Glossary
ISO 37002
The international standard for whistleblowing management systems, published by ISO in 2021. Unlike EU Directive 2019/1937, ISO 37002 is voluntary, but certification signals to regulators, customers, and investors that the organisation treats whistleblowing as a core compliance function. It is often combined with ISO 37001 (anti-bribery) and ISO 37301 (compliance management).
Full definition
ISO 37002:2021 provides guidance for establishing, implementing, and maintaining an effective whistleblowing management system. Unlike EU Directive 2019/1937, ISO 37002 is voluntary, but certification signals to regulators, customers, and investors that the organisation treats whistleblowing as a core compliance function rather than a checkbox. Key clauses cover context, leadership commitment, planning, support (resources and training), operation (the reporting channel itself), performance evaluation, and continual improvement. It is often combined with ISO 37001 (anti-bribery) and ISO 37301 (compliance management).
Related terms
- ISO 37001 The international standard for anti-bribery management systems, published by ISO in 2016. ISO 37001 specifies requirements for an anti-bribery management system with a documented policy, due diligence on third parties, training, and a 'raise concerns' procedure that maps directly to a whistleblowing channel. An effective whistleblowing channel is widely treated as a prerequisite for certification.
- ISO 37301 The international standard for compliance management systems, published in 2021. ISO 37301 defines requirements for organisations to identify their compliance obligations, manage compliance risk, and maintain a culture that enables compliance. Whistleblowing channels are explicitly listed as a control. Organisations often pursue triple certification across ISO 37001 (anti-bribery), ISO 37002 (whistleblowing), and ISO 37301.
- Compliance Management System The integrated framework of policies, procedures, training, and monitoring through which an organisation manages compliance risk. ISO 37301:2021 sets the canonical structure: identify obligations, assess risks, design controls (including a whistleblowing channel), train staff, monitor, review, improve. The CMS is typically owned by the compliance officer and reports to the board's audit committee.