The ISO37002 whistleblower management systems has been with us since last July 2021. These are guidelines or master lines that any irregularity reporting management system should comply with. In this article, we are going to highlight the key elements of ISO37002, those that seem most significant to us, especially to have a first contact with it.
ISO 37002 is not intended for complaint management software or information systems, it goes further and is aimed at the entire complaint management process, not just the software. It is not a certifiable standard . They are guidelines or recommendations that should be considered in any irregularity reporting management system, but in no case can an ISO37002 certified technological solution be found on the market.
It follows the classic structure of ISO standards: PDCA, plan / do / check / act. Where it is the organization itself that defines what it does and then does it, validates it and continuously improves it.
The European directive EU 2019/1937 on the protection of the whistleblower or also known as the “Whitsleblowing” directive is closely aligned, in relation to the whistleblowing channel, with this ISO.
Key elements of the ISO37002 standard
- Context Definition
It is key to define the scope of the complaints managed by the system. A reporting channel can manage different types of reporting: criminal compliance, ISO37301, labor compliance, European directive, prevention and money laundering, codes of conduct,… But each organization must limit its scope, and it is very important that it be clearly defined.
2. Structure of the whistleblowing or whistleblowing management system
The system under a structure of continuous improvement, must under the principles of trust, impartiality, protection and give feedback throughout the process. The structure of the process must be based on: receipt of irregularity communications , their triage or classification , the investigation of those that are within the scope of the system and finally the closure of the complaints with actions on the proposals made .
3. Leadership and management commitment
In addition to the management system itself, the management must be totally committed to the system, promoting and approving the policies of the channel, promoting communication, training and promoting the use of the system, as well as continuously monitoring it to supervise the use of the system. same . It should promote the creation of a channel policy, define its governance process. Finally, management must annually review the proper functioning of the system and establish the necessary corrective measures to ensure the success of the system and the improvement of the culture in the organization.
4. Continuous evaluation of system performance
It is necessary to define a series of objectives and indicators that must be monitored and measured, as well as the responsibility for monitoring them. Examples of indicators can be:
- # of communications received by country/department.
- Grouping by type of complaint
- Times for resolution of communications
- Periodic surveys of trust in the system
The ISO recommends carrying out internal audits to ensure the correct global functioning of the system.
If you are interested in consulting all the details of the standard, you can buy it from here in the ISO organization.
Other ISO standards related to the whistleblower management system
In addition to this standard, 37002, which clearly defines the keys to the operation of a good reporting channel, there are some related standards that have an impact on reporting channels. We would highlight ISO 37301, which focuses on criminal compliance and requires a complaints channel for its correct implementation, and ISO 27001 on information security. Information security is one of the critical elements today and is especially important for complaint channels, which is why it is highly recommended to seek certified solutions in this standard.
A channel that complies with ISO 37002 and ISO 27001
in ithikios, we have created a channel for reporting irregularities based on ISO 37002, in the part that affects the technology of the channel and that facilitates compliance with the standard in the rest of the system and is also certified in ISO 27001 on security of the information, so that customers are calm.