26
8.4.4 Protecting the subject(s) of a report . .27
8.4.5 Protecting relevant interested parties .27
8.5 Concluding whistleblowing cases .27
9 Performance evaluation .28
© ISO 2021 – All rights reserved iii

---------------------- Page: 5 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

9.1 Monitoring, measurement, analysis and evaluation .28
9.1.1 General.28
9.1.2 Indicators for evaluation .28
9.1.3 Information sources .29
9.2 Internal audit .30
9.2.1 General.30
9.2.2 Internal audit programme .30
9.3 Management review .30
9.3.1 General.30
9.3.2 Management review inputs .30
9.3.3 Management review results .31
10 Improvement .31
10.1 Continual improvement .31
10.2 Nonconformity and corrective action .31
Bibliography .33
iv © ISO 2021 – All rights reserved

---------------------- Page: 6 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO 2021 – All rights reserved v

---------------------- Page: 7 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

Introduction
Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and
experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected
organization via reports from persons within or close to the organization.
Organizations are increasingly considering introducing or improving internal whistleblowing policies
and processes in response to regulation or on a voluntary basis.
This document provides guidance to organizations for establishing, implementing, maintaining and
improving a whistleblowing management system, with the following outcomes:
a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.
Potential benefits for the organization include:
— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and
other interested parties.
An effective whistleblowing management system will build organizational trust by:
— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.
This document provides guidance for organizations to create a whistleblowing management system
based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the
size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to
improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing
legislation.
This document adopts the “harmonized structure” (i.e. clause sequence, common text and common
terminology) developed by ISO to improve alignment among International Standards for management
systems. Organizations may adopt this document as stand-alone guidance for their organization or along
with other management system standards, including to address whistleblowing-related requirements
in other ISO management systems.
Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how
the principles of trust, impartiality and protection overlay all elements of such a system.
vi © ISO 2021 – All rights reserved

---------------------- Page: 8 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

Figure 1 — Overview of a whistleblowing management system
© ISO 2021 – All rights reserved vii

---------------------- Page: 9 ----------------------
SIST ISO 37002:2021

---------------------- Page: 10 ----------------------
SIST ISO 37002:2021
INTERNATIONAL STANDARD ISO 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope
This document gives guidelines for establishing, implementing and maintaining an effective
whistleblowing management system based on the principles of trust, impartiality and protection in the
following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.
The guidelines of this document are generic and intended to be applicable to all organizations,
regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors.
The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The
whistleblowing management system can be stand-alone or can be used as part of an overall management
system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and
objectives (3.25), as well as processes (3.27) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
© ISO 2021 – All rights reserved 1

---------------------- Page: 11 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.25)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers
[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]
3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
Note 1 to entry: An interested party can be internal or external to the organization.
Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects
of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media,
regulators and the organization as a whole.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.
3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)
Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.
Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board,
a supervisory board or trustees.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have
replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been
added.]
2 © ISO 2021 – All rights reserved

---------------------- Page: 12 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.8
wrongdoing
action(s) or omission(s) that can cause harm
Note 1 to entry: Wrongdoing can include, but is not limited to, the following:
— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7);
— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of
authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and
safety, safe work-practices or the public interest.
Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can
happen in the future.
Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.
3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8), and has reasonable belief that the information
is true at the time of reporting
Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information
known to that individual, which would also be held by a person in the same circumstances.
Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:
— personnel (3.3) within an organization (3.2);
— personnel within external parties, including legal persons, with whom the organization has established, or
plans to establish, some form of business relationship including, but not limited to, clients, customers, joint
ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-
contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.
3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)
Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.
Note 2 to entry: It is common to distinguish:
— open whistleblowing, where the whistleblower discloses information without withholding their identity or
requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify
them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the
whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their
identity.
© ISO 2021 – All rights reserved 3

---------------------- Page: 13 ----------------------
SIST ISO 37002:2021
ISO 37002:2021(E)

Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an
equivalent.
3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10)
management system (3.1)
3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking
preliminary measures, prioritization and assignment for further handling
Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or
suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational,
financial, environmental, human or other damages.
3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a
whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)
Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including, but not
limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse
performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services,
blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution
or legal action, harassment, isolation, imposition of any form of physical or psychological harm.
Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions,
done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.
Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a
reasonable standard of care at any step of the whistleblowing process (3.27).
Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management,
unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.
Note 5 to entry: Other relevant interested parties can include prospective or perceived whistl
...

INTERNATIONAL ISO
STANDARD 37002
First edition
2021-07
Whistleblowing management
systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Reference number
ISO 37002:2021(E)
©
ISO 2021

---------------------- Page: 1 ----------------------
ISO 37002:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 37002:2021(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 7
4.1 Understanding the organization and its context . 7
4.2 Understanding the needs and expectations of interested parties . 8
4.3 Determining the scope of the whistleblowing management system . 8
4.4 Whistleblowing management system . 9
5 Leadership . 9
5.1 Leadership and commitment . 9
5.1.1 Governing body . 9
5.1.2 Top management .10
5.2 Whistleblowing policy .10
5.3 Roles, responsibilities and authorities .11
5.3.1 Top management and governing body . .11
5.3.2 Whistleblowing management function .12
5.3.3 Delegated decision-making .12
6 Planning .13
6.1 Actions to address risks and opportunities .13
6.2 Whistleblowing management system objectives and planning to achieve them .13
6.3 Planning of changes .14
7 Support .14
7.1 Resources .14
7.2 Competence .14
7.3 Awareness .15
7.3.1 General.15
7.3.2 Personnel training and awareness measures .15
7.3.3 Training for leaders and other specific roles .16
7.4 Communication .17
7.5 Documented information .18
7.5.1 General.18
7.5.2 Creating and updating documented information .18
7.5.3 Control of documented information .18
7.5.4 Data protection . .19
7.5.5 Confidentiality .19
8 Operation .20
8.1 Operational planning and control .20
8.2 Receiving reports of wrongdoing .22
8.3 Assessing reports of wrongdoing .23
8.3.1 Assessing the reported wrongdoing .23
8.3.2 Assessing and preventing risks of detrimental conduct .24
8.4 Addressing reports of wrongdoing.25
8.4.1 Addressing the reported wrongdoing .25
8.4.2 Protecting and supporting the whistleblower .26
8.4.3 Addressing detrimental conduct.26
8.4.4 Protecting the subject(s) of a report . .27
8.4.5 Protecting relevant interested parties .27
8.5 Concluding whistleblowing cases .27
9 Performance evaluation .28
© ISO 2021 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 37002:2021(E)

9.1 Monitoring, measurement, analysis and evaluation .28
9.1.1 General.28
9.1.2 Indicators for evaluation .28
9.1.3 Information sources .29
9.2 Internal audit .30
9.2.1 General.30
9.2.2 Internal audit programme .30
9.3 Management review .30
9.3.1 General.30
9.3.2 Management review inputs .30
9.3.3 Management review results .31
10 Improvement .31
10.1 Continual improvement .31
10.2 Nonconformity and corrective action .31
Bibliography .33
iv © ISO 2021 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 37002:2021(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO 2021 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 37002:2021(E)

Introduction
Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and
experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected
organization via reports from persons within or close to the organization.
Organizations are increasingly considering introducing or improving internal whistleblowing policies
and processes in response to regulation or on a voluntary basis.
This document provides guidance to organizations for establishing, implementing, maintaining and
improving a whistleblowing management system, with the following outcomes:
a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.
Potential benefits for the organization include:
— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and
other interested parties.
An effective whistleblowing management system will build organizational trust by:
— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.
This document provides guidance for organizations to create a whistleblowing management system
based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the
size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to
improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing
legislation.
This document adopts the “harmonized structure” (i.e. clause sequence, common text and common
terminology) developed by ISO to improve alignment among International Standards for management
systems. Organizations may adopt this document as stand-alone guidance for their organization or along
with other management system standards, including to address whistleblowing-related requirements
in other ISO management systems.
Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how
the principles of trust, impartiality and protection overlay all elements of such a system.
vi © ISO 2021 – All rights reserved

---------------------- Page: 6 ----------------------
ISO 37002:2021(E)

Figure 1 — Overview of a whistleblowing management system
© ISO 2021 – All rights reserved vii

---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope
This document gives guidelines for establishing, implementing and maintaining an effective
whistleblowing management system based on the principles of trust, impartiality and protection in the
following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.
The guidelines of this document are generic and intended to be applicable to all organizations,
regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors.
The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3. The
whistleblowing management system can be stand-alone or can be used as part of an overall management
system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and
objectives (3.25), as well as processes (3.27) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
© ISO 2021 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO 37002:2021(E)

3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.25)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers
[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]
3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
Note 1 to entry: An interested party can be internal or external to the organization.
Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects
of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media,
regulators and the organization as a whole.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.
3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)
Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.
Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board,
a supervisory board or trustees.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have
replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have been
added.]
2 © ISO 2021 – All rights reserved

---------------------- Page: 9 ----------------------
ISO 37002:2021(E)

3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.8
wrongdoing
action(s) or omission(s) that can cause harm
Note 1 to entry: Wrongdoing can include, but is not limited to, the following:
— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7);
— gross negligence, bullying, harassment, discrimination, unauthorized use of funds or resources, abuse of
authority, conflict of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and
safety, safe work-practices or the public interest.
Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can
happen in the future.
Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.
3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8), and has reasonable belief that the information
is true at the time of reporting
Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information
known to that individual, which would also be held by a person in the same circumstances.
Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:
— personnel (3.3) within an organization (3.2);
— personnel within external parties, including legal persons, with whom the organization has established, or
plans to establish, some form of business relationship including, but not limited to, clients, customers, joint
ventures, joint venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-
contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.
3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)
Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.
Note 2 to entry: It is common to distinguish:
— open whistleblowing, where the whistleblower discloses information without withholding their identity or
requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify
them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the
whistleblower’s consent, unless required by law;
— anonymous whistleblowing, where information is received without the whistleblower disclosing their
identity.
© ISO 2021 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO 37002:2021(E)

Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an
equivalent.
3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10)
management system (3.1)
3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking
preliminary measures, prioritization and assignment for further handling
Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or
suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational,
financial, environmental, human or other damages.
3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a
whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)
Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including, but not
limited to, dismissal, suspension, demotion, transfer, change in duties, alteration of working conditions, adverse
performance (3.26) ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services,
blacklisting, boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution
or legal action, harassment, isolation, imposition of any form of physical or psychological harm.
Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions,
done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.
Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a
reasonable standard of care at any step of the whistleblowing process (3.27).
Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management,
unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.
Note 5 to entry: Other relevant interested parties can include prospective or perceived whistleblowers, relatives,
associates of a whistleblower, persons who have provided support to a whistleblower, and any person involved in
a whistleblowing process, including a legal entity.
3.14
investigation
systematic, independent and documented process (3.27) for establishing facts and evaluating them
objectively to determine if wrongdoing (3.8) has occurred, is occurring or is likely to occur, and its
extent
Note 1 to entry: An investigation can be an internal investigation or an external investigation. It can be a
combined investigation.
Note 2 to entry: An internal investigation is conducted by the organization (3.2) itself, or by an external party on
its behalf.
Note 3 to entry: An investigation can also be imposed on the organization by external parties.
3.15
audit
systematic and independent process (3.27) for obtaining evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second p
...

NORME ISO
INTERNATIONALE 37002
Première édition
2021-07
Systèmes de management des
alertes — Lignes directrices
Whistleblowing management systems — Guidelines
Numéro de référence
ISO 37002:2021(F)
©
ISO 2021

---------------------- Page: 1 ----------------------
ISO 37002:2021(F)

DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2021
Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette
publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,
y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut
être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève
Tél.: +41 22 749 01 11
E-mail: copyright@iso.org
Web: www.iso.org
Publié en Suisse
ii © ISO 2021 – Tous droits réservés

---------------------- Page: 2 ----------------------
ISO 37002:2021(F)

Sommaire Page
Avant-propos .v
Introduction .vi
1 Domaine d’application . 1
2 Références normatives . 1
3 Termes et définitions . 1
4 Contexte de l’organisme . 7
4.1 Compréhension de l’organisme et de son contexte . 7
4.2 Compréhension des besoins et attentes des parties intéressées . 8
4.3 Détermination du périmètre d’application du système de management des alertes . 8
4.4 Système de management des alertes . 9
5 Leadership .10
5.1 Leadership et engagement.10
5.1.1 Organe de gouvernance .10
5.1.2 Direction.10
5.2 Politique d’alerte .11
5.3 Rôles, responsabilités et autorités au sein de l’organisme .12
5.3.1 Direction et organe de gouvernance .12
5.3.2 Fonction de management des alertes .12
5.3.3 Délégation de la prise de décision .13
6 Planification .13
6.1 Actions à mettre en œuvre face aux risques et opportunités .13
6.2 Objectifs du système de management des alertes et planification des actions pour
les atteindre .14
6.3 Planification des changements .15
7 Soutien .15
7.1 Ressources .15
7.2 Compétences .15
7.3 Sensibilisation .16
7.3.1 Généralités .16
7.3.2 Formation et mesures de sensibilisation du personnel .16
7.3.3 Formation pour les dirigeants et autres rôles spécifiques .17
7.4 Communication .18
7.5 Informations documentées .19
7.5.1 Généralités .19
7.5.2 Création et mise à jour des informations documentées .19
7.5.3 Maîtrise des informations documentées .19
7.5.4 Protection des données .20
7.5.5 Confidentialité .20
8 Réalisation des activités opérationnelles .21
8.1 Planification et maîtrise opérationnelles .21
8.2 Réception des signalements d’actes répréhensibles .24
8.3 Évaluation des signalements d’actes répréhensibles .25
8.3.1 Évaluation de l’acte répréhensible signalé .25
8.3.2 Évaluation et prévention des risques de mesures de représailles .26
8.4 Traitement des signalements d’actes répréhensibles .27
8.4.1 Traitement de l’acte répréhensible signalé .27
8.4.2 Protection et soutien du lanceur d’alerte .28
8.4.3 Traitement des mesures de représailles .28
8.4.4 Protection de la ou des personnes faisant l’objet d’un signalement .29
8.4.5 Protection des parties intéressées concernées .29
8.5 Clôture des cas d’alertes .29
© ISO 2021 – Tous droits réservés iii

---------------------- Page: 3 ----------------------
ISO 37002:2021(F)

9 Évaluation des performances .30
9.1 Surveillance, mesure, analyse et évaluation .30
9.1.1 Généralités .30
9.1.2 Indicateurs d’évaluation .31
9.1.3 Sources d’information .31
9.2 Audit interne .32
9.2.1 Généralités .32
9.2.2 Programme d’audit interne .32
9.3 Revue de direction .33
9.3.1 Généralités .33
9.3.2 Entrées de la revue de direction .33
9.3.3 Résultats de la revue de direction .33
10 Amélioration .33
10.1 Amélioration continue .33
10.2 Non-conformité et actions correctives .34
Bibliographie .35
iv © ISO 2021 – Tous droits réservés

---------------------- Page: 4 ----------------------
ISO 37002:2021(F)

Avant-propos
L’ISO (Organisation internationale de normalisation) est une fédération mondiale d’organismes
nationaux de normalisation (comités membres de l’ISO). L’élaboration des Normes internationales est
en général confiée aux comités techniques de l’ISO. Chaque comité membre intéressé par une étude
a le droit de faire partie du comité technique créé à cet effet. Les organisations internationales,
gouvernementales et non gouvernementales, en liaison avec l’ISO participent également aux travaux.
L’ISO collabore étroitement avec la Commission électrotechnique internationale (IEC) en ce qui
concerne la normalisation électrotechnique.
Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont
décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier, de prendre note des différents
critères d’approbation requis pour les différents types de documents ISO. Le présent document a été
rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2 (voir www
.iso .org/ directives).
L’attention est attirée sur le fait que certains des éléments du présent document peuvent faire l’objet de
droits de propriété intellectuelle ou de droits analogues. L’ISO ne saurait être tenue pour responsable
de ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails concernant
les références aux droits de propriété intellectuelle ou autres droits analogues identifiés lors de
l’élaboration du document sont indiqués dans l’Introduction et/ou dans la liste des déclarations de
brevets reçues par l’ISO (voir www .iso .org/ brevets).
Les appellations commerciales éventuellement mentionnées dans le présent document sont données
pour information, par souci de commodité, à l’intention des utilisateurs et ne sauraient constituer un
engagement.
Pour une explication de la nature volontaire des normes, la signification des termes et expressions
spécifiques de l’ISO liés à l’évaluation de la conformité, ou pour toute information au sujet de l’adhésion
de l’ISO aux principes de l’Organisation mondiale du commerce (OMC) concernant les obstacles
techniques au commerce (OTC), voir www .iso .org/ avant -propos.
Le présent document a été élaboré par le comité technique ISO/TC 309, Gouvernance des organisations.
Il convient que l’utilisateur adresse tout retour d’information ou toute question concernant le présent
document à l’organisme national de normalisation de son pays. Une liste exhaustive desdits organismes
se trouve à l’adresse www .iso .org/ fr/ members .html.
© ISO 2021 – Tous droits réservés v

---------------------- Page: 5 ----------------------
ISO 37002:2021(F)

Introduction
L’alerte est l’acte qui consiste à signaler un acte répréhensible présumé ou un risque d’acte
répréhensible. Les études et l’expérience montrent qu’une grande partie des actes répréhensibles est
portée à l’attention de l’organisme concerné par le biais de signalements émanant de personnes au sein
ou proches de l’organisme.
Les organismes envisagent de plus en plus de mettre en place ou d’améliorer des politiques et des
processus d’alerte internes en réponse à la réglementation ou sur la base du volontariat.
Le présent document fournit des recommandations aux organismes pour établir, mettre en œuvre, tenir
à jour et améliorer un système de management des alertes, avec les résultats suivants:
a) encourager et faciliter le signalement des actes répréhensibles;
b) soutenir et protéger les lanceurs d’alerte et les autres parties intéressées impliquées;
c) veiller à ce que les signalements d’actes répréhensibles soient traités de manière appropriée et dans
les meilleurs délais;
d) améliorer la culture de l’organisme et la gouvernance;
e) réduire les risques d’actes répréhensibles.
Les avantages potentiels pour l’organisme sont notamment les suivants:
— permettre à l’organisme d’identifier et de traiter les actes répréhensibles le plus tôt possible;
— aider à prévenir ou à réduire le plus possible la perte d’actifs et faciliter la récupération des actifs
perdus;
— assurer le respect des politiques et procédures de l’organisme, ainsi que des obligations légales et
sociales;
— attirer et retenir le personnel attaché aux valeurs et à la culture de l’organisme;
— faire la démonstration de pratiques de gouvernance saines et éthiques à la société, aux marchés, aux
organismes de réglementation et de contrôle aux propriétaires et aux autres parties intéressées.
Un système efficace de management des alertes permet d’instaurer la confiance au sein de l’organisme
en:
— démontrant l’engagement des dirigeants à prévenir et à traiter les actes répréhensibles;
— encourageant tout un chacun à se manifester sans tarder pour signaler les actes répréhensibles;
— réduisant et prévenant les préjudices subis par les lanceurs d’alerte et les autres personnes
impliquées;
— favorisant une culture d’ouverture, de transparence, d’intégrité et de redevabilité.
Le présent document fournit des recommandations aux organismes pour créer un système de
management des alertes, fondé sur les principes de confiance, d’impartialité et de protection. Il
est adaptable, et son utilisation variera en fonction de la taille, de la nature, de la complexité et de
la juridiction des activités de l’organisme. Il peut aider un organisme à améliorer sa politique et ses
procédures d’alerte existantes, ou à se conformer à la législation applicable aux lanceurs d’alerte.
Le présent document adopte la «structure harmonisée» (c’est-à-dire succession des articles, texte
commun et terminologie commune) élaborée par l’ISO afin d’améliorer l’alignement entre les Normes
internationales de systèmes de management. Les organismes peuvent adopter le présent document
comme guide autonome pour leur organisation ou en même temps que d’autres normes de systèmes de
vi © ISO 2021 – Tous droits réservés

---------------------- Page: 6 ----------------------
ISO 37002:2021(F)

management, notamment pour répondre aux exigences relatives aux alertes dans d’autres systèmes de
management ISO.
La Figure 1 est une représentation conceptuelle d’un système recommandé de management des alertes,
montrant comment les principes de confiance, d’impartialité et de protection couvrent tous les éléments
d’un tel système.
Figure 1 — Vue d’ensemble d’un système de management des alertes
© ISO 2021 – Tous droits réservés vii

---------------------- Page: 7 ----------------------
NORME INTERNATIONALE ISO 37002:2021(F)
Systèmes de management des alertes — Lignes directrices
1 Domaine d’application
Le présent document fournit des lignes directrices pour établir, mettre en œuvre et tenir à jour un
système de management des alertes efficace, fondé sur les principes de confiance, d’impartialité et de
protection et comprenant les quatre étapes suivantes:
a) réception des signalements d’actes répréhensibles;
b) évaluation des signalements d’actes répréhensibles;
c) traitement des signalements d’actes répréhensibles;
d) clôture des cas d’alertes.
Les lignes directrices du présent document sont génériques et destinées à s’appliquer à tous les
organismes, indépendamment du type, de la taille et de la nature de l’activité, qu’ils évoluent dans le
secteur public, privé ou à but non lucratif.
L’étendue de l’application de ces lignes directrices dépend des facteurs décrits en 4.1, 4.2 et 4.3. Le
système de management des alertes peut être autonome ou peut être utilisé dans le cadre d’un système
de management global.
2 Références normatives
Le présent document ne contient aucune référence normative.
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions suivants s’appliquent.
L’ISO et l’IEC tiennent à jour des bases de données terminologiques destinées à être utilisées en
normalisation, consultables aux adresses suivantes:
— ISO Online browsing platform: disponible à l’adresse https:// www .iso .org/ obp
— IEC Electropedia: disponible à l’adresse http:// www .electropedia .org/
3.1
système de management
ensemble d’éléments corrélés ou en interaction d’un organisme (3.2), utilisés pour établir des politiques
(3.7) et des objectifs (3.25), ainsi que des processus (3.27) de façon à atteindre lesdits objectifs
Note 1 à l'article: Un système de management peut traiter d’un seul ou de plusieurs domaines.
Note 2 à l'article: Les éléments du système de management comprennent la structure, les rôles et responsabilités,
la planification et le fonctionnement de l’organisme.
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
© ISO 2021 – Tous droits réservés 1

---------------------- Page: 8 ----------------------
ISO 37002:2021(F)

3.2
organisme
personne ou groupe de personnes ayant un rôle avec les responsabilités, l’autorité et les relations lui
permettant d’atteindre ses objectifs (3.25)
Note 1 à l'article: Le concept d’organisme englobe, sans toutefois s’y limiter, les travailleurs indépendants,
les compagnies, les sociétés, les firmes, les entreprises, les administrations, les partenariats, les organisations
caritatives ou les institutions, ou bien une partie ou une combinaison des entités précédentes, à responsabilité
limitée ou ayant un autre statut, de droit public ou privé.
Note 2 à l'article: Si l’organisme fait partie d’une entité plus grande, le terme «organisme» fait uniquement
référence à la partie de cette entité faisant partie intégrante du périmètre du système de management (3.1) des
alertes (3.10).
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.3
personnel
directeurs, agents, employés, contractuels ou personnel intérimaire et bénévoles de l’organisme (3.2)
[SOURCE: ISO 37001:2016, 3.25, modifiée — Les Notes 1 et 2 à l’article ont été supprimées.]
3.4
partie intéressée (terme recommandé)
partie prenante (terme admis)
personne ou organisme (3.2) qui peut soit influer sur une décision ou une activité, soit être influencé(e)
ou s’estimer influencé(e) par une décision ou une activité
Note 1 à l'article: Une partie intéressée peut être interne ou externe à l’organisme.
Note 2 à l'article: Les parties intéressées peuvent inclure, sans toutefois s’y limiter, les auteurs de signalements,
les personnes faisant l’objet de signalements, les témoins, le personnel (3.3), les représentants des travailleurs,
les fournisseurs, les tiers, le public, les médias, les organismes de réglementation et de contrôle et l’organisme
dans son ensemble.
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO. La définition originale a été modifiée par l’ajout des
Notes 1 et 2 à l’article.
3.5
direction
personne ou groupe de personnes qui oriente et dirige un organisme (3.2) au plus haut niveau
Note 1 à l'article: La direction a le pouvoir de déléguer son autorité et de fournir des ressources au sein de
l’organisme.
Note 2 à l'article: Si le périmètre du système de management (3.1) ne couvre qu’une partie de l’organisme, alors la
direction s’adresse à ceux qui orientent et dirigent cette partie de l’organisme.
Note 3 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.6
organe de gouvernance
personne ou groupe de personnes qui détient la responsabilité (3.30) ultime de l’ensemble de l’organisme
(3.2)
Note 1 à l'article: Chaque entité organisationnelle dispose d’un organe de gouvernance, qu’il soit ou non
explicitement établi.
Note 2 à l'article: Un organe de gouvernance peut notamment comprendre un conseil d’administration, les
comités du conseil d’administration, un conseil de surveillance ou des administrateurs.
2 © ISO 2021 – Tous droits réservés

---------------------- Page: 9 ----------------------
ISO 37002:2021(F)

[SOURCE: ISO/IEC 38500:2015, 2.9, modifiée — Les mots «détient la responsabilité ultime» remplacent
«est responsable du fonctionnement et de la conformité de» et les Notes 1 et 2 à l’article ont été ajoutées.]
3.7
politique
intentions et orientations d’un organisme (3.2) telles qu’elles sont officiellement formulées par sa
direction (3.5)
Note 1 à l'article: Ceci constitue l’un des termes communs et l’une des principales définitions de la structure
harmonisée des normes de systèmes de management ISO.
3.8
acte répréhensible
action(s) ou omission(s) pouvant causer un préjudice
Note 1 à l'article: Les actes répréhensibles peuvent comprendre, sans toutefois s’y limiter, les pratiques suivantes:
— violation de la loi (nationale ou internationale), comme la fraude, la corruption, y compris les pots-de-vin;
— violation du code de conduite de l’organisme (3.2) ou d’un autre code de conduite pertinent, violation des
politiques de l’organisme (3.7);
— négligence grave, intimidation, harcèlement, discrimination, utilisation non autorisée de fonds ou de
ressources, abus d’autorité, conflit d’intérêts, gaspillage flagrant ou mauvaise gestion;
— les actions ou omissions entraînant un dommage ou un risque de préjudice pour les droits de l’homme,
l’environnement, la santé et la sécurité publiques, des pratiques de travail sûres ou l’intérêt public.
Note 2 à l'article: Un acte répréhensible ou le préjudice qui en résulte peut s’être produit dans le passé, être en
train de se produire ou peut se produire à l’avenir.
Note 3 à l'article: Le préjudice potentiel peut être déterminé par référence à un événement unique ou à une série
d’événements.
3.9
lanceur d’alerte
personne qui signale des actes répréhensibles (3.8) présumés ou réels et a des motifs raisonnables de
croire que les informations sont exactes au moment du signalement
Note 1 à l'article: Un motif raisonnable est une conviction d’un individu s’appuyant sur l’observation, l’expérience
ou des informations en sa possession qu’une personne dans les mêmes circonstances partagerait également.
Note 2 à l'article: Les exemples de lanceurs d’alerte incluent ce qui suit, sans toutefois s’y limiter:
— le personnel (3.3) d’un organisme (3.2);
— le personnel de parties externes, y compris les personnes morales, avec lesquelles l’organisme a, ou
prévoit d’établir, une certaine forme de relation d’affaires, y compris, sans toutefois s’y limiter, les clients,
les entreprises communes (ou joint-ventures), les partenaires d’entreprise commune, les partenaires
de consortium, les prestataires de services externalisés, les sous-traitants, les consultants, les sous-
contractants, les fournisseurs, les revendeurs, les conseillers, les agents, les distributeurs, les représentants,
les intermédiaires et les investisseurs;
— d’autres personnes comme les représentants syndicaux;
— toute personne ayant occupé ou devant occuper une fonction mentionnée dans cette définition.
3.10
alerte
signalement d’actes répréhensibles (3.8) présumés ou réels par un lanceur d’alerte (3.9)
Note 1 à l'article: Un signalement d’actes répréhensibles peut être verbal, en personne, par écrit ou sous forme
électronique ou numérique.
Note 2 à l'article: Il est courant de faire une distinction entre:
© ISO 2021 – Tous droits réservés 3

---------------------- Page: 10 ----------------------
ISO 37002:2021(F)

— une alerte transparente où le lanceur d’alerte divulgue des informations sans dissimuler son identité ou
exiger que son identité soit gardée secrète;
— une alerte confidentielle où l’identité et toute information pouvant permettre d’identifier le lanceur d’alerte
sont connues du destinataire mais ne sont pas divulguées sans le consentement du lanceur d’alerte, sauf si la
loi l’exige;
— une alerte anonyme où l’information est reçue sans que le lanceur d’alerte ne révèle son identité.
Note 3 à l'article: Les organismes (3.2) peuvent utiliser un autre terme tel que «procédure d’alerte», «alerte
interne», «alerte professionnelle» ou «whistleblowing» ou un équivalent.
3.11
fonction de management des alertes
personne(s) qui détien(nen)t la responsabilité et l’autorité du fonctionnement du système de management
(3.1) des alertes (3.10)
3.12
triage
évaluation du signalement initial d’actes répréhensibles (3.8) à des fins de catégorisation, de prise de
mesures préliminaires, de priorisation et d’affectation pour traitement ultérieur
Note 1 à l'article: Les facteurs suivants peuvent être pris en compte: la probabilité et la gravité de l’impact
des actes répréhensibles sur le personnel (3.3), l’organisme (3.2) et les parties intéressées (3.4), y compris les
dommages à la réputation, financiers, environnementaux, humains ou autres.
3.13
mesure de représailles
menace, intention, action ou omission, directe ou indirecte, susceptible de porter préjudice à un lanceur
...

NORMA ISO
INTERNACIONAL 37002
Traducción oficial
Primera edición
2021-07
Official translation
Traduction officielle
Sistemas de gestión de la denuncia de
irregularidades — Directrices
Whistleblowing management systems — Guidelines
Systèmes de management des alertes — Lignes directrices
Publicado por la Secretaría Central de ISO en Ginebra, Suiza, como
traducción oficial en español avalada por el Grupo de Trabajo Spanish
Translation Task Force (STTF), que ha certificado la conformidad en
relación con las versiones inglesa y francesa.
Número de referencia
ISO 37002:2021 (traducción oficial)
© ISO 2021

---------------------- Page: 1 ----------------------
ISO 37002:2021 (traducción oficial)
DOCUMENTO PROTEGIDO POR COPYRIGHT
© ISO 2021
Reservados los derechos de reproducción. Salvo prescripción diferente, no podrá reproducirse ni utilizarse ninguna parte de
esta publicación bajo ninguna forma y por ningún medio, electrónico o mecánico, incluidos el fotocopiado, o la publicación en
Internet o una Intranet, sin la autorización previa por escrito. La autorización puede solicitarse a ISO en la siguiente dirección o al
organismo miembro de ISO en el país solicitante.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Publicado en Suiza
Traducción oficial/Official translation/Traduction officielle
ii
  © ISO 2021 – Todos los derechos reservados

---------------------- Page: 2 ----------------------
ISO 37002:2021 (traducción oficial)
Índice Página
Prólogo .v
Prólogo de la versión en español. vi
Introducción .vii
1 Objeto y campo de aplicación . 1
2 Referencias normativas . 1
3 Términos y definiciones .1
4 Contexto de la organización . 8
4.1 Comprensión de la organización y su contexto . 8
4.2 Comprensión de las necesidades y expectativas de las partes interesadas . 8
4.3 Determinación del alcance del sistema de gestión de la denuncia de irregularidades . 8
4.4 Sistema de gestión de la denuncia de irregularidades . 9
5 Liderazgo .10
5.1 Liderazgo y compromiso . 10
5.1.1 Órgano de gobierno . 10
5.1.2 Alta dirección . 10
5.2 Política de denuncia de irregularidades . 11
5.3 Roles, responsabilidades y autoridades .12
5.3.1 Alta dirección y órgano de gobierno .12
5.3.2 Función de gestión de la denuncia de irregularidades .13
5.3.3 Toma de decisiones delegada . 13
6 Planificación .14
6.1 Acciones para abordar riesgos y oportunidades . 14
6.2 Objetivos del sistema de gestión de la denuncia de irregularidades y planificación
para alcanzarlos . 14
6.3 Planificación de cambios . 15
7 Apoyo .15
7.1 Recursos . 15
7.2 Competencia . 16
7.3 Toma de conciencia . 16
7.3.1 Generalidades . 16
7.3.2 Medidas de formación y toma de conciencia del personal . 17
7.3.3 Formación para líderes y otros roles específicos . 18
7.4 Comunicación. 18
7.5 Información documentada . 19
7.5.1 Generalidades . 19
7.5.2 Creación y actualización de la información documentada . 19
7.5.3 Control de la información documentada. 20
7.5.4 Protección de datos .20
7.5.5 Confidencialidad . 21
8 Operación .22
8.1 Planificación y control operacional . 22
8.2 Recepción de denuncias de irregularidades . 24
8.3 Evaluación de denuncias de irregularidades . 25
8.3.1 Evaluación de la irregularidad denunciada . 25
8.3.2 Evaluación y prevención de riesgos de conducta perjudicial .26
8.4 Tratamiento de las denuncias de irregularidades . 27
8.4.1 Tratamiento de las irregularidades denunciadas . 27
8.4.2 Protección y apoyo al denunciante .28
8.4.3 Tratamiento de la conducta perjudicial .28
8.4.4 Protección de los sujetos de la denuncia .29
8.4.5 Protección de las partes interesadas pertinentes .29
Traducción oficial/Official translation/Traduction officielle
iii
© ISO 2021 – Todos los derechos reservados

---------------------- Page: 3 ----------------------
ISO 37002:2021 (traducción oficial)
8.5 Conclusión de casos de denuncia de irregularidades.29
9 Evaluación del desempeño .30
9.1 Seguimiento, medición, análisis y evaluación .30
9.1.1 Generalidades .30
9.1.2 Indicadores de evaluación .30
9.1.3 Fuentes de información . 31
9.2 Auditoría interna . 32
9.2.1 Generalidades . 32
9.2.2 Programa de auditoría interna . 32
9.3 Revisión por la dirección . 32
9.3.1 Generalidades . 32
9.3.2 Entradas para la revisión por la dirección . 33
9.3.3 Resultados de la revisión por la dirección . 33
10 Mejora .33
10.1 Mejora continua . 33
10.2 No conformidades y acciones correctivas . 33
Bibliografía.35
Traducción oficial/Official translation/Traduction officielle
iv
  © ISO 2021 – Todos los derechos reservados

---------------------- Page: 4 ----------------------
ISO 37002:2021 (traducción oficial)
Prólogo
ISO (Organización Internacional de Normalización) es una federación mundial de organismos
nacionales de normalización (organismos miembros de ISO). El trabajo de elaboración de las Normas
Internacionales se lleva a cabo normalmente a través de los comités técnicos de ISO. Cada organismo
miembro interesado en una materia para la cual se haya establecido un comité técnico, tiene el derecho
de estar representado en dicho comité. Las organizaciones internacionales, gubernamentales y no
gubernamentales, vinculadas con ISO, también participan en el trabajo. ISO colabora estrechamente
con la Comisión Electrotécnica Internacional (IEC) en todos los temas de normalización electrotécnica.
En la Parte 1 de las Directivas ISO/IEC se describen los procedimientos utilizados para desarrollar este
documento y aquellos previstos para su mantenimiento posterior. En particular debería tomarse nota
de los diferentes criterios de aprobación necesarios para los distintos tipos de documentos ISO. Este
documento ha sido redactado de acuerdo con las reglas editoriales de la Parte 2 de las Directivas ISO/
IEC (véase www.iso.org/directives).
Se llama la atención sobre la posibilidad de que algunos de los elementos de este documento puedan
estar sujetos a derechos de patente. ISO no asume la responsabilidad por la identificación de alguno
o todos los derechos de patente. Los detalles sobre cualquier derecho de patente identificado durante
el desarrollo de este documento se indicarán en la Introducción y/o en la lista ISO de declaraciones de
patente recibidas (véase www.iso.org/patents).
Cualquier nombre comercial utilizado en este documento es información que se proporciona para
comodidad del usuario y no constituye una recomendación.
Para una explicación de la naturaleza voluntaria de las normas, el significado de los términos específicos
de ISO y las expresiones relacionadas con la evaluación de la conformidad, así como la información
acerca de la adhesión de ISO a los principios de la Organización Mundial del Comercio (OMC) respecto a
los Obstáculos Técnicos al Comercio (OTC), véase www.iso.org/iso/foreword.html.
Este documento ha sido elaborado por el Comité Técnico ISO/TC 309, Gobernanza de las organizaciones.
Cualquier comentario o pregunta sobre este documento deberían dirigirse al organismo nacional de
normalización del usuario. En www.iso.org/members.html se puede encontrar un listado completo de
estos organismos.
Traducción oficial/Official translation/Traduction officielle
v
© ISO 2021 – Todos los derechos reservados

---------------------- Page: 5 ----------------------
ISO 37002:2021 (traducción oficial)
Prólogo de la versión en español
Este documento ha sido traducido por el Grupo de Trabajo Spanish Translation Task Force (STTF) del
Comité Técnico ISO/TC 309, Gobernanza de las organizaciones, en el que participan representantes de
los organismos nacionales de normalización y representantes del sector empresarial de los siguientes
países:
Argentina, Bolivia, Chile, Colombia, Costa Rica, Ecuador, El Salvador, España, Guatemala, Panamá, Perú,
Uruguay.
Esta traducción es parte del resultado del trabajo que el Grupo ISO/TC 309/STTF, viene desarrollando
desde su creación en el año 2021 para lograr la unificación de la terminología en lengua española en el
ámbito de la denuncia de irregularidades.
Traducción oficial/Official translation/Traduction officielle
vi
  © ISO 2021 – Todos los derechos reservados

---------------------- Page: 6 ----------------------
ISO 37002:2021 (traducción oficial)
Introducción
La denuncia de irregularidades es el acto de informar sobre sospechas de irregularidades o riesgo de
irregularidades. Los estudios y la experiencia demuestran que una gran proporción de irregularidades
llega al conocimiento de la organización afectada a través de la información que proporcionan personas
de dentro de la organización o cercanas a la misma.
Las organizaciones están considerando cada vez más la posibilidad de introducir o mejorar políticas y
procesos internos de denuncia de irregularidades en respuesta a la regulación o de forma voluntaria.
Este documento proporciona orientación a las organizaciones para establecer, implementar, mantener
y mejorar un sistema de gestión de la denuncia de irregularidades, con los siguientes resultados:
a) alentar y facilitar la denuncia de irregularidades;
b) apoyar y proteger a los denunciantes y otras partes interesadas involucradas;
c) asegurar que las denuncias de irregularidades se traten de manera adecuada y oportuna;
d) mejorar la cultura organizacional y la gobernanza;
e) reducir los riesgos de irregularidades.
Los beneficios potenciales para la organización incluyen:
— permitir que la organización identifique y aborde las irregularidades lo antes posible;
— ayudar a prevenir o minimizar la pérdida de activos y ayudar a la recuperación de activos perdidos;
— asegurar el cumplimiento de las políticas y los procedimientos organizacionales y las obligaciones
legales y sociales;
— atraer y retener al personal comprometido con los valores y la cultura de la organización;
— demostrar la aplicación de prácticas de gobernanza sólidas y éticas a la sociedad, los mercados, los
reguladores, los propietarios y otras partes interesadas.
Un sistema de gestión de la denuncia de irregularidades eficaz generará confianza organizacional al:
— demostrar el compromiso de los líderes para prevenir y tratar las irregularidades;
— alentar a las personas a presentar denuncias de irregularidades de manera temprana;
— reducir y prevenir el trato perjudicial a los denunciantes y otras personas implicadas;
— fomentar una cultura de apertura, transparencia, integridad y de rendición de cuentas.
Este documento proporciona orientación para que las organizaciones creen un sistema de gestión
de la denuncia de irregularidades basado en los principios de confianza, imparcialidad y protección.
Es adaptable y su uso variará con el tamaño, la naturaleza, la complejidad y la jurisdicción de las
actividades de la organización. Puede ayudar a una organización a mejorar su política y procedimientos
de denuncia de irregularidades, existentes, o a cumplir con la legislación aplicable en materia de
denuncia de irregularidades.
Este documento adopta la “estructura armonizada” (es decir, secuencia de capítulos, un texto
común y una terminología común) desarrollada por ISO para mejorar la alineación entre las Normas
Internacionales para los sistemas de gestión. Las organizaciones pueden adoptar este documento como
guía independiente o de forma conjunta con otras normas de sistemas de gestión, o incluso para abordar
los requisitos relacionados con la denuncia de irregularidades en otros sistemas de gestión de ISO.
Traducción oficial/Official translation/Traduction officielle
vii
© ISO 2021 – Todos los derechos reservados

---------------------- Page: 7 ----------------------
ISO 37002:2021 (traducción oficial)
La Figura 1 es una descripción general conceptual de un sistema de gestión de la denuncia de
irregularidades recomendado, que muestra cómo los principios de confianza, imparcialidad y protección
se superponen a todos los elementos de dicho sistema.
Figura 1 — Descripción general de un sistema de gestión de la denuncia de irregularidades
Traducción oficial/Official translation/Traduction officielle
viii
  © ISO 2021 – Todos los derechos reservados

---------------------- Page: 8 ----------------------
NORMA INTERNACIONAL ISO 37002:2021 (traducción oficial)
Sistemas de gestión de la denuncia de irregularidades —
Directrices
1 Objeto y campo de aplicación
Este documento proporciona directrices para establecer, implementar y mantener un sistema de
gestión de la denuncia de irregularidades eficaz basado en los principios de confianza, imparcialidad y
protección en los siguientes cuatro pasos:
a) recepción de las denuncias de irregularidades;
b) evaluación de las denuncias de irregularidades;
c) tratamiento de las denuncias de irregularidades;
d) conclusión de los casos de denuncia de irregularidades.
Las directrices de este documento son genéricas y están destinadas a ser aplicables a todas las
organizaciones, independientemente del tipo, tamaño, naturaleza de la actividad, y ya sea en los
sectores público, privado o sin fines de lucro.
El alcance de la aplicación de estas directrices depende de los factores especificados en los apartados
4.1, 4.2 y 4.3. El sistema de gestión de la denuncia de irregularidades puede ser independiente o puede
utilizarse como parte de un sistema de gestión general.
2 Referencias normativas
No hay referencias normativas en este documento.
3 Términos y definiciones
Para los fines de este documento, se aplican los términos y definiciones siguientes.
ISO e IEC mantienen bases de datos terminológicas para su utilización en normalización en las siguientes
direcciones:
— Plataforma de búsqueda en línea de ISO: disponible en https:// www .iso .org/ obp
— Electropedia de IEC: disponible en https:// www .electropedia .org/
3.1
sistema de gestión
conjunto de elementos de una organización (3.2) interrelacionados o que interactúan para establecer
políticas (3.7) y objetivos (3.25), así como procesos (3.27) para lograr estos objetivos
Nota 1 a la entrada: Un sistema de gestión puede abordar una sola disciplina o varias disciplinas.
Nota 2 a la entrada: Los elementos del sistema de gestión incluyen la estructura, los roles y responsabilidades, la
planificación y el funcionamiento de la organización.
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones básicas de la estructura
armonizada para las normas de sistemas de gestión de ISO.
Traducción oficial/Official translation/Traduction officielle
1
© ISO 2021 – Todos los derechos reservados

---------------------- Page: 9 ----------------------
ISO 37002:2021 (traducción oficial)
3.2
organización
persona o grupo de personas que tiene sus propias funciones con responsabilidades, autoridades y
relaciones para lograr sus objetivos (3.25)
Nota 1 a la entrada: El concepto de organización incluye, pero no se limita a, comerciante individual, compañía,
corporación, firma, empresa, autoridad, asociación, organización benéfica o institución, o una parte o
combinación de estas, estén constituidas o no, públicas o privadas.
Nota 2 a la entrada: Si la organización es parte de una entidad más grande, el término "organización" se refiere
solo a la parte de la entidad más grande que está dentro del alcance del sistema de gestión (3.1) de la denuncia de
irregularidades (3.10).
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.3
personal
directores, funcionarios, empleados, personal temporal o trabajadores y voluntarios de la organización
(3.2)
[FUENTE: ISO 37001:2016, 3.25, modificada — Se han eliminado las Notas 1 y 2 a la entrada.]
3.4
parte interesada
persona u organización (3.2) que pueda afectar, verse afectado o percibirse como afectado por una
decisión o actividad
Nota 1 a la entrada: Una parte interesada puede ser interna o externa a la organización.
Nota 2 a la entrada: Las partes interesadas pueden incluir, pero no se limitan a, aquellos que realizan denuncias,
cualquier sujeto de esas denuncias, testigos, personal (3.3), representantes de los trabajadores, proveedores,
terceras partes, público, medios de comunicación, reguladores y la organización en su conjunto.
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO. La definición original ha sido modificada agregando
las Notas 1 y 2 a la entrada.
3.5
alta dirección
persona o grupo de personas que dirige y controla una organización (3.2) al más alto nivel
Nota 1 a la entrada: La alta dirección tiene el poder de delegar autoridad y proporcionar recursos dentro de la
organización.
Nota 2 a la entrada: Si el alcance del sistema de gestión (3.1) comprende solo una parte de una organización,
entonces la alta dirección se refiere a aquellos que dirigen y controlan esa parte de la organización.
Nota 3 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.6
órgano de gobierno
persona o grupo de personas que tiene que rendir cuentas (3.30) en última instancia en nombre de toda
la organización (3.2)
Nota 1 a la entrada: Cada entidad organizacional tiene un órgano de gobierno, esté o no establecido explícitamente.
Nota 2 a la entrada: Un órgano de gobierno puede incluir, pero no está limitado a, un consejo directivo, comités de
control, consejo de control o administradores.
Traducción oficial/Official translation/Traduction officielle
2
  © ISO 2021 – Todos los derechos reservados

---------------------- Page: 10 ----------------------
ISO 37002:2021 (traducción oficial)
[FUENTE: ISO/IEC 38500:2015, 2.9, modificado — Las palabras “tienen que rendir cuentas en última
instancia en nombre de” han reemplazado a “responsable del desempeño y conformidad con” y se han
agregado las Notas 1 y 2 a la entrada.]
3.7
política
intenciones y dirección de una organización (3.2) según lo expresado formalmente por su alta dirección
(3.5)
Nota 1 a la entrada: Este constituye uno de los términos comunes y definiciones esenciales de la estructura
armonizada para las normas de sistemas de gestión de ISO.
3.8
irregularidad
acción u omisión que puede causar daño
Nota 1 a la entrada: Las irregularidades pueden incluir, entre otras, las siguientes:
— incumplimiento de la ley (nacional o internacional), como fraude, corrupción, incluido el soborno;
— incumplimiento del código de conducta la organización (3.2) o de otro código de conducta pertinente,
incumplimiento de las políticas (3,7) de la organización;
— negligencia grave, intimidación, acoso, discriminación, uso no autorizado de fondos o recursos, abuso de
autoridad, conflicto de intereses, despilfarro o mala administración;
— acciones u omisiones que resulten en daño o riesgo de daño a los derechos humanos, el medio ambiente, la
salud y la seguridad pública, las prácticas laborales seguras o el interés público.
Nota 2 a la entrada: Las irregularidades o el daño resultante pueden haber ocurrido en el pasado, estar sucediendo
actualmente u ocurrir en el futuro.
Nota 3 a la entrada: El daño potencial se puede determinar por referencia a un solo evento o una serie de eventos.
3.9
denunciante
persona que informa sobre sospechas de irregularidades (3.8) o sobre irregularidades reales y tiene una
creencia razonable de que la información es verdadera en el momento de informar
Nota 1 a la entrada: Una creencia razonable es una creencia sostenida por un individuo basada en la observación,
experiencia o información conocida por ese individuo, que también sería sostenida por otra persona en las
mismas circunstancias.
Nota 2 a la entrada: Los ejemplos de denunciantes incluyen, entre otros, los siguientes:
— personal 3.3) dentro de una organización (3.2);
— personal de partes externas, incluidas las personas jurídicas, con las que la organización ha establecido,
o planea establecer, alguna forma de relación de negocios, incluidos, entre otros, clientes, consumidores,
alianzas empresariales, socios de empresas conjuntas, socios de consorcios, proveedores de subcontratación,
contratistas, consultores, subcontratistas, proveedores, vendedores, asesores, agentes, distribuidores,
representantes, intermediarios e inversores;
— otras personas como representantes sindicales;
— cualquier persona que haya desempeñado o vaya a desempeñar un puesto de los establecidos en esta
definición.
3.10
denuncia de irregularidades
información sobre sospechas de irregularidades (3.8) o irregularidades reales aportada por un
denunciante (3.9)
Nota 1 a la entrada: Una denuncia de irregularidades puede presentarse de forma verbal, en persona, por escrito
o en formato elect
...

FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 37002
ISO/TC 309
Whistleblowing management
Secretariat: BSI
systems — Guidelines
Voting begins on:
2021­04­26
Systèmes de management des alertes — Lignes directrices
Voting terminates on:
2021­06­21
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/FDIS 37002:2021(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
©
NATIONAL REGULATIONS. ISO 2021

---------------------- Page: 1 ----------------------
ISO/FDIS 37002:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH­1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/FDIS 37002:2021(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 7
4.1 Understanding the organization and its context . 7
4.2 Understanding the needs and expectations of interested parties . 8
4.3 Determining the scope of the whistleblowing management system . 8
4.4 Whistleblowing management system . 9
5 Leadership . 9
5.1 Leadership and commitment . 9
5.1.1 Governing body . 9
5.1.2 Top management .10
5.2 Whistleblowing policy .10
5.3 Roles, responsibilities and authorities .11
5.3.1 Top management and governing body . .11
5.3.2 Whistleblowing management function .12
5.3.3 Delegated decision­making .12
6 Planning .13
6.1 Actions to address risks and opportunities .13
6.2 Whistleblowing management system objectives and planning to achieve them .13
6.3 Planning of changes .14
7 Support .14
7.1 Resources .14
7.2 Competence .14
7.3 Awareness .15
7.3.1 General.15
7.3.2 Personnel training and awareness measures .15
7.3.3 Training for leaders and other specific roles .16
7.4 Communication .17
7.5 Documented information .18
7.5.1 General.18
7.5.2 Creating and updating documented information .18
7.5.3 Control of documented information .18
7.5.4 Data protection . .19
7.5.5 Confidentiality .19
8 Operation .20
8.1 Operational planning and control .20
8.2 Receiving reports of wrongdoing .22
8.3 Assessing reports of wrongdoing .23
8.3.1 Assessing the reported wrongdoing .23
8.3.2 Assessing and preventing risks of detrimental conduct .24
8.4 Addressing reports of wrongdoing.25
8.4.1 Addressing the reported wrongdoing .25
8.4.2 Protecting and supporting the whistleblower .26
8.4.3 Addressing detrimental conduct.26
8.4.4 Protecting the subject(s) of a report . .27
8.4.5 Protecting relevant interested parties .27
8.5 Concluding whistleblowing cases .27
9 Performance evaluation .28
© ISO 2021 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/FDIS 37002:2021(E)

9.1 Monitoring, measurement, analysis and evaluation .28
9.1.1 General.28
9.1.2 Indicators for evaluation .28
9.1.3 Information sources .29
9.2 Internal audit .30
9.2.1 General.30
9.2.2 Internal audit programme .30
9.3 Management review .30
9.3.1 General.30
9.3.2 Management review inputs .30
9.3.3 Management review results .31
10 Improvement .31
10.1 Continual improvement .31
10.2 Nonconformity and corrective action .31
Bibliography .32
iv © ISO 2021 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/FDIS 37002:2021(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non­governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO 2021 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/FDIS 37002:2021(E)

Introduction
Whistleblowing is the act of reporting suspected wrongdoing or risk of wrongdoing. Studies and
experience demonstrate that a large proportion of wrongdoing comes to the attention of the affected
organization via reports from persons within or close to the organization.
Organizations are increasingly considering introducing or improving internal whistleblowing policies
and processes in response to regulation or on a voluntary basis.
This document provides guidance to organizations for establishing, implementing, maintaining and
improving a whistleblowing management system, with the following outcomes:
a) encouraging and facilitating reporting of wrongdoing;
b) supporting and protecting whistleblowers and other interested parties involved;
c) ensuring reports of wrongdoing are dealt with in a proper and timely manner;
d) improving organizational culture and governance;
e) reducing the risks of wrongdoing.
Potential benefits for the organization include:
— allowing the organization to identify and address wrongdoing at the earliest opportunity;
— helping prevent or minimize loss of assets and aiding recovery of lost assets;
— ensuring compliance with organizational policies, procedures, and legal and social obligations;
— attracting and retaining personnel committed to the organization’s values and culture;
— demonstrating sound, ethical governance practices to society, markets, regulators, owners and
other interested parties.
An effective whistleblowing management system will build organizational trust by:
— demonstrating leadership commitment to preventing and addressing wrongdoing;
— encouraging people to come forward early with reports of wrongdoing;
— reducing and preventing detrimental treatment of whistleblowers and others involved;
— encouraging a culture of openness, transparency, integrity and accountability.
This document provides guidance for organizations to create a whistleblowing management system
based on the principles of trust, impartiality and protection. It is adaptable, and its use will vary with the
size, nature, complexity and jurisdiction of the organization’s activities. It can assist an organization to
improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing
legislation.
This document adopts the “harmonized structure” (i.e. clause sequence, common text and common
terminology) developed by ISO to improve alignment among International Standards for management
systems. Organizations may adopt this document as stand-alone guidance for their organization or along
with other management system standards, including to address whistleblowing-related requirements
in other ISO management systems.
Figure 1 is a conceptual overview of a recommended whistleblowing management system showing how
the principles of trust, impartiality and protection overlay all elements of such a system.
vi © ISO 2021 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/FDIS 37002:2021(E)

Figure 1 — Overview of a whistleblowing management system
© ISO 2021 – All rights reserved vii

---------------------- Page: 7 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 37002:2021(E)
Whistleblowing management systems — Guidelines
1 Scope
This document gives guidelines for establishing, implementing and maintaining an effective
whistleblowing management system based on the principles of trust, impartiality and protection in the
following four steps:
a) receiving reports of wrongdoing;
b) assessing reports of wrongdoing;
c) addressing reports of wrongdoing;
d) concluding whistleblowing cases.
The guidelines of this document are generic and intended to be applicable to all organizations,
regardless of type, size, nature of activity, and whether in the public, private or not-for profit sectors.
The extent of application of these guidelines depends on the factors specified in 4.1, 4.2 and 4.3.
The whistleblowing management system can be stand-alone or can be used as part of an overall
management system.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
management system
set of interrelated or interacting elements of an organization (3.2) to establish policies (3.7) and
objectives (3.25), as well as processes (3.27) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
© ISO 2021 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/FDIS 37002:2021(E)

3.2
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.25)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the whistleblowing (3.10) management system (3.1).
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.3
personnel
organization’s (3.2) directors, officers, employees, temporary staff or workers, and volunteers
[SOURCE: ISO 37001:2016, 3.25, modified — Notes 1 and 2 to entry have been deleted.]
3.4
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.2) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
Note 1 to entry: An interested party can be internal or external to the organization.
Note 2 to entry: Interested parties can include, but are not limited to, those who make reports, any subjects
of those reports, witnesses, personnel (3.3), worker representatives, suppliers, third parties, public, media,
regulators and the organization as a whole.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards. The original definition has been modified by adding Notes 1 and 2 to entry.
3.5
top management
person or group of people who directs and controls an organization (3.2) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.1) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.6
governing body
person or group of people who have ultimate accountability (3.30) for the whole organization (3.2)
Note 1 to entry: Every organizational entity has one governing body, whether or not it is explicitly established.
Note 2 to entry: A governing body can include, but is not limited to, a board of directors, committees of the board,
a supervisory board or trustees.
[SOURCE: ISO/IEC 38500:2015, 2.9, modified — The words “have ultimate accountability for” have
replaced “accountable for the performance and conformance of” and Notes 1 and 2 to entry have
been added.]
2 © ISO 2021 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/FDIS 37002:2021(E)

3.7
policy
intentions and direction of an organization (3.2) as formally expressed by its top management (3.5)
Note 1 to entry: This constitutes one of the common terms and core definitions of the harmonized structure for
ISO management system standards.
3.8
wrongdoing
action(s) or omission(s) that can cause harm
Note 1 to entry: Wrongdoing can include, but is not limited to, the following:
— breach of law (national or international), such as fraud, corruption including bribery;
— breach of the organization’s (3.2) or other relevant code of conduct, breach of organization policies (3.7),
discrimination;
— gross negligence, bullying, harassment, unauthorized use of funds or resources, abuse of authority, conflict
of interest, gross waste or mismanagement;
— actions or omissions resulting in damage or risk of harm to human rights, the environment, public health and
safety, safe work-practices or the public interest.
Note 2 to entry: Wrongdoing or the resulting harm can have happened in the past, is currently happening or can
happen in the future.
Note 3 to entry: Potential harm can be determined by reference to a single event or series of events.
3.9
whistleblower
person who reports suspected or actual wrongdoing (3.8) and has reasonable belief that the information
is true at the time of reporting
Note 1 to entry: Reasonable belief is a belief held by an individual based on observation, experience or information
known to that individual, which would also be held by a person in the same circumstances.
Note 2 to entry: Examples of whistleblowers include, but are not limited to, the following:
— personnel (3.3) within an organization (3.2);
— external parties, including legal persons, with whom the organization has established, or plans to establish,
some form of business relationship including, but not limited to, clients, customers, joint ventures, joint
venture partners, consortium partners, outsourcing providers, contractors, consultants, sub­contractors,
suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors;
— other persons such as union representatives;
— any person formerly or prospectively in a position set out in this definition.
3.10
whistleblowing
reporting of suspected or actual wrongdoing (3.8) by a whistleblower (3.9)
Note 1 to entry: A report of wrongdoing can be verbal, in person, in writing or in an electronic or digital format.
Note 2 to entry: It is common to distinguish:
— open whistleblowing, where the whistleblower discloses information without withholding their identity or
requiring that their identity be kept secret;
— confidential whistleblowing, where the identity of the whistleblower and any information that can identify
them is known by the recipient but is not disclosed to anyone beyond a need to know basis without the
whistleblower’s consent, unless required by law;
© ISO 2021 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/FDIS 37002:2021(E)

— anonymous whistleblowing, where information is received without the whistleblower disclosing their
identity.
Note 3 to entry: Organizations (3.2) can use an alternative term such as “speak up” or “raise a concern”, or an
equivalent.
3.11
whistleblowing management function
person(s) with the responsibility and authority for the operation of the whistleblowing (3.10)
management system (3.1)
3.12
triage
assessment of the initial report of wrongdoing (3.8) for the purposes of categorization, taking
preliminary measures, prioritization and assignment for further handling
Note 1 to entry: The following factors can be considered: likelihood and severity of impact of wrongdoing or
suspected wrongdoing on the personnel (3.3), organization (3.2) and interested party (3.4), including reputational,
financial, environmental, human or other damages.
3.13
detrimental conduct
threatened, proposed or actual, direct or indirect act or omission that can result in harm to a
whistleblower (3.9) or other relevant interested party (3.4), related to whistleblowing (3.10)
Note 1 to entry: Harm includes any adverse consequence, whether work-related or personal, including dismissal,
suspension, demotion, transfer, change in duties, alteration of working conditions, adverse performance (3.26)
ratings, disciplinary proceedings, reduced opportunity for advancement, denial of services, blacklisting,
boycotting, damage to reputation, disclosing the whistleblower’s identity, financial loss, prosecution or legal
action, harassment, isolation, imposition of any form of physical or psychological harm.
Note 2 to entry: Detrimental conduct includes retaliation, reprisal, retribution, deliberate action or omissions,
done knowingly or recklessly to cause harm to a whistleblower or other relevant parties.
Note 3 to entry: Detrimental conduct also includes the failure to prevent or to minimize harm by fulfilling a
reasonable standard of care at any step of the whistleblowing process (3.27).
Note 4 to entry: Action to deal with a whistleblower’s own wrongdoing (3.8), performance or management,
unrelated to their role in whistleblowing, is not detrimental conduct for the purposes of this document.
Note 5 to entry: Other relevant interested parties can include prospective or perceived whistleblowers, relatives,
associates of a whistleblower, persons who have provided support to a whistleblower, and any person involved in
a whistleblowing process, including a legal entity.
3.14
investigation
systematic, independent and documented process (3.27) for establishing facts and evaluating them
objectively to determine if wrongdoing (3.8) has occurred, is occurring or is likely to occur, and its extent
Note 1 to entry: An investigatio
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.