ISO 27001 Climate Change Amendment
Effective Immediately
In response to the escalating challenges posed by climate change, the International Organization for Standardization (ISO) has introduced a significant amendment to its Management System Standards. Effective immediately, the ISO 27001 Climate Change Amendment mandates organizations to integrate climate change considerations into their information security management systems (ISMS).
This article explores the specifics of these amendments, highlighting the additions to Clauses 4.1 and 4.2 of the ISO Management System Standards and elucidating the intent behind these modifications. Through insights from industry experts and directives from the International Accreditation Forum (IAF), we explore the practical implications for organizations already certified under ISO 27001 and provide comprehensive guidance on the adjustments necessary to align with the new climate change requirements.
Additionally, we examine potential impacts on operations, information security, and overall business resilience, offering practical examples and actionable strategies for addressing climate-related risks and opportunities within the framework of ISO 27001 certification. As organizations navigate this paradigm shift towards climate-conscious management systems, understanding the nuances of the ISO 27001 Climate Change Amendment becomes imperative for ensuring both environmental sustainability and robust information security practices.
What are the New Climate Change Amendments for ISO Certification?
The new climate change amendments are one-line additions to ISO Management System Standards, Clauses 4.1 and 4.2.
Clause 4.1 is about understanding the organization and its context. The climate change addition to this clause is, “The organization shall determine whether climate change is a relevant issue.”
Clause 4.2 is about understanding the needs and expectations of interested parties. The climate change addition to this clause is, “NOTE: Relevant interested parties can have requirements related to climate change.”
What is the Intent of the Climate Change Requirements Added to Clauses 4.1 and 4.2?
“The overall intent of the requirements for clauses 4.1 and 4.2 remain unchanged; these clauses already include the need for the organization to consider all internal and external issues that can impact the effectiveness of their management system; these new inclusions are assuring that Climate Change is considered within the management system and that it is an external factor that is important enough for our community to require organizations to consider it now.” – ANAB Heads Up Issue: 527
What is the Climate Change Amendment?
According to the IAF/ISO (International Organization for Standardization) 22 February 2024 Joint Communiqué and Published on February 23, 2024, the Climate Action Amendment has been added to existing and new ISO Management Systems Standards (MSS) to reflect ISO’s Climate Action commitments.
“It is important that all parties understand the intent so that the changes can be consistently introduced and implemented.”
“In support of the ISO London Declaration on Climate Change, ISO passed a resolution that will result in two new statements of text being added to several existing management system standards and will be included in all new standards under development/revision, to address the need to consider the effect of Climate Change on the ability to achieve the intended results of the management system. The changes will be introduced initially as Amendments to these published standards.
The changes (two new statements) will be incorporated into the new text of the Harmonized Structure (Appendix 2 of the Annex SL in the ISO/IEC Directives Part 1 Consolidated ISO Supplement) as follows.”
From ANAB Heads Up Issue 527:
“FAQs from ANAB
What is the transition process because of the amendments?
The amendments are effective as of the date of publication and there is no transition for implementation because of the overall intent quoted above. See the IAF Final Decision for more details.
What is required of an applicant or certified organization?
As detailed in the IAF Final Decision, certified organizations (including applicants) need to consider if Climate Change is a relevant issue within their own management system(s). If so, as with other relevant issues, the organization must consider it within their system’s objectives and risk evaluation, within the scope of their management system(s).
See the IAF Final Decision for more details.
Does the amendment to the management system standard/s require a revision to the certification document?
No, a revised certificate is not required to be issued for the sole purpose of recognizing the amendment to the management system standard(s). Please refer to the IAF Final Decision, Timing section.”
See the IAF Final Decision for more details.
What Changes do Organizations that are Already ISO 27001 Certified need to make when it comes to the Climate Change Amendment?
The Climate Change Amendment to ISO 27001 is an emerging consideration for organizations seeking to align their information security management systems (ISMS) with climate-related risks and opportunities. While ISO 27001 primarily focuses on information security, organizations may need to make some adjustments to incorporate climate change considerations.
Here are some changes organizations may need to make:
Risk Assessment and Management:
Organizations may need to update their risk assessment processes to include climate-related risks such as extreme weather events, supply chain disruptions due to climate impacts, or regulatory changes related to climate policies. They should identify how these risks could impact their information security objectives and develop appropriate risk management strategies.
Policy Development:
Organizations may need to revise their information security policies to include specific provisions related to climate change. This could involve addressing the security implications of remote work arrangements necessitated by climate-related events, ensuring the security of data stored in environmentally vulnerable locations, or establishing protocols for responding to climate-related cybersecurity threats.
Supplier Management:
Given the increasing emphasis on supply chain resilience in the face of climate change, organizations may need to review and update their supplier management processes. This could involve assessing suppliers’ climate-related risks and resilience measures, incorporating climate-related contractual clauses into supplier agreements, and ensuring the security of information shared with suppliers in the context of climate-related collaborations or contingency planning.
Business Continuity Planning:
Organizations should review their business continuity and disaster recovery plans to account for climate-related scenarios. This may include identifying alternative locations or backup systems to ensure the continuity of critical operations in the event of climate-related disruptions, as well as ensuring the security of data and systems during such events.
Training and Awareness:
Organizations may need to enhance employee training and awareness programs to educate staff about the security implications of climate change and their roles in mitigating related risks. This could involve guiding secure remote work practices during extreme weather events, raising awareness about the importance of safeguarding data in environmentally vulnerable locations, or training staff to recognize and respond to climate-related cybersecurity threats.
Monitoring and Review:
Organizations should regularly monitor and review their ISMS to ensure that it remains effective in addressing climate-related risks and opportunities. This may involve conducting periodic audits or assessments specifically focused on climate change considerations, reviewing the effectiveness of risk management measures in mitigating climate-related risks, and updating policies and procedures as necessary based on changing climate-related factors.
By incorporating these changes into their existing ISO 27001-certified ISMS, organizations can enhance their resilience to climate-related threats while maintaining the security and integrity of their information assets.
Examples of how Climate Change Issues May affect ISO 27001-Certified Companies
Climate change can have various impacts on ISO 27001-certified companies, affecting their operations, information security, and overall business resilience.
Here are some examples of how climate change issues may affect these companies:
Extreme Weather Events:
Climate change can lead to more frequent and severe extreme weather events such as hurricanes, floods, wildfires, and storms. These events can disrupt operations, damage infrastructure, and compromise the availability and integrity of information systems and data. ISO 27001-certified companies may need to implement additional measures to protect their information assets from such events, such as data backup and recovery strategies, redundant systems, and disaster recovery plans that account for climate-related scenarios.
Supply Chain Disruptions:
Climate change can impact supply chains through disruptions in transportation, production, and distribution networks. For example, changes in weather patterns can affect crop yields, leading to shortages of raw materials or increased prices for certain products. ISO 27001 certified companies may need to assess the climate-related risks in their supply chains and implement measures to enhance supply chain resilience, such as diversifying suppliers, conducting risk assessments, and establishing contingency plans for sourcing critical resources.
Regulatory Changes:
Climate change policies and regulations are evolving rapidly around the world, with governments implementing measures to mitigate greenhouse gas emissions, promote renewable energy, and adapt to climate impacts. ISO 27001 certified companies may need to stay informed about these regulatory changes and ensure compliance with relevant requirements that could impact their operations, data management practices, or reporting obligations.
Physical Security Risks:
Climate change can increase the risk of physical security threats to facilities and infrastructure, such as flooding, sea-level rise, landslides, or extreme heat events. ISO 27001-certified companies may need to assess the vulnerability of their physical assets to climate-related hazards and implement measures to protect critical infrastructure, data centers, and other facilities from potential damage or disruption.
Cybersecurity Risks:
Climate change can also exacerbate cybersecurity risks by creating new opportunities for malicious actors to exploit vulnerabilities in systems and networks. For example, extreme weather events may disrupt communication networks or power supplies, increasing the likelihood of cyberattacks such as ransomware or data breaches. ISO 27001 certified companies may need to strengthen their cybersecurity defenses, implement incident response plans, and enhance employee training to mitigate climate-related cybersecurity risks effectively.
Reputational Risks:
Companies that fail to address climate change issues effectively may face reputational risks, including negative publicity, consumer backlash, or investor scrutiny. ISO 27001 certified companies may need to demonstrate their commitment to environmental sustainability and climate resilience through transparent reporting, stakeholder engagement, and corporate social responsibility initiatives that align with their information security objectives.
By proactively addressing these climate change issues, ISO 27001 certified companies can strengthen their resilience, protect their information assets, and maintain the trust and confidence of their stakeholders in an increasingly uncertain and interconnected world.
About Scott Dawson
Since 2010, Scott Dawson, President of Core Business Solutions, has been an active voting member of the U.S. Technical Advisory Group (TAG) to ISO Technical Committee 176 (TC 176). TAG 176 members meet to discuss and develop U.S. positions for Quality Management standards, including ISO 9001:2015, which will be revised in 2026.