ISO Climate Change Amendments – What Do They Mean?

 

It’s generally accepted now that man-made climate change is an issue (although in some quarters the debate still rages) and in the last few weeks ISO has taken steps to include it explicitly within the text of its most popular management system standards. On 23 February 2024 ISO published a set of “Climate Action Amendments” which make very slight changes to the standards to support a commitment made by ISO back in 2021 called the “London Declaration”. You could be forgiven for hoping that climate change itself proceeds at the same glacial pace as the ISO publication process.

What Are the Changes?

The changes are essentially amendments to the Annex SL text, which is used for all such management system standards, so as well as affecting current standards they will also appear in all future standards (in fact the new ISO42001 AI standard already has them).

There are two changes:

  1. A new sentence is added to Clause 4.1 (Understanding the organization and its context) that says:

“The organization shall determine whether climate change is a relevant issue.”

  2. A new note is added to Clause 4.2 (Understanding the needs and expectations of interested parties) that says:

“NOTE: Relevant interested parties can have requirements related to climate change.”

The Joint Communique from the IAF (International Accreditation Forum) and ISO makes it clear firstly that notes are not requirements anyway and also that there is already a requirement to consider internal and external issues within the existing text of the standards, so they are hoping that certified organizations have already thought about climate change. But if they haven’t, then now it’s an explicit requirement to do so.

Note however that the new requirement doesn’t obligate the organization to actually do anything about climate change, just to consider its impacts.

What Needs to be Done?

If your organization is certified or is working towards certification then you will need to ensure that you consider what the impact of climate change could be on your management system and its ability to achieve its intended results. This might lead to some more interested parties being identified perhaps (such as local environmental groups or the United Nations) and additional risks being added to your risk assessment, as well as a reconsideration of the likelihood of some existing ones.

The United Nations identifies the following possible effects of climate change:

  • Hotter temperatures
  • More severe storms
  • Increased drought
  • A warming, rising ocean
  • Loss of species
  • Not enough food
  • More health risks
  • Poverty and displacement

For most organizations it’s probably not hard to think of potential impacts on the management system (be it quality, environmental, business continuity or information security and privacy) if even one of these effects came to pass.

If you decide to take it further, there is an existing standard that deals with this topic at length – ISO 14090:2019 Adaptation to climate change — Principles, requirements and guidelines.

Is This a New Version of the Standard?

These changes are minor, so they have been issued by ISO in the form of a set of amendments which can be downloaded free of charge from the ISO website. Don’t expect much, however; they are very brief and simply state what the changes are.

So the versions of the current standards stay the same for now, for example ISO9001:2015, ISO/IEC 27001:2022 and ISO14001:2015, and they won’t be republished with the amendments included until a whole new version comes out.

How Long Will We Get to Do This?

We haven’t seen any announcements from certification bodies such as BSI on this yet, so the assumption is that the new requirement will take effect at your next scheduled surveillance audit, or at your certification audit if that hasn’t happened yet. If that is soon we would be surprised if a certification auditor would raise a nonconformity for not having addressed this requirement, but it will certainly be mentioned and looked at next time.

Will CertiKit Be Updating its Toolkits?

We will be updating our Enhanced Gap Assessments to include the additional wording as soon as possible, and the new requirement will be incorporated in each of our Toolkits at their next scheduled update.

In Summary

Unless we humans do something drastic about it (which is not looking likely) then climate change will be here to stay and at least these minor changes from ISO are a very small step in the right direction. For a certified organization (or one working towards it) the changes are not big, but hopefully they will stimulate more discussion about an issue that has the potential to affect all of us.

 

Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).

