Understanding the ISO 27001 Climate Change Amendment

The International Organization for Standardization (ISO) addressed the issue of climate change by publishing ISO/IEC 27001:2022 Amendment 1, "Climate action changes," in February 2024. The amendment does not add new controls; it requires organizations to determine whether climate change is a relevant issue for their information security management system (ISMS) and to account for any climate-related requirements their interested parties may have.

The ISO 27001 climate change amendment made the following changes to clauses 4.1 and 4.2:

ISO 27001 Clause 4.1 Understanding the Organization and Its Context

Added the following sentence at the end of the subclause: The organization shall determine whether climate change is a relevant issue.

ISO 27001 Clause 4.2 Understanding the Needs and Expectations of Interested Parties

Added the following note at the end of the subclause: NOTE 2 Relevant interested parties can have requirements related to climate change.

The same climate change wording was added to ISO's other management system standards as well, not just ISO 27001, so organizations holding multiple certifications will see it in each of them.

How Climate Could Impact Your ISMS

If your organization reviews whether climate change poses a risk to your ISMS and determines that it does not, record that determination and the reasoning behind it in your context-of-the-organization documentation so an auditor can see the question was considered; no further changes are needed. Even so, be aware that a climate event could impact your security operations and create a need for specific policies and procedures.

Extreme Weather

Hurricanes, floods, fires, and other extreme weather events can damage infrastructure and compromise your ability to access data. Organizations should have policies for data backup and recovery, system redundancy, and disaster recovery that account for these weather-based scenarios, and those plans should be tested rather than just written.

These weather events can also leave physical assets unprotected, for example when a site is evacuated or physical access controls lose power. Organizations should assess how vulnerable data centers, critical infrastructure, and other facilities are in the case of severe weather.

Compromised Supply Chains

Weather events can disrupt the vendors whose products and services your ISMS depends on. Material shortages and transportation interruptions are some of the impacts you could face. Identify the suppliers that represent single points of failure and line up secondary vendors in advance so that a weather event at your primary supplier does not take down your own operations.

Cybersecurity Vulnerability

If a weather event damages communication or power networks, your organization could be more vulnerable to a cyber-attack, since the same outage can disable monitoring, logging, alerting, and the connectivity that authentication and remote administration rely on. Be sure you have security controls that account for communication and power networks being unreliable or down completely: controls that fail closed when connectivity drops, backup power for monitoring and logging, and a way to detect that you have lost visibility rather than assuming silence means safety.

CompliancePoint has a team of ISO experts who specialize in helping businesses achieve and maintain certification for ISO 27001, ISO 27701, and ISO 42001. To learn more about how we can help your business, reach out to us at connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.