With climate considerations playing a larger role in corporate risk management and strategic planning, the ISO/IEC 27001 cybersecurity standard has been updated to include the potential impacts of climate change on an organization’s Information Security Management Systems (ISMS).
Under an amendment issued in February 2024, organizations preparing for an ISO/IEC 27001 audit are required to consider the potential risks climate change can present to their ISMS, as well as any potential implications for interested parties.
In a joint statement, ISO and the International Accreditation Forum highlighted the need for organizations to consider the effects of climate change on their ability to achieve the intended results of the management system.
The statement explained that some climate-related risks, such as those affecting regulatory compliance or organizational resilience, may have a general effect on an organization’s ISMS. Other organizations will face more specific climate-related ISMS risks tied to their industry (such as energy production or agriculture) or to factors such as their geographic location.
How Does ISO/IEC 27001 Address Climate Change?
The ISO/IEC 27001 standard adds two references to climate change within Clause 4, “Context of the Organization.” Clause 4.1 (Understanding the Organisation and its Context) adds a sentence reading “The organisation shall determine whether climate change is a relevant issue.” Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) adds the sentence “Relevant interested parties can have requirements related to climate change.”
The changes are designed to help organizations address several climate-related risks to their ISMS and its operations. If, for instance, a severe weather event such as a windstorm or flooding affects an organization’s data center, the availability of its systems and data can be disrupted.
Similarly, vendor or supply chain disruptions following climate-related events could affect an organization’s ability to maintain an ISMS and its performance. Customers may also have concerns about whether a climate-related disruption to a service organization can affect their operations.
How Should Companies Alter Risk Assessments?
To comply with the revised standard, organizations need to consider whether climate change can affect their ISMS, and whether they’ve implemented controls or other measures to address climate-related risks. For many organizations without material climate exposures, this can be addressed with language similar to:
“The organization acknowledges the potential impact of climate change on its operations and has considered these risks in the context of its Information Security Management System (ISMS). While no specific mitigation actions are committed at this stage, the organization remains aware of climate-related factors that may affect its business environment.”
Organizations should also consider addressing climate risk with policy statements in their Management System’s risk assessment documentation. Management should include language stating that it has considered the impact of climate risk on the ISMS and whether that risk meets the threshold for mitigation. (If it does, the organization should outline the mitigation measures it has taken.)
If an organization has more than one ISO/IEC Management System, it needs to conduct separate climate risk assessments for each one.
To learn more about ISO 27001 certification and its valuable role in helping your organization protect its systems and information, contact us.