Considering Climate Change in ISO 27001

The International Organization for Standardization (ISO) and the International Accreditation Forum (IAF) have published two climate action amendments for existing and new management systems.  These amendments, which were published in February 2024, are part of ISO’s commitment to climate action and support the ISO London Declaration on Climate Change.

The amendments fall under Clauses 4.1 and 4.2.  Many organizations may already be considering the impact of climate change under these clauses as internal or external issues, and/or as part of understanding the needs and expectations of interested parties.  However, the amendments now make it a requirement that organizations explicitly consider climate change and incorporate any relevant aspects into their management system.

It should be noted that these changes are not a new standard, and there is no need for re-certification at this time. These short amendments are also available for free download.  To learn more about ISO’s revision process, read this article from Quality Digest.

Here are the changes, which fall under Section 4:

4.1 Understanding the organization and its context.

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

Text added to the end of subclause:
The organization shall determine whether climate change is a relevant issue. 

4.2 Understanding the needs and expectations of interested parties.

The organization shall determine:

• • Interested parties that are relevant to the information security management system.
  • The relevant requirements of these interested parties.
  • Which of these requirements will be addressed through the information security management system.

Note added to the end of subclause:
NOTE: Relevant interested parties can have requirements related to climate change.