As a result of the commitment to address climate change stated in ISO's London Declaration, ISO (International Organization for Standardization) and the IAF (International Accreditation Forum) have amended Chapter 4 of the Harmonized Framework (Appendix 2 of Annex SL in the ISO/IEC Directives Part 1, Consolidated ISO Supplement). More information can be found on the ISO and IAF websites.
ISO 27001 (Information Security Management Systems) is one of several standards covered by this amendment. What should be considered in an Information Security Management System according to ISO 27001?
There is no standardized approach to climate change considerations in an ISO 27001 Information Security Management System (ISMS). However, we share as a reference part of the text taken from a White Paper developed by the partners of the IQNET Association, of which APCER is a member representing Portugal.
These considerations are not sufficient on their own, nor are they considered complete; they are merely identified as the most likely to be analyzed by organizations:
Physical security and infrastructure: Climate change can lead to more frequent and severe weather phenomena, such as floods, storms or forest fires, which can physically threaten an IT infrastructure. Additional considerations may therefore be needed to protect physical assets against these environmental threats.
Disaster recovery and business continuity: Risks related to environmental disasters may require more robust disaster recovery and business continuity planning. If certified organizations consider this significant, the ISMS should incorporate strategies for maintaining information security in the event of disruptions caused by climate-related disasters.
Supply chain security: Climate change can disrupt supply chains, including those for computer hardware and services. Where appropriate, the ISMS must take these risks into account, ensuring that information security is not compromised by supply chain vulnerabilities.
Energy management and efficiency: In response to climate change, there is a growing emphasis on energy efficiency and sustainability in IT operations. This can include the use of green data centers, energy-efficient hardware and sustainable IT practices.
Regulatory compliance and reporting: With an increasing focus on sustainability and environmental impact, new regulations and requirements related to climate change may emerge. Certified organizations must ensure compliance with these regulations, especially those that have implications for data management and security.
Data center location and design: The choice of data center location and design can be influenced by climate change considerations, such as areas less prone to natural disasters or designs that minimize environmental impact while ensuring security and availability.
Other Climate Change considerations that all organizations certified to the management system standards covered by this amendment should consider
Certified organizations, regardless of the sector of activity in which they operate and the type and scope of the management system, may need to review and adapt other processes and consider other issues in order to better address and accommodate changes in context, evolving requirements and stakeholder needs, as well as new risks arising from climate change.
Training and awareness: An effective management approach and sound practices in the context of climate change require informed and aware people. Certified organizations may need to include training programs that convey climate-related challenges and changes to their employees, ensuring that they understand the evolving nature of the related risks and their own responsibilities.
Engagement and communication with stakeholders: Engagement with stakeholders on climate-related compliance issues is crucial. Certified organizations should facilitate communication and engagement with stakeholders, including investors, customers, regulatory bodies and the community, on how the organization addresses climate-related compliance issues.
Monitoring and continuous improvement: Given the dynamic nature of climate change and its impacts, certified organizations must be able to monitor and continuously improve. This ensures that the organization can adapt its strategies in response to new information, regulations and best practices related to climate change.
Innovative solutions for greater resilience: Organizations may need to invest in innovative solutions to strengthen resilience in the face of climate-induced challenges and risks, and thus contribute to better performance and effectiveness.
Long-term strategic planning: Organizations must consider long-term trends and contextual issues, including those related to climate change. This enables strategic planning that aligns with global sustainability goals and climate change mitigation efforts.
Reputation and brand value: Organizations that do not address climate change risks or adopt sustainable practices may suffer in terms of reputation and brand value, as consumers and investors increasingly value sustainability. For some organizations, public perception can also be critical: those that fail to take adequate measures to combat or adapt to climate change may suffer reputational damage, which can have a direct impact on customer loyalty and brand value.
Insurance and risk management: The increased frequency and severity of weather phenomena can lead to higher insurance premiums. For organizations with significant physical assets, or those operating in high-risk areas, this can represent a substantial financial burden.
Identifying new opportunities: Organizations can also look for opportunities arising from the transition to a greener economy, such as the development of new products or services, efficiency improvements and access to new markets.