ISO 37002:2021 guidance alignment map
ISO 37002:2021 Whistleblowing management systems — Guidelines is the international standard for how an organization should receive, assess, address, and conclude reports of wrongdoing. It is the best-practice companion to the legal obligation in EU Directive 2019/1937: the Directive says you must operate an internal reporting channel; ISO 37002 describes what a good one looks like.
ISO 37002 is a guidelines standard, not a requirements standard. No organization and no platform can be certified against it — it carries recommendations, not auditable requirements. Any vendor claim of “ISO 37002 certification” is, strictly, inaccurate. The honest position any provider can hold is alignment with the guidance. This page is that alignment, stated openly and clause by clause.
EthicsPortal does not hold, and does not claim, certification against any ISO 37002-related standard. When EthicsPortal pursues accredited certification against a certifiable standard, the certificate scope and date will be published on /trust/.
Last updated: 2026-06-18.
Who operates what: the shared-responsibility boundary
ISO 37002 is written for the organization that operates a whistleblowing management system — in EthicsPortal’s model, that is the customer (the controller). EthicsPortal is the software and infrastructure the customer uses to run that system; in GDPR terms, the processor.
That split matters for reading this page. The management-system clauses — leadership commitment, organizational culture, internal audit, management review — are operated by the customer organization and cannot be discharged by software. What EthicsPortal can do is provide the operational machinery the standard’s process clauses describe (Clause 8: receiving, assessing, addressing, concluding) and enable the surrounding management-system clauses with configurable tooling, records, and generated policy documents.
| Status | Meaning |
|---|---|
| Provided | EthicsPortal implements this directly as a product capability; the customer gets it by operating the portal |
| Enabled | The customer operates this clause as part of their management system; EthicsPortal supplies the tooling, configuration, records, or evidence that supports conformance |
| Self-assessed | Provided substantively as the clause describes, but not independently audited |
| Customer responsibility | Operated entirely within the customer organization, outside the software (e.g. leadership tone, staff culture); EthicsPortal documents the boundary so the gap is not mistaken for a product gap |
The companion documents this page cites:
- Directive 2019/1937 coverage map — article-by-article legal mapping that overlaps heavily with ISO 37002 Clause 8
- Directive interpretations — how the ambiguous provisions are read
- Product — the reporting, handler, and case-management surfaces referenced below
- Security — technical and organizational measures behind the protection guarantees
- ISO/IEC 27001:2022 Annex A control map — the information-security substrate ISO 37002 §7 relies on
Guiding principles (Clause 4.4)
ISO 37002 builds the whole system on a small set of principles. The three that bear directly on the software:
| Principle | Status | How EthicsPortal supports it |
|---|---|---|
| Trust | Provided | Reporters get a secure, unique portal per organization, acknowledgement of receipt, and a tracked channel for two-way communication — so reporting is credible and visibly acted on. The audit trail makes handling demonstrable to the reporter and to auditors |
| Impartiality | Enabled | A handler with a conflict steps off by reassigning the case and recording the reason in an internal, audit-logged note — the procedure the case-handler manual prescribes. Admins control assignment, and a read-only viewer role lets an independent party or legal counsel review the case and its audit trail without altering it |
| Protection | Provided | Reporter confidentiality is enforced in the data model: anonymous reporting collects no identity at all; in identified reporting the identity fields are encrypted at rest; no reporter IP address is stored; metadata is stripped from uploads; oral-report audio is pitch-shifted locally and the raw recording purged; and the handler’s name is withheld from the reporter (shown as “Case handler”) (Security). Protection from detriment is supported too: a reporter can flag a follow-up as being about retaliation, raising a prominent handler alert |
Clause 5 — Leadership and commitment
| Clause | Title | Status | How EthicsPortal addresses it |
|---|---|---|---|
| 5.1 | Leadership and commitment | Customer responsibility | Top-management commitment is set inside the customer organization. EthicsPortal makes the commitment operable: the portal is the visible artifact of that commitment, deployed under the organization’s own branding |
| 5.2 | Whistleblowing policy | Enabled | The customer adopts the policy. The portal gives it an operational home: a standard report-category taxonomy, deployed under the organization’s own branding; the published Directive coverage map serves as a drafting reference |
| 5.3 | Roles, responsibilities and authorities | Enabled | Three-role RBAC (admin / member / viewer) lets the customer assign handling authority and a read-only audit role; assignment and reassignment are recorded in the audit log |
Clause 6 — Planning
| Clause | Title | Status | How EthicsPortal addresses it |
|---|---|---|---|
| 6.1 | Actions to address risks and opportunities | Customer responsibility | Risk identification for the customer’s own reporting system is theirs; EthicsPortal’s platform-level risk posture is published separately in the risk register |
| 6.2 | Whistleblowing management system objectives | Enabled | Case status, deadline tracking, and exportable records give the customer the measurement base to set and track objectives (e.g. acknowledgement and feedback timeliness) |
Clause 7 — Support
| Clause | Title | Status | How EthicsPortal addresses it |
|---|---|---|---|
| 7.1 | Resources | Enabled | The platform is the operational resource for the reporting channel; EU hosting, backup, and continuity are documented on Trust and the business continuity plan |
| 7.2 | Competence | Customer responsibility | Handler competence is developed by the customer; EthicsPortal keeps the handler interface simple enough that handling does not require specialist software training |
| 7.3 | Awareness | Customer responsibility | Staff awareness campaigns are the customer’s to run; the portal is the reporter-facing surface those campaigns point to |
| 7.4 | Communication | Provided | Two-way communication between handler and reporter is built in and preserves anonymity — the reporter can respond and receive feedback without ever revealing identity, and (when they chose to leave an address) is notified by email of new handler messages |
| 7.5 | Documented information | Provided | Every action is captured in an append-only audit log; cases export to a PDF record; retention is configurable and country-minimum enforced (Security) |
Clause 8 — Operation (the core process)
Clause 8 is where ISO 37002 stops being a management-system frame and describes the actual handling lifecycle. This is the clause EthicsPortal implements most directly, and it overlaps heavily with Articles 8–9 of the Directive — see the Directive coverage map for the legal mirror of the same capabilities.
8.2 Receiving reports of wrongdoing
| Guidance area | Status | How EthicsPortal addresses it |
|---|---|---|
| Multiple, accessible reporting channels | Provided | Web portal (any device, no app or account required) plus an oral-reporting voice channel; reports are filed against a standard report-category taxonomy |
| Anonymous and identified reporting | Provided | The reporter chooses anonymous (no identity collected) or identified (identity fields encrypted at rest); either way a 6-digit passcode (bcrypt-hashed, non-recoverable) lets the reporter return to their case; no reporter IP address is stored |
| Acknowledgement of receipt | Provided | The reporter sees an immediate on-screen submission receipt; the Directive’s 7-day acknowledgement of receipt is a tracked handler obligation, with due-soon and overdue cases surfaced on the handler dashboard |
| Secure intake | Provided | Encrypted transport and at-rest field encryption; metadata stripped from uploaded files; uploads virus-scanned and gated until clean (Security) |
8.3 Assessing reports of wrongdoing
| Guidance area | Status | How EthicsPortal addresses it |
|---|---|---|
| Initial assessment and triage | Provided | The handler sets a case priority (low/normal/high/urgent) at assessment, recorded in the audit trail; category, status, and case fields support triage |
| Managing conflicts of interest | Enabled | A handler who identifies a conflict reassigns the case and records the reason in an internal, audit-logged note, as the case-handler manual instructs; reassignment is itself recorded in the audit trail. The read-only viewer role supports independent oversight. The control is the documented procedure plus these primitives, not a dedicated recusal widget |
| Deciding the handling route | Customer responsibility | Whether a report is investigated internally, escalated, or referred is the customer’s decision; the case record captures the decision and its timestamp |
8.4 Addressing reports of wrongdoing
| Guidance area | Status | How EthicsPortal addresses it |
|---|---|---|
| Investigation and follow-up | Enabled | Case workflow tracks status through handling; the handler can request more information from an anonymous reporter and document findings against the case |
| Protecting the whistleblower | Provided | The handler’s name is withheld from the reporter (“Case handler”); reporter identity, when given, is encrypted at rest; access is scoped by role. The reporter can flag retaliation at intake or on any later follow-up, which raises a prominent handler alert (Art. 19 detriment). Note: GDPR Art. 14 notice to third parties named in a report is the customer’s (controller’s) responsibility — the platform does not automate it |
| Communication with the reporter during handling | Provided | The two-way anonymous channel stays open through the life of the case |
8.5 Concluding whistleblowing cases
| Guidance area | Status | How EthicsPortal addresses it |
|---|---|---|
| Providing feedback to the reporter | Provided | The 3-month feedback obligation is tracked; feedback is delivered through the same anonymous channel |
| Closing the case and recording the outcome | Provided | Case closure with recorded outcome; the full handling history is preserved in the audit log and the PDF case export |
| Record retention and disposal | Provided | Configurable retention (12/24/36/48/60 months, country-minimum enforced); 18-month inactivity auto-close starts the retention clock; data export and deletion on contract exit per the DPA (Security) |
Clause 9 — Performance evaluation
| Clause | Title | Status | How EthicsPortal addresses it |
|---|---|---|---|
| 9.1 | Monitoring, measurement, analysis and evaluation | Enabled | An exportable compliance report aggregates the programme: report volumes (open/closed), acknowledgement and feedback on-time rates with currently-overdue counts, a breakdown of reports by priority and by category, a breakdown of closed reports by outcome, and audit-trail activity. Case status and deadline tracking surface the same data live |
| 9.2 | Internal audit | Enabled | The read-only viewer role lets an internal auditor or external reviewer inspect cases and the audit trail without altering them |
| 9.3 | Management review | Customer responsibility | Conducted by the customer’s management; the exportable compliance report — volumes, SLA timeliness, priority/category/outcome breakdowns, audit-trail activity — is the artifact that feeds the review |
Clause 10 — Improvement
| Clause | Title | Status | How EthicsPortal addresses it |
|---|---|---|---|
| 10.1 | Nonconformity and corrective action | Customer responsibility | Corrective action on the customer’s own system is theirs; platform-level incidents affecting the service are recorded openly in the incident register |
| 10.2 | Continual improvement | Enabled | Product changes that affect the handling lifecycle are released continuously; material changes are noted in the revision history of the relevant evidence pages |
Summary
ISO 37002 splits cleanly along the software/operator boundary:
- Clause 8 (the handling lifecycle) — receiving, assessing, addressing, and concluding reports — is where EthicsPortal does the substantive work, and most of it is Provided directly by the product.
- Clauses 5–7, 9–10 (the management-system frame) — leadership, planning, performance evaluation, improvement — are operated by the customer organization, with EthicsPortal supplying the tooling, records, and evidence that make conformance achievable.
The honest summary a procurement reviewer should take away: EthicsPortal is the infrastructure on which a customer’s ISO 37002-aligned whistleblowing management system runs. The software cannot make an organization conform on its own — no software can — but it provides the operational core the standard describes, and it does not overstate the position by claiming a certification that the standard does not offer.
Related standards: where the channel fits
ISO 37002 governs the whistleblowing channel itself. Two adjacent management-system standards require such a channel as one of their clauses, and EthicsPortal is the component that satisfies that clause:
- ISO 37301:2021 (Compliance management systems) — §8.3 Raising concerns requires an accessible reporting process that allows anonymous reporting, keeps reports confidential, ensures concerns are addressed, and protects reporters from retaliation.
- ISO 37001 (Anti-bribery management systems) — §8.9 Raising concerns requires a procedure to report suspected or actual bribery, with confidentiality, anonymous reporting, and protection from retaliation.
EthicsPortal is the raising-concerns / speak-up component of either system — the operational channel those standards oblige the organization to provide. It does not, on its own, constitute a compliance or anti-bribery management system: those are far broader (obligations registers, compliance risk assessment, controls across every compliance domain) and are operated by the organization itself.
Unlike ISO 37002, both 37301 and 37001 are certifiable requirements standards — but certification belongs to the organization that runs the management system, not to a software tool used within it. A vendor’s 37301/37001 certificate attests to how that vendor runs its own compliance function; it does not transfer to the customer’s system or describe what the software does.
Document control
| Field | Value |
|---|---|
| Document title | EthicsPortal ISO 37002:2021 Guidance Alignment Map |
| Version | 1.0 |
| Effective date | 2026-06-18 |
| Last reviewed | 2026-06-18 |
| Next scheduled review | 2027-06-18 |
| Review trigger (interim) | Material change to the report-handling lifecycle (intake, assessment, communication, closure, or retention); publication of a revised ISO 37002 |
| Owner | Yaroslav Shmarov, operator |
This page is not an attestation of certification — ISO 37002 does not offer one. It is a self-assessment of how the Service aligns with the standard’s guidance. Material discrepancies between this page and the actual operation of the Service should be reported to support@ethicsportal.eu.