ISO Goes Green: What You Need to Know About the Climate Change Addition to ISO Standards

What happened?

On 23 February 2024, the International Organization for Standardization (ISO) passed a resolution to add two new statements on climate change to several existing management system standards.

The purpose of these changes is to support the ISO London Declaration on climate change, and to ensure organisations consider the effect of climate change on their ability to achieve the intended results of the relevant management system(s).

To comply, identify if climate change applies to your certification(s) and conduct a risk assessment to review the impact on the organisation’s risk profile. Tailor your management system documentation to include climate change as either an internal or external issue and raise the related environmental risk(s) in your risk register. These changes should be effected before your next recertification or surveillance audit.

What do the changes look like?

The published changes to the ISO standards affect Clauses 4.1 and 4.2 and are depicted as follows:

4.1 Understanding the organisation and its context.

The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its XXX management system.

Added: The organisation shall determine whether climate change is a relevant issue.

4.2 Understanding the needs and expectations of interested parties.

The organisation shall determine:

  • the interested parties that are relevant to the XXX management system.
  • the relevant requirements of these interested parties.
  • which of these requirements will be addressed through the XXX management system.

Added: NOTE: Relevant interested parties can have requirements related to climate change.

Which standards do the changes apply to?

The climate change amendment applies to all Type A ISO management system standards, i.e., those that specify requirements for a management system and to which an organisation can be certified. This includes the following standards: ISO 14001, ISO 45001, ISO 9001, ISO/IEC 20000, and ISO/IEC 27001. A full list is available here.

What do you need to do to comply?

  1. Check whether the climate change amendments apply to the relevant standard(s) which your organisation currently holds or intends to obtain here.
  2. If climate change is found to be a relevant issue, consider incorporating the following (taking ISO 27001 – Information Security – as an example):
    • Conduct a risk assessment and create associated actions based on the organisation’s risk management framework, focusing on the impact of climate change on the Information Security Management System (ISMS). Factors to consider include: the type of ISO standard(s) applicable to the organisation; the purpose of the organisation; the locations of the organisation; and the products and services that the organisation provides. For example: the risk of climate change has a moderate impact on the organisation’s offsite data centre located near areas with rising sea levels.
    • Add climate change as an external issue as part of Clause 4.1 of the ISO 27001 standard. Most organisations will have a Scope Document which lists the internal and external issues that could impact the ISMS. Consider adding climate change as an external issue and describing the impact it has on the ISMS, e.g., environmental conditions could impact the facilities housing critical information assets.
    • Add climate change as an information security requirement impacting the ISMS as part of Clause 4.2 of the ISO 27001 standard. For example, for a relevant interested party such as third-party vendors, organisations could add a climate change requirement to ensure that vendors are responsible for secure destruction following recycling practices to reduce greenhouse gas emissions.
  3. In cases where an organisation reviews and confirms that climate change is not a relevant issue for the business, e.g., your organisation does not produce carbon emissions or have data centres prone to environmental disasters, it is worthwhile to consider adding climate change as a low-tier risk which the organisation accepts and periodically reviews.

Sekuro has a Governance, Risk and Compliance consultancy service. Contact us if you have any questions or require assistance in aligning with these amendments.

Martin Hossain

Governance, Risk and Compliance Analyst, Sekuro