Implementing an ISO 37002 Compliant Whistleblowing Program
March 14, 2024

Content updated on May 7, 2026

The whistleblowing landscape has evolved significantly over the last few years. High-profile cases have prompted new whistleblower protection regulations and legislation across the globe. Among them, we can recall the Volkswagen Emissions Scandal (2015), involving the use of illegal software to cheat emissions tests on diesel vehicles. Whistleblowers within Volkswagen provided critical information that led to the exposure of the fraud. This scandal led to global regulatory investigations and legal measures. It also sparked talks about enhancing whistleblower protection laws and corporate responsibility. Other cases such as Edward Snowden and NSA Surveillance (2013) or the Facebook Cambridge Analytica Data Scandal (2018) highlighted fatal weaknesses in company culture, whistleblower protection, and data privacy.

In Europe, the EU Whistleblowing Directive and its transpositions into local legislation strengthen and harmonise whistleblower protection. Similar laws have been passed worldwide — in the United States, Australia, New Zealand, and Japan, most recently through Japan's 2025 amendment, which introduced criminal penalties for retaliation and takes effect by end of 2026.

Following these evolutions, organisations worldwide had to implement new whistleblowing platforms, or re-evaluate the effectiveness of their existing internal reporting systems.

Why was ISO 37002 created?

Providing a global standard for internal reporting

Management has become increasingly aware of the necessity of recognising and resolving internal concerns. However, many employees still prefer reporting publicly or not at all. There are several possible reasons for this behaviour:

  • Distrust in their organisation’s capacity to respond to their report
  • Unawareness of speak-up policies
  • Uncertainty if the report will be taken seriously
  • Doubts about confidentiality
  • Fear of victimisation or retaliation

Organisations must put systems, processes, and policies in place to support their whistleblowing program. But more often than not, they have no experience and do not know where to start. This is where ISO 37002 comes in, providing guidance to implement an efficient and compliant whistleblowing program to address whistleblowers’ real and valid concerns.

Whistleblowing guidelines and certifications ecosystem

International certifications

Among global standards and certifications, we can highlight three international norms related to whistleblowing:

  1. ISO 37002 → Whistleblowing management systems
  2. ISO 37301 → Compliance management systems
  3. ISO 37001 → Anti-bribery management systems standards

While ISO 37301 and ISO 37001 provide certifications, they only cover specific aspects of whistleblowing management. ISO 37002 is the first Global Standard to fully address whistleblowing. It applies to any type of organisation, whether private, public or non-profit, regardless of size, nature of business, or geographical location. It is a standard that only contains recommendations and best practices; it is not a certification.

Legislation and ISO 37002 guidelines: what’s the difference?

ISO 37002 is a voluntary standard that organisations can adopt. However, for certain organisations and industries, compliance with the standard becomes a legal or contractual requirement, such as in Public Procurement and Supply Chains. Legislation tells you what you need to do, while ISO 37002 gives you a detailed list of instructions on how to do it.

ISO 37002: core principles and guidelines

Key principles and components of the standard

ISO 37002 relies on 3 core principles: trust, impartiality, and protection. Derived from these principles, the guidelines encompass three primary components:

  • Information Security
  • Assurance of anonymous communications with whistleblowers
  • Safeguarding whistleblowers

This standard puts a real emphasis on the way reports are handled and processed.

  • Myth: As long as you get more people to report wrongdoing, you will improve your business.
  • Reality: It is not just about reporting; it is about these reports being handled effectively. If not, it can result in demotivated employees, quiet quitting, or scandals.

ISO 37002 guides organisations in the management of the entire whistleblowing cycle, divided into 4 phases:

  1. Reporting of concerns of wrongdoings: Employees must receive appropriate training and information about internal reporting channels.
  2. Assessment of reports: Specific procedures must be followed for classifying communications, taking into account conflicts of interest and risk areas.
  3. Addressing reported wrongdoings: Creation of specialised channels to handle and investigate reports.
  4. Closure of reported cases: The system must provide investigative rules, adequate protection, and follow-up measures for whistleblowers.

How Whispli can help you effortlessly meet the standards

Whispli is flexible enough to adapt to any organisation’s requirements and can be up and running in just a few weeks. Features directly meeting ISO 37002 standards include:

  • Anonymity and communications: Whispli provides a safe inbox and anonymous chat features. Informants can report wrongdoing through a secure, anonymous, and user-friendly app available on web and mobile.
  • Advanced automations:
    • Automatic messages to informants (acknowledgments, follow-ups).
    • Email reminders to case managers.
    • Automatic triage and tagging of reports based on informant input.
  • Trusted and flexible data hosting: Whispli provides hosting options around the world, fully compliant with GDPR, PIPL, and other local laws. All Whispli platforms are ISO 27001 and SOC2 Type 1 certified.

How do organisations benefit from following ISO 37002 guidelines?

Internal benefits for organisations

By referring to ISO 37002 standards, organisations can jump-start their whistleblowing program. With employees empowered to raise concerns internally, risks are detected early and can be mitigated before they escalate. Being transparent about these processes increases employee retention and attracts top talent.

External benefits for organisations

  • Competitive advantage: Complying with ISO 37002 provides tangible proof of your organisation's commitment to ethics. These results can be included in annual ESG reporting.
  • Reputational risk: When you provide clear information about how reports are processed, you reduce the risk of issues being shared in the press or on social media.
  • Global Recognition: Adhering to these straightforward guidelines helps ensure compliance with various local laws based on globally recognised standards.

Conclusion: Moving Beyond Compliance to Culture

In 2026, a whistleblowing policy that exists only on paper is no longer just a missed opportunity—it’s a significant business risk. As global regulations like the EU Directive and Japan’s 2025 WPA amendment tighten their grip, the "how" of your reporting process becomes just as important as the "why."

ISO 37002 provides the definitive roadmap for building a system that employees actually trust, ensuring that internal concerns stay internal and are resolved with impartiality and protection. By adopting these global standards, you aren't just "checking a box"; you are building a resilient corporate culture where integrity is the default setting.

Whispli is the engine that turns these guidelines into action. From secure, anonymous chat to automated case management, we help you bridge the gap between complex ISO standards and everyday operational excellence.

Frequently asked questions about ISO 37002

Who in the organisation is involved in the implementation and management of ISO 37002?

Compliance departments or Ethics committees are usually put in charge of implementing and managing the whistleblowing program, but roles and responsibilities also lie at other levels:

  • Leadership is responsible for supporting the program by ensuring that:
    • Sufficient resources are allocated to implement the platform
    • Processes are in place to prevent retaliation against whistleblowers
    • All employees are informed of Leadership's support for whistleblowing
  • Communication teams are responsible for regularly promoting the program to ensure that all employees:
    • Know how to report wrongdoings (posters, videos, etc.)
    • Have access to key information on the management of the whistleblowing program (ESG reporting, etc.)
  • HR teams are responsible for training employees per the Code of Conduct and Whistleblowing Policy, both during onboarding and regularly throughout the year.
  • Employees are responsible for complying with the organisation's whistleblowing policy, and for reporting any instance of non-compliance.

How long does it take to be compliant?

Setting up a whistleblowing program can be done very quickly, especially when following the ISO 37002 guidelines. A Whistleblowing platform can be operational in a few weeks.

However, compliance with ISO 37002 and other whistleblowing regulations is an ongoing process, not a one-time event. Organisations must reassess their program regularly to adapt to new regulations worldwide and can benefit from progressively improving their practices as they gain experience.

Can Whispli help me deploy a compliant platform?

That is all we do! When you trust Whispli with the deployment of your whistleblowing platform, you benefit from years of expertise in the setup of successful speak-up and case management solutions. Whispli has been supporting clients of all sizes, from all over the world, in all industries. We are experts at setting up platforms efficiently, providing best practices, configuration examples, and new features regularly to streamline communication with whistleblowers and report management.

Founded by a whistleblower turned compliance officer, Whispli benefits from this double experience to develop the best features and interfaces.
