ISO and IAF add Climate Change Considerations to 31 Management Systems Standards

What are the amendments?

The amendments have been made to Clauses 4.1 and 4.2 of existing Annex SL Standards

With regard to Clause 4.1 – ‘Understanding the organisation and its context requirements’, the following requirement has been added:

• The organisation shall determine whether climate change is a relevant issue.

With regard to Clause 4.2 – ‘Understanding the needs and expectations of interested parties’, there is no additional requirement, but a note has been added to the effect:

• Note: Relevant interested parties can have requirements related to climate change.

ISO will maintain harmonisation between management system standards by amending the standard text requirements in Annex SL so that all new and updated management system standards will contain the requirement and note.  An example of this is the recently published ISO/IEC 42001:2023  ‘Information technology. Artificial intelligence. Management system’ Standard, which already includes these amendments.  

Which standards have been amended?

A total of 31 existing Annex SL management system standards have been amended including:

• ISO 9001:2015 - Quality management systems — Requirements
• ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements
• ISO 14001:2015 - Environmental management systems — Requirements with guidance for use
• ISO 45001:2018 - Occupational health and safety management systems — Requirements with guidance for use

The changes will also be incorporated into future Annex SL standards. As mentioned, the most recently published ISO 42001 Standard already includes these amendments.

What steps will certified organisations need to take?

The amendment will require organisations with certified management system frameworks to review information related to internal and external issues including interested parties, relevant to its business and climate change.  If an organisation has documented its context, then this will need to be updated if climate change is relevant to it.  It is not envisaged that there will be many cases where climate change is not relevant (see section below).

If a certified organisation maintains an interested parties register or similar log that outlines the needs and expectations of interested parties, this should be reviewed and updated where an interested party has a requirement related to climate change.

If following a review of these changes an organisation considers that changes to its management system are required, these should be made in line with any organisational change process as implemented.

It should be noted that as issued these changes (amendments) are now part of the requirements of the standards, although the publication year of the standard will not change and updates to the standards will go through the normal ISO amendment process.

A new certificate will not be required if the details of the certified management system, such as scope, have not changed.  

What will organisations need to ‘consider’?

In order for organisations to consider climate change, it is valuable to understand the factors which have led to ISO/IAF introducing this wide-ranging change.  A good place to start is to look at the ISO 42001 AI Standard which, as stated above, already includes the amendments to Clause 4.1 and 4.2.  Annex B of the 42001 Standard provides implementation guidance and refers to the following:

• ‘B4.5 System and computing resources’, referring to the hardware used to run the AI system.
• ‘B5.5 Assessing societal impacts of AI system’, which refers to environment sustainability, and specifically impacts on natural resources and greenhouse gas emissions due to increased power consumption.

It seems quite clear that ISO’s thinking is focused around the significant computational and storage resources employed by AI, and the resulting increased power usage, as well as increased power in supporting utilities, most notably air conditioning, and increased heat generation from both the computational resources and air conditioning systems.

Specific to AI is consideration of efficient coding.  Many organisations have over the years taken quite a blasé attitude to the efficiency of their code, considering the availability of resources being limitless.  With the much higher resource demands for AI, the need to use more efficient code is a real concern.  AI producers should therefore be giving at least as much weight to code efficiency as for secure coding.

While there is no specific control requirement within ISO 42001, organisations need to consider regulatory and legislative requirements relating to climate change, sustainability and environmental impact. Organisations will need to consider this in their dealings with regulatory and legislative bodies and need to feature this in their AI Impact Assessment (AIIA).

What about other standards, such as ISO 27001?

When looking at the impact on ISO 27001, a major climate change consideration has to be an organisation’s use of cloud service providers, which are likely to have scalable computation resource requirements similar to AI.  However, in some cases, organisations will continue to use their own computational resources.  

As such, organisations will need to consider including clauses in cloud service provider contracts regarding sustainability / climate impact, perhaps including clauses for carbon offsetting.  Similarly, on-premise organisations will need to consider this for any internal resources, so building clauses into contracts for supporting utilities such as technical space air conditioning and perhaps offsetting their own carbon footprint.

As well as having the statements to consider in Clause 4.1 and 4.2 for the ISMS, there are a range of ISO 27001:2022 Annex A controls to consider. Here are a couple of examples:

• Control 5.5 Contact with authorities (also applies to 5.36 Compliance with policies, rules and standards for information security) – organisations will need to include climate change, sustainability and environmental impact in their agenda with authorities.
• Control 5.23 Information security for use of cloud services – consideration of climate change, sustainability and environmental impact in the relationships with cloud service providers and the associated contracts.  In practice, cloud services are provided through a contract/licence/terms of use set out by the cloud service providers, with little or no room for negotiation.  Certain features, however, may be provided as ‘bolt-ons’ to varying degrees in different service levels (e.g. bronze, silver, gold).  As such, climate change, sustainability and environmental impact should feature prominently in organisations’ criteria for selecting cloud service providers and service levels or at least demonstrate that it was part of the criteria when considering providers.

There are numerous other controls (organisational, people, physical and technological) which also have a climate change dimension to them.