ISO TS 37008-2023 PDF

Full title and description

ISO/TS 37008:2023 — Internal investigations of organizations — Guidance. Technical Specification providing practical, organization‑level guidance for planning, conducting, reporting and following up internal investigations into alleged or suspected wrongdoing, misconduct or non‑compliance. It is intended to help organizations establish policies, procedures and controls to ensure investigations are lawful, objective, confidential and proportionate.

Abstract

This technical specification gives guidance on internal investigations within organizations, including the principles that should govern investigations; management and operational support; establishment of policies, procedures, processes and standards for carrying out and reporting investigations; reporting of results; and the application of remedial measures. It is applicable to all organizations regardless of type, size, location, structure or purpose (see Annex A for guidance on use).

General information

• Status: Published.
• Publication date: July 2023 (published 28 July 2023 in several distributions).
• Publisher: International Organization for Standardization (ISO) / ISO/TC 309.
• ICS / categories: 03.100.02 (Governance and ethics / organizational governance).
• Edition / version: Edition 1 / Technical Specification (ISO/TS 37008:2023).
• Number of pages: 24 pages (first edition).

Details above are taken from the ISO bibliographic record and public standard catalogues.

Scope

Provides guidance for the full lifecycle of an internal investigation in organizations: pre‑investigation arrangements (policy, governance and resourcing), intake and scoping, evidence collection and preservation (including electronic evidence), interviews and fact‑finding, analysis and reporting, remedial measures and follow‑up, and consideration of legal/regulatory engagement. The document is written generically so it can be adapted to different organizational types and jurisdictions.

Key topics and requirements

• Five fundamental principles to apply throughout investigations: independent; confidential; competent and professional; objective and impartial; legal and lawful.
• Governance and management support: establishing investigation policies, roles, authorities, resourcing and reporting lines.
• Preliminary assessment and scoping: triage, risk assessment, proportionality and determining whether a formal investigation is required.
• Evidence handling: preservation, chain of custody, secure storage and appropriate use of electronic evidence and forensics.
• Investigation procedures: investigation team appointment, planning, documentation, interview preparation and conduct, and record‑keeping.
• Reporting: structure and content of investigation reports, findings, conclusion, recommended remedial actions and confidentiality considerations.
• Remedial measures and follow‑up: interim actions, corrective actions, monitoring, discipline and lessons learned.
• Stakeholder engagement: communications (internal and external), regulatory reporting/self‑disclosure and protection of reporters/whistleblowers.
• Legal, privacy and liability considerations: ensuring investigations comply with applicable law and respect data protection and employment rights.
• Practical guidance in Annex A on tailoring and applying the TS in different contexts.

These topics and requirements are summarized from the published specification and practical commentaries.

Typical use and users

Used by compliance functions, legal teams, HR, internal audit, security/forensics teams, governance or risk committees, and senior management to design or improve internal investigation policies and procedures. Applicable for organizations from SMEs to multinational corporations that need consistent, legally sound processes for investigating suspected misconduct (e.g., fraud, bribery, harassment, regulatory breaches). It is also used as a complementary guidance document alongside compliance, anti‑bribery and whistleblowing standards.

Related standards

Commonly referenced and used alongside: ISO 37001 (Anti‑bribery management systems), ISO 37002 (Whistleblowing management systems), ISO 37301 (Compliance management systems), and other ISO/TC 309 governance guidance such as ISO 37000 (Governance of organizations). The TS is positioned to support implementation and operation of compliance, anti‑bribery and whistleblowing arrangements.

Keywords

internal investigation, investigation procedures, governance, compliance, evidence preservation, interviews, report writing, remedial actions, confidentiality, whistleblower protection, ISO/TC 309

FAQ

Q: What is this standard?

A: ISO/TS 37008:2023 is a Technical Specification providing guidance on planning, conducting, reporting and following up internal investigations within organizations. It is not a certifiable management‑system standard but a practical guidance document.

Q: What does it cover?

A: It covers the full investigation lifecycle: governance and policies; intake, scoping and planning; evidence collection and preservation (including digital forensics); interview techniques and record‑keeping; reporting of findings; remedial measures and monitoring; and legal/privacy considerations.

Q: Who typically uses it?

A: Compliance officers, in‑house legal counsel, HR investigators, internal audit, security/forensics teams, risk and governance functions, and senior leaders who need standardized and defensible internal investigation practices.

Q: Is it current or superseded?

A: Current — first published in July 2023 (published distribution shows 28 July 2023) and listed as the 2023 Technical Specification (Edition 1). As an ISO document it will be subject to periodic review; the ISO record indicates the usual systematic review lifecycle.

Q: Is it part of a series?

A: It is part of the body of governance and compliance guidance developed by ISO/TC 309 and is designed to complement standards such as ISO 37001 (anti‑bribery), ISO 37002 (whistleblowing), and ISO 37301 (compliance management). Organizations often implement these standards together to strengthen governance, compliance and investigative capability.

Q: What are the key keywords?

A: internal investigations; governance; compliance; evidence preservation; interviews; reporting; remedial measures; confidentiality; whistleblower protection; ISO/TS 37008:2023.