Climate Change
This summer was exceptionally hot in Hungary, but how does this relate to information security?
In February this year, ISO published an amendment to the ISO 27001 standard that requires organizations to consider climate change in their ISMS.
Why the ISMS?
The requirements introduced by the amendment belong to the body text of the standard (Section 4). To support management system integration, the latest editions of all ISO management system standards share the same body structure, and most of the wording of the management system framework requirements documented there is the same. This means the added requirement is not unique to the ISMS; it was added to all other ISO management system standards as well, in their respective amendment documents.
Is this a suggestion or a requirement?
This is a requirement that must be complied with. But – like any other requirement – it must be addressed in a way that fits the size and business of the organization. Climate change represents a more realistic risk than, for example, an ant invasion, but in rare cases even that must be considered. And in the medium term, climate change will influence every organization, while several organizations may in turn influence climate change.
Many certification bodies have notified their clients of the appearance of this new requirement. Compliance with this requirement must be documented (mostly in the management system manual, if it exists).
Is this another 10-minute task to deal with?
Well, in many cases yes, but it may depend on a few factors. If your site is on a riverbank where flooding may become an issue or your infrastructure may be influenced by severe storms, you may need to add this to your risk assessment and consider strengthening your DRP/BCP. Should statutory requirements apply to your organization regarding climate protection, you may add this to the list of legal requirements (A5.31). The list of interested parties may also be reviewed.
04/09/2024