Best practice for whistleblowing systems
28 July 2021

ISO standard for whistleblowing systems

The Federal Ministry of Justice is currently working on the implementation of the EU Whistleblower Protection Directive. The new law is intended to prevent whistleblowers from suffering disadvantages after reporting violations of the law. In the future, companies must offer a reporting channel that guarantees identity protection to protect whistleblowers. How companies implement the regulatory requirements and operate the system is up to them. ISO standard 37002 offers a best practice recommendation.

Whistleblowers make an important contribution to exposing wrongdoing. So far, however, whistleblowers are insufficiently protected by law. Serious risks are job loss, bullying or financial disadvantages. In companies, whistleblowers are caught between their duties under labour law and the public interest in uncovering violations of the law. A new law aims to resolve this tension: in future, companies with 250 or more employees must provide a reporting channel that guarantees identity protection for the whistleblower. The form in which the reporting channel is implemented is up to the organisations.

Benefits for the company

The legal obligation to establish a reporting channel should not be seen exclusively as a burden for companies. A whistleblower system that guarantees identity protection motivates whistleblowers to disclose their information. Information that points to wrongdoing is essential to avert or contain damage at an early stage. Another benefit of identity protection: Whistleblowers suffer no disadvantage by reporting internally first. It is always advantageous for a company if employees forward their information to the internal unit instead of informing the authorities or the press. If no internal channel is available that the whistleblower considers safe, he or she will in many cases choose the less risky, external channel.

ISO standard as best practice guide

The benefits for the company do not arise by themselves. A whistleblowing system is effective if its day-to-day operation works. This includes employee communication when the system is introduced, orderly processing of incoming cases, and clear responsibilities for assessing and following up on a report. The ISO 37002 standard, which has not yet been published but is already available in draft form, can be used by companies as a guide. It complements the EU Directive by formulating best practice for the operational management of whistleblowing systems. The EU Directive focuses on the “what” (setting up a reporting channel, meeting response deadlines) and the “why” (protecting whistleblowers, detecting EU law violations). The ISO standard is more concerned with the “how”. The focus is on how companies can operate a whistleblowing system in such a way that it optimally contributes to uncovering and correcting misconduct.

Practical recommendations

The ISO standard provides recommendations that help companies organise the operational work with the system. What resources do companies need to operate a whistleblowing system? And who is suitable for case management? The standard answers questions that arise at the beginning of a system implementation as well as questions on how to deal with incoming tips: How do you classify cases and how do you evaluate them? In a practical manner, often summarised in compact bulleted lists, the standard gives recommendations on what to consider when receiving, assessing, handling and closing cases.

Conclusion

The EU Whistleblower Directive will help to ensure that whistleblowers can report wrongdoing without having to fear disadvantages. In order for companies to benefit from these reports and correct the misconduct, those responsible must define processes in advance for how cases will be handled and by whom. The ISO 37002 standard provides practical recommendations on what companies should consider when introducing a whistleblowing system and operating it profitably.
