What you need to know about the new ISO Standard for Internal Investigation

The International Organization for Standardization, on July 28, 2023, published a standard for internal investigations (the “ISO Standard”)^[1], after two years of work and discussions by leading experts worldwide.

The ISO standard is aimed at providing objective criteria and guidelines to help organizations in conducting internal investigations properly and reflects best practices and tested methods from all over the world. As a global and general standard, it is suitable to be used by any organization, regardless of corporate structure, country, or size and the issues to be investigated.

The ISO standard is certainly a useful tool also for Italian companies in those cases where corporate criminal liability may arise, and internal investigations are managed by external lawyers in compliance with the provisions of the Italian Code of Criminal Procedure^[2] (so called “defensive investigations”). The ISO standard complements the existent legal framework by helping to create an investigation process.

Below is a brief overview of the main features of the ISO Standard that companies need to know to conduct effective internal investigations.

ISO Standard: Key principles

Firstly, the ISO Standard provides a list of principles to be followed to conduct a successful internal investigation. Mainly, the investigation shall be led by a professional and properly trained investigator or lawyer, in compliance with applicable law. Particular attention must be paid to confidentiality regarding both the parties involved and the case as a whole.

The ISO Standard also highlights the need for support from management of the involved entity during the internal investigation. It then provides a series of guidelines for handling sensitive matters, such as:

• instituting anti-retaliation measures in order to create a safe environment for employees participating in the investigation;
• issuing strong company investigation policies and procedures: indeed, a well-built policy is crucial for employees, management and the different corporate functions to have a better understating on when a defensive investigation shall be initiated, the do’s and don’ts, as well as their roles and the steps to be followed. Furthermore, policies shall also cover in a clear and punctual manner IT and data protection aspects for companies to be able to carry out email review without incurring in potential breaches of data protection rules;
• ensuring that the investigation is fair, while keeping organization and management informed.

ISO Standard: Key steps for conducting an internal investigation

After setting forth the basic principles, the ISO Standard addresses the key steps that underlie a successful internal investigation, including the following:

1. appointment of the investigation team, as well as the establishment of the role of each member of the team;
2. preparation of investigation activities, including all aspects of planning and establishing the scope of the internal investigation based on available information, the parties involved, the evidence collected, and so on;
3. establishment of the protective measures to be implemented to protect the investigation team, witnesses, and other parties involved;
4. determining how to collect and store evidence related to the investigation;
5. determining how to handle discussions and relationships with internal and external stakeholders, including potential cooperation with regulators and other public authorities;
6. steps to be taken at the conclusion of the investigation, including remedial action to be carried out and disciplinary sanctions.

Final remarks

The ISO Standard is of great importance in the current Italian legislative landscape, not only because it provides additional operational standards useful for defensive investigation, but also in the context of the whistleblowing regulation set forth in the Legislative Decree No. 24/2023.^[3] Indeed, proper handling of internal investigations is a crucial aspect for a whistleblowing system to be effectively implemented. As a matter of fact, having a comprehensive and widespread set of objective criteria and guidelines to be followed is certainly of help for the companies in:

• effectively handling any reported potential misconducts;
• designing effective and appropriate measures to prevent the same kind of misconducts from recurring or new kinds of misconducts from occurring;
• avoiding potential corporate criminal liability and damage to their reputations stemming from misconducts.

[1] ISO TS 37008:2023, a preview of which is available at this link.

[2] Defensive investigations are regulated by Artt. 327-bis and 391-bis and ff. of the Italian Code of Criminal Procedure (“ICCP”), providing a set of rules on how to carry out specific activities such as interviews, requests of documents, etc. In addition to the provisions of the ICCP, the “Code of Conduct of the defense counsel during the defensive investigations” establishes the duties and the rights of the lawyers conducting the investigation and of the people involved while the “Privacy Code of Conduct for defensive investigations” governs the processing of personal data of the individuals involved in a defensive investigation.

[3] The Legislative Decree entered into force on July 15, 2023. For further information on the implementation of the whistleblowing decree in Italy, refer to our article at this link.