Is this protocol ISO 37002 aligned?

Yes. ISO 37002:2021 sets out guidelines for whistleblowing management systems and structures investigations into receive, assess, address, and conclude phases. The protocol below follows that structure and adds the specific deadlines from EU Directive 2019/1937 (7-day acknowledgement, 3-month feedback).

Can the protocol be used by external counsel?

Yes. The protocol is drafted so an external lawyer engaged as investigator can adopt it as their working procedure. The privilege analysis at Step 4 is the key clause for external counsel.

What happens if an investigation crosses jurisdictions?

Step 5 of the protocol addresses preservation; for cross-jurisdiction investigations, preservation must respect each jurisdiction's data-protection rules. The protocol references a separate cross-border-discovery checklist that is provided to Confidly Pro and Multi-Entity customers.

Free template · Updated May 2026

Whistleblower Investigation Protocol

A 12-step investigation protocol covering intake, triage, evidence preservation, witness interviews, subject interviews, findings, closure, feedback, remediation, and retention. Aligned with ISO 37002:2021 and EU Directive 2019/1937.

Purpose and scope

This Protocol applies to every report received through [Organisation]'s whistleblowing channel that requires investigation. It is intended for the case handler, the investigation team, and any external counsel engaged to assist. It is a procedural standard, not a substitute for judgment.

Step 1: Intake and case opening (Day 0)

The report arrives through the channel and receives a server-issued case code in the form WB-XXXX-YYYY. The case handler verifies that the report has been classified by category (harassment, fraud, ABC, safety, accounting, data protection, other) and by initial severity. The audit log records the case-opening action.

Step 2: Acknowledgement within 7 days (Art. 9(1)(b))

The case handler sends an acknowledgement to the reporter through the case timeline no later than 7 calendar days after intake. The acknowledgement uses the standard template (see Acknowledgement Message) and is recorded in the audit log.

Step 3: Conflict-of-interest check (Day 1-3)

Before substantive work begins, the case handler verifies their independence from the matter. The check is documented. Where a conflict exists, the named alternate handler takes over. For cases implicating senior management, escalation to the audit committee or supervisory board is initiated.

Step 4: Investigation plan and privilege assessment (Day 3-14)

An investigation plan is drafted within two weeks of intake. The plan includes:

A neutral statement of the alleged conduct.
The rules (statute, contract, code) potentially breached.
Sources of evidence (documents, system logs, calendars, building access, chat).
Witness list in order of distance from the subject (peripheral first).
Privilege assessment: which workstreams will be conducted under attorney-client privilege, and how privilege is preserved.
Timeline anchored to the 3-month substantive-feedback deadline.
Decision-rights matrix.

The plan is approved by the Head of Compliance (or by the audit committee chair for senior-management cases) before substantive work proceeds. Revisions to the plan are versioned in the case file.

Step 5: Evidence preservation (Day 3-7)

The first concrete act is preservation. The case handler issues a legal hold to relevant data sources (email accounts, shared drives, chat logs, calendar, building access logs) before anyone learns an investigation is under way. Cryptographic hashes of preserved datasets are recorded. Access is logged. Preservation precedes collection by design.

Step 6: Peripheral witness interviews (Day 14-45)

Interviews proceed in order of distance from the subject: people who saw the conduct from outside, then those closer to it, then those reporting to the subject. Each interview follows the Interview Protocol: opening, free narrative, specific questions, closing. Notes are signed and dated; a memorandum follows within 48 hours.

Step 7: Subject interview (Day 45-60)

The subject is interviewed after the documentary evidence and witness accounts are understood. The subject is informed of the substance of the allegations (without disclosing the reporter's identity, per Article 16). Their account is taken in good faith; points of agreement and disagreement are documented. Article 22(1) of the Directive protects the rights of the subject and is operationalised here.

Step 8: Findings memorandum (Day 60-75)

The investigator drafts a findings memorandum containing:

Scope of the investigation.
Methodology and evidence reviewed.
Factual findings, numbered.
Rule analysis (the conduct against the rule).
Conclusion on each allegation (substantiated, partially substantiated, unsubstantiated).
Residual uncertainties.

The standard of proof is the balance of probabilities; this is stated explicitly. The memorandum is drafted under privilege where applicable.

Step 9: Closure recommendation and panel review (Day 75-85)

The investigator recommends one of three outcomes per allegation: substantiated, partially substantiated, unsubstantiated. The recommendation is reviewed by a closure panel (Head of Compliance plus one other senior officer not in the chain of command of the subject) and approved or revised. The approval is recorded. Criminal-conduct conclusions trigger consultation with legal counsel on referral to authorities.

Step 10: Substantive feedback to reporter (Day 90)

Within three months of acknowledgement, the reporter receives substantive feedback through the case timeline (see Substantive Feedback Message). Feedback states the actions envisaged or taken and the grounds; it does not disclose privileged material or the identity of any subject. Where the deadline will be missed, the reporter is informed of the extension before the original deadline passes.

Step 11: Remedial action (Day 90+)

Where allegations are substantiated, remedial action follows: HR consequences for the subject (disciplinary, termination, demotion), policy or training fixes, system controls, or referral to authorities. Each action is logged and linked to the case.

Step 12: Retention, closure file, and post-mortem (Day 90-100)

The case is closed in the case-management system. Case data is retained per the retention schedule (see Retention Schedule). The audit log persists beyond the retention of case content. A quarterly post- mortem review across all closed cases identifies patterns and feeds the next risk assessment cycle.

Quality controls

The 7-day acknowledgement is auto-tracked by the case-management system.
The 3-month feedback deadline is visible on the case timeline and requires an explicit handler action.
Every interview memorandum is signed and timestamped.
The closure panel is independent of the chain of command of the subject.
Quarterly sampling of closed cases by the Head of Compliance and the DPO.

Roles

Case handler: owns the case end-to-end; primary contact for the reporter.
Alternate handler: takes over where the primary handler has a conflict.
Lead investigator: where the case requires fieldwork beyond the case handler's capacity; often external counsel.
Closure panel: reviews and approves closure recommendations.
DPO: consulted on data-protection questions arising during the investigation.
Audit committee chair: escalation point for senior-management cases.

Adopted by [Organisation], date [yyyy-mm-dd]. Signed by [Name, Title]. Reviewed: [yyyy-mm-dd]. Next review: [yyyy-mm-dd].