ISO 27001:2022 Amendment 1 – Absolutely Everything You Need to Know

In this article I lay bare the changes made to the ISO 27001 standard in 2024 by ISO 27001:2022 Amendment 1 Climate Action Changes.

You will learn

  • What is ISO 27001:2022 Amendment 1
  • How to implement ISO 27001:2022 Amendment 1 Climate Action Changes 
  • What is new in ISO 27001:2022 Amendment 1 Climate Action Changes

What is ISO/IEC 27001:2022?

ISO 27001 is the international standard for information security. It specifies the requirements for an Information Security Management System (ISMS), and a successful audit against it results in ISO 27001 certification. ISO/IEC 27001:2022 is the much-anticipated update to the standard, released in 2022.

Officially it is called: ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information Security Management Systems Requirements

What is ISO/IEC 27001:2022 Amendment 1?

ISO 27001 Amendment 1 is a change to the ISO 27001 standard that introduces requirements on climate change into the information security management system. It is officially known as ISO/IEC 27001:2022 Amendment 1 Climate Action Changes.

What has changed in the new ISO/IEC 27001:2022 Amendment?

The change is the addition of requirements on climate change to the ISO 27001 standard. The amendment consists of two additions to the standard's text, summarised below.

The following sentence is added at the end of the sub-clause on the organisation's context:

The organisation shall determine whether climate change is a relevant issue.

The following note is added at the end of the sub-clause on interested parties:

NOTE 2 Relevant interested parties can have requirements related to climate change.

What do I need to know about the new amendment to ISO 27001?

You need to know that there is no need to panic: no significant work has been introduced, unless you want there to be. This is not an actual evolution of the information security management system (ISMS). The main focus is on introducing the climate change agenda to standards, whether or not it is relevant to those standards.

What should I do for the new version of ISO 27001?

If climate change is already on your agenda then you are already covering this and there is nothing additional to do. If it is not, the following is the suggested approach.

Update the context of the organisation document to include a line stating that climate change was reviewed and it was concluded that climate change is not a relevant risk to you or to the information security management system. This is the easiest and quickest way to meet the requirement.

If it is a relevant risk to you, add it to the risk register and manage it through risk management.

In addition, ask interested parties whether climate change is relevant to them and, if so, in what way, so that you can include their requirements in your information security management system implementation. Be prepared, when speaking to external ISO 27001 certification auditors, to state that you asked them and that it was not relevant (ideally), or that it was relevant and what you did about it.

The top 3 Mistakes People make with the new ISO 27001:2022 Amendment 1

1. Overthinking it

You can do as much or as little as you need to and should not overthink it. Stating that it is not a relevant risk, and that you asked interested parties and they had no requirements, is enough. If climate change is on your agenda then you are already handling and implementing this through other standards and initiatives.

2. Paying consultants to work out the impact

Paying consultants to tell you that nothing has fundamentally changed is a big mistake. The amendment is literally a couple of lines long, and I have told you what it says.

3. Thinking climate change relates to an information security management system

Parking any politics or agenda, I leave it to you to work out whether climate change has an impact, in risk terms, on an information security management system (ISMS).

ISO/IEC 27001:2022 Amendment 1 Release Date

ISO/IEC 27001:2022 Amendment 1 Climate Action Changes was released in February 2024.
