ISMS-DOC-A05-4-1 Information Security Whistleblowing Policy
ISO/IEC 27001 Toolkit: Version 13
Information Security Whistleblowing Policy
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document sets out guidance for information security whistleblowers and how this type of whistleblowing will be managed within the organization.
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
• A.5 Organizational controls
  • A.5.4 Management responsibilities
General guidance
A Whistleblowing Policy is not explicitly required by ISO27001 but is certainly relevant to this control. Whistleblowing is increasingly covered by legislation in various countries, including the EU, UK and USA, and you will need to ensure that your policy meets your legal obligations. The emphasis in the ISO27001 standard is on information security matters, and this policy is specifically written to apply to concerns in this area. You could choose to make it more general to cover whistleblowing across all areas of the organization, as the principles will be the same.
Review frequency
We would recommend that this document is reviewed annually.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions document, which also contains guidance on working with the toolkit documents on an Apple Mac and in Google Docs/Sheets.
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Information Security Whistleblowing Policy [Insert classification]
Information Security Whistleblowing Policy
DOCUMENT CLASSIFICATION [Insert classification]
DOCUMENT REF ISMS-DOC-A05-4-1
VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]
Distribution
Approval
1 Introduction
[Organization Name] accepts that there is a risk that sometimes, despite its best efforts, there may be violations of its information security policy or other actions taken by its personnel which could represent malpractice or be contrary to public interest or applicable legislation. By encouraging a culture of openness, it may be feasible to both prevent such occurrences in the first place, and to address them when and if they do happen. This may only be possible if people are willing to come forward to raise concerns, safe in the knowledge that by doing so, they will not be risking victimisation or the loss of their job. The act of coming forward, referred to as “whistleblowing”, is encouraged within [Organization Name] and protection is provided to ensure that concerns can be raised in a confidential manner.
Whistleblowers are protected by law in many countries, including:
• Within the European Union, by the European Whistleblower Protection Directive
• In the UK, by the Public Interest Disclosure Act and the Employment Rights Act
• At the federal level in the USA, by the Whistleblower Protection Act
• By the Public Interest Disclosure Act in Australia
• [State relevant laws for the countries in which your organization operates – note that some legislation may only apply in specific sectors, for example public sector]
It is [Organization Name]’s duty to comply with relevant legislation with regard to whistleblowing.
The purpose of this document is to describe [Organization Name]’s policy with respect to whistleblowing in the area of information security. Note that concerns regarding areas other than information security are covered in separate policies.
This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The intended audience for this policy is all employees and other interested parties of [Organization Name].
Failure to comply with the contents of this policy may result in disciplinary action being taken by [Organization Name] against the individual(s) concerned.
Terms used in this policy are defined as follows:
• Whistleblowing is defined as the reporting of suspected or actual wrongdoing by a whistleblower.
• Wrongdoing means an action(s) or omission(s) that can cause harm.
• Whistleblower means a person who reports suspected or actual wrongdoing, and has reasonable belief that the information is true at the time of reporting.
• Reasonable belief means a belief held by an individual based on observation, experience or information known to that individual, which would also be held by a person in the same circumstances.
(These definitions are taken from ISO 37002 – Whistleblowing management systems – Guidelines.)
The following ISMS documents and external references are relevant to this document:
• Acceptable Use Policy
• Information Security Event Reporting Procedure
• Privacy and Personal Data Protection Policy
• ISO 37002 – Whistleblowing management systems – Guidelines
2 Information security whistleblowing policy
2.1 Who can raise a concern
Under this whistleblowing policy, concerns may be raised by any employee or other interested party of [Organization Name]. This includes suppliers, customers, partners and temporary personnel.
2.2 Types of relevant concern
Concerns may be raised about any information security-related matter. Examples of actual or potential wrongdoing could include:
• Actual or potential legal violations, for example of data protection law
• Noncompliance with information security policy
• Inadequate information security controls
• Breaches that have not been handled or reported appropriately
• Suspicions about various forms of malpractice, including fraud and corruption affecting information security within [Organization Name]
Whistleblowing does not include personal grievances (such as bullying, harassment or discrimination) affecting the individual making the complaint, which should be raised via normal management channels or using the grievance procedure.
2.3 How to raise a concern
Concerns should be raised confidentially to your immediate line manager in the first instance. This may be done via any reasonable method, including verbally, via email or in writing.
If you feel that it is inappropriate to raise the concern with your line manager, you may approach their manager directly, or another person within the organization who is particularly relevant to the concern, for example the Chief Information Security Officer (CISO).
In a case where you do not feel that this is appropriate, you may report your concern to a member of the Executive Team.
Although anonymous reports are still permitted, whistleblowers are encouraged not to submit reports anonymously, as this makes investigation more difficult and may mean that legal protections do not apply.
2.4 Information required when raising a concern
When raising a concern, sufficient detail will need to be provided to allow it to be investigated and verified. This will typically include:
• Dates and times of relevant events
• Names of people involved
• A full description of what is understood to have happened, or could happen
• Any other information useful to an investigation
Care should be taken to ensure the accuracy of the information provided, and evidence should be included where possible, although this is not essential.
2.5 Confidentiality and support for whistleblowers
It is a fundamental principle of this policy and of relevant legal protection that the whistleblower should not suffer negative consequences, such as victimisation, demotion or loss of employment, through their actions.
Whistleblowing reports will be kept confidential and the identity of the person making the report will not be made known except to those involved in the investigation. If it becomes impossible to maintain confidentiality, this will be discussed with the whistleblower first.
Where appropriate, access to advice and counselling services will be made available to the whistleblower during the investigation.
The whistleblower may be accompanied at meetings by a colleague or trade union representative if they choose to do so.
2.6 Handling of concerns raised
It will be the responsibility of the person to whom the concern was raised either to investigate it directly or to raise it confidentially with an appropriate person. Depending on the issue, a more in-depth formal investigation may result.
Whistleblowing reports must be dealt with consistently and fairly.
The person raising the concern (the whistleblower) will be kept informed regarding the progress and results of investigations, unless this is not permitted for third party confidentiality reasons.
Where appropriate, independent subject matter experts may be called upon to conduct the investigation and liaise with the whistleblower.
2.7 External Disclosures
It is [Organization Name]’s policy to encourage the reporting of concerns internally, so that the organization has an opportunity to handle the matter in the most appropriate way. In the event that a whistleblower feels justified in reporting the concern outside of the organization, they should first consider bodies that have a regulatory role in our industry. This will help to ensure that legal protections for the whistleblower remain applicable.
Reporting concerns directly to the media or making them public via the Internet without following internal procedures may be seen as an unreasonable route and so result in disciplinary action being taken. This may also limit the legal protection available to the whistleblower.
2.8 Legal rights regarding whistleblowing
The legal obligations of [Organization Name] with regard to whistleblowing vary according to the country involved.
Within the European Union, the organization has a responsibility to:
• Acknowledge receipt of a whistleblower report within a seven-day period
• Provide prompt and appropriate feedback to the whistleblower during the investigation
• Complete the investigation of the concern within 90 days of the filing of the report
• Ensure comprehensive records of the investigation are maintained
[Add legal obligations within the countries in which your organization operates].
2.9 Malicious whistleblowing
Whistleblowing reports must be made in good faith and in a reasonable belief that the information provided is true. Reports made with malicious intent may be subject to disciplinary action.