New standard requirement - Consideration of climate impacts and adaptation in management systems using the example of ISO/IEC 27001

Natural events and natural disasters such as forest fires, floods and hail not only affect our private lives, but also have an impact on companies. The members of the IAF/ISO recognise this and are calling for climate adaptation and climate impacts to be taken into account in almost all management systems from the start of 2024. The Joint Communique was published for this purpose.

What does this mean for ISO-certified companies?

• Climate targets and climate impacts must be taken into account in corporate policy.
• New stakeholders can be added, for example the fire brigade for flood protection.
• The catalogue of requirements must be supplemented by new laws (Energy Transition Act) or requirements from private law contracts (e.g. customers demand climate-neutral process chains).
• The risk assessment must be updated to include natural events and disasters such as hail, storms, tornadoes, floods and forest fires that can have an impact on processes and systems.
• The management assessment must include climate targets and climate impacts.

Climate-related topics with an impact on information security

Taking climate-related changes into account harbours opportunities and risks for companies. If these are taken into account, companies can position themselves more securely for the future.

With their own energy supply, companies can protect themselves against energy shortages. They can rely on wind energy in windy locations or set up a photovoltaic system in sunny locations, thereby securing their own energy supply and reducing energy costs. Applied to the requirements of ISO/IEC 27001, this means more security for maintaining your own processes in the event of power shortages.

Structural measures can reduce the building's energy consumption on the one hand and eliminate weak points in the building on the other. For example, large ventilation shafts can be secured against unauthorised entry and sealed at the same time and a heat recovery system can be installed. A planned drainage system can protect the building from water ingress by reducing the amount of sealed surfaces, separate drainage of wastewater and rainwater and multiple backflow protection devices in the sewerage system. If there is a risk of water ingress, technical and server rooms should not be located in the basement but on a higher floor. These measures have a positive effect on physical building protection in accordance with ISO/IEC 27001.

If a company operates energy-intensive systems, such as a data centre, energy consumption and costs can be reduced by using waste heat. The waste heat can be used to heat the company's own buildings or even fed into local and district heating networks if it is generated in large quantities. This has a positive effect on the climate and financial balance sheet.

In terms of sustainability, the reuse of appliances can be specified. Functional but discarded devices such as laptops and smartphones belonging to employees who have left the company can be returned to the IT pool after refurbishment. This multiple use of mobile devices conserves resources, but entails additional tasks for the ISMS. The refurbished devices must be state of the art and supported by updates. It must be ensured that all data and rights are irrevocably deleted in the event of a change of ownership. Data that is to be reused later must be stored separately. However, storing data consumes energy, which is why sensible erasure concepts, as required by the GDPR and ISO/IEC 27001, must be established. This saves resources and energy.

When companies address the issue of sustainability, they quickly realise that savings can easily be made in the area of business travel. However, travelling and working on public transport, such as trains, requires a mobile working policy. Here, the use of privacy screens on mobile devices should be regulated and awareness of "eavesdropping" on conversations should be raised. If car sharing or a company vehicle pool is used, regulations for the ISMS must also be established. Devices installed in the vehicle, such as navigation systems or hands-free kits, can store personal data and also be available to subsequent users of the vehicle. It must therefore be ensured that every employee can delete all relevant information stored by the vehicle or that the vehicle does not receive this information in the first place, for example by providing every user with a mobile navigation device.

Climate-related disasters also have an impact on the availability of resources such as raw materials, products and personnel. Supply bottlenecks can become impassable due to flooded transport routes, forest fires or low water levels. For the same reasons, delivery delays can occur in your own company, jeopardising project and company goals. Therefore, a geographical spread of suppliers and the availability of different transport routes should be checked. At the same time, transport routes should be kept as short as possible, as the longer the route, the higher the risk of several natural disasters occurring at the same time. People can also be affected by natural disasters. For example, access roads or railway lines may be blocked in the event of flooding, preventing employees from getting to work. In addition, employees who work on a voluntary basis in the event of a disaster may be absent for several days. For this reason, employees should inform their superiors if they are working on a voluntary basis in the event of a disaster so that they can be double-staffed if necessary.

What can we expect?

Companies with one or more management systems must consider climate protection and climate adaptation individually for each system, as each management system has a different focus on the new aspects. Companies that are certified according to ISO 14000 or EMAS must also implement the new aspects in their management systems. If the aspects of climate adaptation and climate impacts are not implemented in the management systems, this can lead to a significant deviation and thus to the withdrawal or suspension of the certificate.

adesso supports the implementation of the new requirements with a wealth of experience and cross-industry expertise. You can find more information about our services on our website.

Would you like to find out more about exciting topics from the adesso world? Then take a look at our previous blog post.