ISMS-DOC-A05-4-1 Information Security Whistleblowing Policy

Information Security Whistleblowing Policy

[Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out guidance for information security whistleblowers and how this type of whistleblowing will be managed within the organization.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

A.5 Organizational controls

A.5.4 Management responsibilities

General guidance

A Whistleblowing Policy is not explicitly required by ISO27001 but is certainly relevant to this control. Whistleblowing is increasingly covered by legislation in various countries, including the EU, UK and USA, and you will need to ensure that your policy meets your legal obligations. The emphasis in the ISO27001 standard is on information security matters, and this policy is specifically written to apply to concerns in this area. You could choose to make it more general to cover whistleblowing across all areas of the organization as the principles will be the same.

Review frequency

We would recommend that this document is reviewed annually.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

Information Security Whistleblowing Policy

[Insert classification]

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will

Information Security Whistleblowing Policy

[Insert classification]

create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Information Security Whistleblowing Policy

Information Security Whistleblowing

Revision history

Information Security Whistleblowing Policy

classification]

Distribution

Approval

Information Security Whistleblowing Policy

[Insert classification]

1 Introduction

[Organization Name] accepts that there is a risk that sometimes, despite its best efforts, there may be violations of its information security policy or other actions taken by its personnel which could represent malpractice or be contrary to public interest or applicable legislation. By encouraging a culture of openness, it may be feasible to both prevent such occurrences in the first place, and to address them when and if they do happen. This may only be possible if people are willing to come forward to raise concerns, safe in the knowledge that by doing so, they will not be risking victimisation or the loss of their job. The act of coming forward, referred to as “whistleblowing”, is encouraged within [Organization Name] and protection is provided to ensure that concerns can be raised in a confidential manner.

The purpose of this document is to describe [Organization Name]’s policy with respect to whistleblowing in the area of information security. Note that concerns regarding areas other than information security are covered in separate policies.

Whistleblowers are protected by law in many countries, including:

• Within the European Union, by the European Whistleblower Protection Directive

• In the UK, by the Public Interest Disclosure Act and the Employment Rights Act

• At the federal level in the USA, by the Whistleblower Protection Act

• By the Public Interest Disclosure Act in Australia

• [State relevant laws for the countries in which your organization operates note that some legislation may only apply in specific sectors, for example public sector]

It is [Organization Name]’s duty to comply with relevant legislation with regard to whistleblowing.

The following policies and procedures are relevant to this document:

Information Security Whistleblowing Policy

classification]

2 Information security whistleblowing policy

2.1 Whistleblowing definition

Whistleblowing is defined as the reporting of suspected or actual wrongdoing by a whistleblower.

Further definitions to support this are as follows:

• Wrongdoing action(s) or omission(s) that can cause harm

• Whistleblower a person who reports suspected or actual wrongdoing, and has reasonable belief that the information is true at the time of reporting

• Reasonable belief a belief held by an individual based on observation, experience or information known to that individual, which would also be held by a person in the same circumstances

(These definitions are taken from ISO 37002 Whistleblowing management systems Guidelines).

2.2 Who can raise a concern

Under this whistleblowing policy, concerns may be raised by any employee or other interested party of [Organization Name] This includes suppliers, customers, partners and temporary personnel.

2.3 Types of relevant concern

Concerns may be raised about any information security related matter. Examples of actual or potential wrongdoing could include:

• Actual or potential legal violations, for example of data protection law

• Noncompliance with information security policy

• Inadequate information security controls

• Breaches that have not been handled or reported appropriately

• Suspicions about various forms of malpractice, including fraud and corruption affecting information security within [Organization Name]

Whistleblowing does not include personal grievances (such as bullying, harassment or discrimination) affecting the individual making the complaint, which should be raised via normal management channels or using the grievance procedure.

Information Security Whistleblowing Policy

[Insert classification]

2.4 How to raise a concern

Concerns should be raised confidentially to your immediate line manager in the first instance. This may be done via any reasonable method, including verbally, via email or in writing.

If you feel that it is inappropriate to raise the concern with your line manager, you may approach their manager directly, or another person within the organization who is particularly relevant to the concern, for example the Chief Information Security Officer (CISO).

In a case where you do not feel that this is appropriate, you may report your concern to a member of the Executive Team.

Although still permitted, whistleblowers are encouraged not to submit reports anonymously as this makes their investigation more difficult and may result in legal protections not being applicable.

2.5 Information required when raising a concern

When raising a concern, sufficient detail will need to be provided to allow it to be investigated and verified. This will typically include:

• Dates and times of relevant events

• Names of people involved

• A full description of what is understood to have happened, or could happen

• Any other information useful to an investigation

Care should be taken to ensure the accuracy of the information provided, and evidence should be included where possible, although this is not essential

2.6 Confidentiality and support for whistleblowers

It is a fundamental principle of this policy and of relevant legal protection that the whistleblower should not suffer negative consequences, such as victimisation, demotion or loss of employment, through their actions.

Whistleblowing reports will be kept confidential and the identity of the person making the report will not be made known except to those involved in the investigation. If it becomes impossible to maintain confidentiality, this will be discussed with the whistleblower first

Where appropriate, access to advice and counselling services will be made available to the whistleblower during the investigation.

Information Security Whistleblowing Policy

[Insert classification]

The whistleblower may be accompanied at meetings by a colleague or trade union representative if they choose to do so.

2.7 Handling of concerns raised

It will be the responsibility of the person to whom the concern was raised to either investigate it directly, or to raise it confidentially with an appropriate person. Depending on the issue, a more in depth formal investigation may result.

Whistleblowing reports must be dealt with consistently and fairly.

The person raising the concern (the whistleblower) will be kept informed regarding the progress and results of investigations, unless this is not permitted for third party confidentiality reasons.

Where appropriate, independent subject matter experts may be called upon to conduct the investigation and liaise with the whistleblower.

2.8 External Disclosures

It is [Organization Name] policy to encourage the reporting of concerns internally, so that the organization has an opportunity to handle the matter in the most appropriate way. In the event that a whistleblower feels justified in reporting the concern outside of the organization, they should at first consider bodies that have a regulatory role in our industry. This will help to ensure that legal protections for the whistleblower remain applicable.

Reporting concerns directly to the media or making them public via the Internet without following internal procedures may be seen as an unreasonable route and so result in disciplinary action being taken. This may also limit the legal protection available to the whistleblower.

2.9 Legal rights regarding whistleblowing

The legal obligations of [Organization Name] with regard to whistleblowing vary according to the country involved.

Within the European Union, the organization has a responsibility to:

• Acknowledge receipt of a whistleblower report within a seven day period

• Provide prompt and appropriate feedback to the whistleblower during the investigation

• Complete the investigation of the concern within 90 days of the filing of the report

Information Security Whistleblowing Policy

[Insert classification]

Ensure comprehensive records of the investigation are maintained

[Add legal obligations within the countries in which your organization

2.10Malicious whistleblowing

Whistleblowing reports must be made in good faith and in a reasonable belief that the information provided is true. Reports made with malicious intent may be subject to disciplinary action.