In this definitive briefing on ISO/IEC 27001:2022 Amendment 1 Climate Change Actions, Lead Auditor Stuart Barker explains exactly what it is and the two approaches to being compliant. He shares insights on the common mistakes people make and how to future proof your information security management system (ISMS) against future changes.
Table of contents
ISO/IEC 27001:2022 Amendment 1 Climate Change Actions
ISO 27001:2022 was updated in February 2024 with Amendment 1 to include climate change considerations. This created an opportunity for consultants to generate billable hours and for organisations to over-engineer their response.
Let us explore the precise analysis of the change and the strategic, cost effective solution for compliance.
The amendment introduced two textual changes to two of the clauses.
ISO 27001 Clause 4.1 Understanding the Organisation and Its Context
Added the following sentence to the end of the sub-clause: The organisation shall determine whether climate change is a relevant issue.
ISO 27001 Clause 4.2 Understanding the Needs and Expectations of Interested Parties
Added the following note at the end of the sub-clause: NOTE 2 Relevant interested parties can have requirements related to climate change.
These additions represent a mandate but are not a fundamental evolution of the information security management system.
The main driver is the introductions of climate change across all of the ISO standards, irrespective of their direct relevance.
The required action is actually minimal and there is no need to panic as no significant work has been introduced unless you want there to be.
There are three common mistakes that people make. They are based on the simplicity of the amendment and it’s vulnerability to misinterpretation.
The first common mistake is over engineering a response. Treating the simple declaration of a requirement as a full scale sustainability project within the ISMS.
For many climate change is not a direct or relevant risk to the information security management system. For them, a formal declaration of non-relevance is a valid and compliant response.
The second mistake is gaining expensive, external help without understanding why or how that help is needed. The impact of the amendment is procedural not technical. The required changes can be addressed internally in less than one hour.
For compliance there are two paths and the response you take is dependent on the context of your organisation. Each path is valid and each path is compliant.
The first path is a declaration of non-relevance. This is the most efficient and clear approach to compliance. To implement this you
- Review: formally consider climate change within your organanisation
- Document: update the context of organisation document with a statement that confirms that climate change was reviewed and concluded to not be a relevant issue for the ISMS.
- Confirm: note that the relevant interested parties were consulted and had no requirements related to climate change.
The second path is the full integration approach. This integrates climate-related risks into the existing ISMS framework. The process to implement this is:
- Assess: conduct a risk assessment to identify specific climate related threats to information security
- Register: add identified risks to the ISMS risk register and manage them via the standard risk management process
- Align: review and update business continuity and disaster recovery plans to account for these specific climate risks
- Engage: consult with interested parties, regulators, partners to understand and document their climate related risks
Responding to this amendment is a minor task but maintaining a defensible and audit ready ISO 27001 posture is of strategic importance. By owning your compliance framework in-house you have greater control and reduced costs whilst eliminating dependence on external experts.
Having the ISO 27001 Toolkit from High Table provides the complete framework to build, manage and certify your information security management system whilst ensuring and guaranteeing you are up to date with the latest changes.
Replacing the leased model of platforms or the consultant model with an ownership model will equip your internal team with an audit verified management system at a fraction of the costs.
In conclusion, compliance is a function of precision, not panic.
ISO 27001:2022 Amendment 1 is a minor procedural update.
Resist consultant driven complexity and expense.
Analyse your context and execute one of the two strategies presented here.
ISO 27001:2022 Amendment 1 – Climate Action Changes Explained Simply | The Lead Auditor Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001:2022 Amendment 1 – Climate Action Changes. Technically referenced as ISO/IEC 27001:2022 Amendment 1 Climate Change Actions. The podcast explores what it is, why it is important and two paths to compliance. The most tactical taking less than 1 hour to implement.
ISO 27001:2022 Amendment 1 – Strategic Implementation Briefing [Auditor Explained]
In this strategic implementation briefing, Lead Auditor Stuart Barker and team do a deep dive into the introduction of ISO 27001:2022 Amendment 1 Climate Change Actions.
Further Reading
ISO 27001:2022 Amendment 1: – Absolutely Everything You Need to Know
