On 22 February 2024, the International Organization for Standardization (ISO)* and the International Accreditation Forum (IAF)* released a joint statement relating to an amendment to a total of 31 existing Annex SL management system standards (including ISO 27001, ISO 9001 and ISO 14001). The intent of the amendment is to ensure that the vital topic of Climate Change is considered by organisations in the context of the effectiveness of the management system.
What are the amendments?
The amendments have been made to Clauses 4.1 and 4.2 of existing Annex SL Standards.
With regard to Clause 4.1 – ‘Understanding the organisation and its context requirements’, the following requirement has been added:
- The organisation shall determine whether climate change is a relevant issue.
With regard to Clause 4.2 – ‘Understanding the needs and expectations of interested parties’, there is no additional requirement, but a note has been added to the effect:
- Note: Relevant interested parties can have requirements related to climate change.
ISO will maintain harmonisation between management system standards by amending the standard text requirements in Annex SL so that all new and updated management system standards will contain the requirement and note. An example of this is the recently published ISO/IEC 42001:2023 ‘Information technology. Artificial intelligence. Management system’ Standard, which already includes these amendments.
Which standards have been amended?
A total of 31 existing Annex SL management system standards have been amended including:
- ISO 9001:2015 - Quality management systems — Requirements
- ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
- ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements
- ISO 14001:2015 - Environmental management systems — Requirements with guidance for use
- ISO 45001:2018 - Occupational health and safety management systems — Requirements with guidance for use
The changes will also be incorporated into future Annex SL standards. As mentioned, the most recently published ISO 42001 Standard already includes these amendments.
What steps will certified organisations need to take?
The amendment will require organisations with certified management system frameworks to review information related to internal and external issues, including interested parties, that is relevant to their business and to climate change. If an organisation has documented its context, this will need to be updated if climate change is relevant to it. It is not envisaged that there will be many cases where climate change is not relevant (see section below).
If a certified organisation maintains an interested parties register or similar log that outlines the needs and expectations of interested parties, this should be reviewed and updated where an interested party has a requirement related to climate change.
If following a review of these changes an organisation considers that changes to its management system are required, these should be made in line with any organisational change process as implemented.
It should be noted that as issued these changes (amendments) are now part of the requirements of the standards, although the publication year of the standard will not change and updates to the standards will go through the normal ISO amendment process.
A new certificate will not be required if the details of the certified management system, such as scope, have not changed.
What will organisations need to ‘consider’?
In order for organisations to consider climate change, it is valuable to understand the factors which have led to ISO/IAF introducing this wide-ranging change. A good place to start is to look at the ISO 42001 AI Standard which, as stated above, already includes the amendments to Clauses 4.1 and 4.2. Annex B of the 42001 Standard provides implementation guidance and refers to the following:
- ‘B4.5 System and computing resources’, referring to the hardware used to run the AI system.
- ‘B5.5 Assessing societal impacts of AI system’, which refers to environment sustainability, and specifically impacts on natural resources and greenhouse gas emissions due to increased power consumption.
It seems quite clear that ISO’s thinking is focused around the significant computational and storage resources employed by AI, and the resulting increased power usage, as well as increased power in supporting utilities, most notably air conditioning, and increased heat generation from both the computational resources and air conditioning systems.
Specific to AI is the consideration of efficient coding. Over the years, many organisations have taken quite a blasé attitude to the efficiency of their code, treating computing resources as if they were limitless. With the much higher resource demands of AI, the need for more efficient code is a real concern. AI producers should therefore give at least as much weight to code efficiency as they do to secure coding.
While there is no specific control requirement within ISO 42001, organisations need to consider regulatory and legislative requirements relating to climate change, sustainability and environmental impact. Organisations will need to consider this in their dealings with regulatory and legislative bodies and need to feature this in their AI Impact Assessment (AIIA).
What about other standards, such as ISO 27001?
When looking at the impact on ISO 27001, a major climate change consideration has to be an organisation’s use of cloud service providers, which are likely to have scalable computation resource requirements similar to AI. However, in some cases, organisations will continue to use their own computational resources.
As such, organisations will need to consider including clauses in cloud service provider contracts regarding sustainability / climate impact, perhaps including clauses for carbon offsetting. Similarly, organisations running on-premise infrastructure will need to consider this for their internal resources, building clauses into contracts for supporting utilities such as technical space air conditioning and perhaps offsetting their own carbon footprint.
As well as the statements to consider in Clauses 4.1 and 4.2 for the ISMS, there are a range of ISO 27001:2022 Annex A controls to consider. Here are a couple of examples:
- Control 5.5 Contact with authorities (also applies to 5.36 Compliance with policies, rules and standards for information security) – organisations will need to include climate change, sustainability and environmental impact in their agenda with authorities.
- Control 5.23 Information security for use of cloud services – consideration of climate change, sustainability and environmental impact in the relationships with cloud service providers and the associated contracts. In practice, cloud services are provided through a contract/licence/terms of use set out by the cloud service providers, with little or no room for negotiation. Certain features, however, may be provided as ‘bolt-ons’ to varying degrees in different service levels (e.g. bronze, silver, gold). As such, climate change, sustainability and environmental impact should feature prominently in organisations’ criteria for selecting cloud service providers and service levels, or organisations should at least be able to demonstrate that it was part of the criteria when considering providers.
There are numerous other controls (organisational, people, physical and technological) which also have a climate change dimension to them.
How URM can help
URM has spent some time working with ISO 42001 and understanding how it can best be implemented, so is very familiar with the amendments and how best to address them. URM can support organisations in reviewing and considering updates to their management system documentation in line with the changed requirement and the additional note. URM can also assist in identifying potential changes that need to be made to the implementation of specific ISO 27001 controls.
* The International Accreditation Forum, Inc. (IAF) is the worldwide association of conformity assessment accreditation bodies and other bodies interested in conformity assessment in the field of management systems, and other similar programs of conformity assessment.
The International Organization for Standardization (ISO) is an independent, non-governmental, international standard development organisation composed of representatives from the national standards organisations of member countries.