
ISO 27001 Amendment 1: Climate Change

27kay

ISO 27001:2022 Amendment 1 adds two sentences to the standard - one to Clause 4.1 and one to Clause 4.2. Both relate to climate change. If you are already running a well-structured ISMS with a proper organizational context and interested parties analysis, the practical impact is minimal. But you still need to address it explicitly.

What Amendment 1 actually changes

ISO/IEC 27001:2022/Amd 1:2024, published in February 2024, makes two changes to the standard:

Clause 4.1 addition: “The organization shall determine whether climate change is a relevant issue.”

This is added to the existing requirement to identify external and internal issues relevant to the ISMS. It does not mandate that climate change is relevant to every organization. It requires that you consider the question and document your determination.

Clause 4.2 addition: A note stating that relevant interested parties can have requirements related to climate change.

This is a non-normative note - it does not create a new requirement. It serves as a reminder that when you analyze interested parties’ needs and expectations, some of those expectations may include climate-related considerations.

That is the full extent of the amendment. No new controls in Annex A. No changes to clauses 5 through 10. No new documentation requirements beyond what 4.1 and 4.2 already demand.

Why ISO added climate change to a security standard

This amendment is part of ISO’s broader commitment under the London Declaration, adopted in 2021. ISO committed to integrating climate change considerations into all management system standards - ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (occupational health), and ISO 27001 alike.

The rationale is straightforward: climate change creates physical and transitional risks that can affect any management system, including information security. A flooded data center is a confidentiality, integrity, and availability event. Energy grid instability affects system uptime. Changing regulations around environmental reporting can create new compliance obligations.

Whether these risks are material to your specific organization is exactly the question Amendment 1 asks you to answer.

What you need to do

If climate change is relevant to your organization

For organizations where climate factors genuinely affect information security - data centers in flood-prone areas, operations in regions with extreme heat affecting cooling infrastructure, supply chains dependent on climate-sensitive logistics - the implementation steps are:

  1. Document climate as a relevant external issue in your Clause 4.1 context analysis. Describe which climate factors apply and why.
  2. Identify climate-related interested party requirements under Clause 4.2. Customers, regulators, or insurers may have expectations around climate resilience. Regulatory frameworks like the EU’s Corporate Sustainability Reporting Directive (CSRD) may create obligations.
  3. Feed climate risks into your risk assessment under Clause 6.1. Evaluate the likelihood and impact of climate-related threats to your information assets. A data center in a flood zone needs different treatment than a fully cloud-based operation.
  4. Address climate risks in your risk treatment plan. This might mean geographic redundancy, enhanced cooling systems, business continuity planning for climate events, or supplier diversification.
  5. Review Annex A controls for climate relevance. Controls around physical security (A.7), business continuity (A.5.30), and redundancy (A.8.14) may need climate-specific considerations in your Statement of Applicability.

If climate change is not relevant

For many organizations - a fully remote SaaS company with cloud-hosted infrastructure, for example - climate change may not be a material factor for information security. The cloud provider bears the physical infrastructure risks, and the organization’s ISMS scope may not extend to facilities management.

In this case, the implementation is simpler:

  1. Document your determination in the Clause 4.1 context analysis. State that you considered climate change and determined it is not a relevant issue for your ISMS, with a brief rationale.
  2. Note the consideration in your Clause 4.2 analysis. Confirm that no interested parties have climate-related requirements that affect information security.

The key is that you explicitly address the question. Silence is not compliance. An auditor needs to see evidence that you considered climate change - even if your conclusion is that it does not materially affect your ISMS.

Impact on existing certifications

Organizations certified to ISO 27001:2022 need to have incorporated Amendment 1 by their next surveillance or recertification audit. The transition is straightforward because the changes are narrow:

  • Update your Clause 4.1 context analysis to include a climate change determination
  • Review your Clause 4.2 interested parties analysis for climate-related requirements
  • If climate risks are identified, ensure they flow through to your risk assessment and treatment

Most certification bodies started checking for Amendment 1 compliance during surveillance audits from mid-2024 onward. If you have not updated your context analysis yet, do it before your next audit.

For organizations still transitioning from ISO 27001:2013 to 2022, Amendment 1 is included automatically - the current version of the standard incorporates the amendment.

What auditors check

Explicit determination. Auditors check whether your Clause 4.1 analysis addresses climate change. They do not need a lengthy climate risk report. They need evidence that you asked the question and documented your answer.

Logical reasoning. If you determine climate change is not relevant, auditors assess whether that conclusion makes sense for your context. A manufacturing company with on-premises data centers in a coastal city claiming climate is irrelevant will face follow-up questions.

Risk integration. If you determine climate change is relevant, auditors check whether those risks appear in your risk assessment and treatment plan. Acknowledging climate as relevant in 4.1 but having no climate-related risks in your 6.1 assessment is inconsistent.

Interested party alignment. Auditors may check whether your customers, regulators, or other interested parties have climate-related expectations and whether those are captured in your 4.2 analysis.

Common mistakes to avoid

Ignoring the amendment entirely. This is the most common issue, especially among organizations that view climate change as unrelated to information security. The standard now explicitly requires you to consider it. Skipping the question creates a nonconformity.

Over-engineering the response. Some organizations commission extensive climate risk studies or add dozens of climate-specific controls. For most ISMS implementations, a paragraph in the Clause 4.1 context analysis and a line in the 4.2 interested parties table is sufficient. Match the effort to the relevance.

Treating it as a one-time exercise. Climate relevance can change. New facilities, new regulations, changed supply chains, or new customer requirements can shift your determination. Review it as part of your regular management review cycle, the same way you review other contextual factors.

Confusing ISO 27001 with ISO 14001. Amendment 1 does not turn ISO 27001 into an environmental management standard. You are not being asked to measure carbon emissions, set sustainability targets, or implement environmental controls. You are being asked whether climate change affects your information security and to document that assessment.

How 27kay can help

We help organizations integrate Amendment 1 requirements into their existing ISMS without over-engineering the response. As part of ISO 27001 implementation and surveillance preparation, we update the context analysis, assess climate relevance, and ensure the determination flows correctly through to the risk assessment. For the full picture, see our ISO 27001 knowledge hub.

Not sure how to handle Amendment 1 before your next audit? Get in touch - we will review your context analysis and make sure the climate change determination is documented correctly.