Climate Change and ISO 27001: The February 2024 Amendment Nobody Told You About
In February 2024, ISO published Amendment 1 to ISO/IEC 27001:2022, adding climate change to the standard: Clause 4.1 now requires you to determine whether climate change is a relevant issue for your ISMS, and Clause 4.2 notes that interested parties can have climate-related requirements. It was a coordinated change across roughly 31 management system standards, not an ISO 27001-specific rewrite. You don't need recertification — per the IAF/ISO joint communiqué, the amendment is picked up at your next audit — and you're allowed to conclude climate change is not relevant, as long as you can show you genuinely considered it. For most companies this means a documented paragraph in the context analysis, a look at climate-driven availability and physical risks in the risk assessment, and a line in the management review. An hour or two of honest work — but skipping it entirely is now a nonconformity.
If your company is ISO 27001 certified — or working toward it — the standard you're being audited against changed in February 2024, and there's a good chance nobody told you. Not a new version, not a transition period, no headlines: a one-page amendment, published simultaneously across dozens of ISO management system standards, that added two sentences about climate change.
Two sentences that contain the word "shall." Which, in ISO language, means auditable.
What actually changed
In February 2024, ISO published Amendment 1 to ISO/IEC 27001:2022. It touches exactly two places, both in Clause 4 ("Context of the organization"):
- Clause 4.1 (Understanding the organization and its context) gains a new requirement: the organization shall determine whether climate change is a relevant issue.
- Clause 4.2 (Understanding the needs and expectations of interested parties) gains a note: relevant interested parties can have requirements related to climate change.
That's the entire amendment. The standard is still ISO/IEC 27001:2022 — you don't buy a new edition, and there's no version migration like the 2013→2022 transition. But the requirement in 4.1 is a genuine "shall," which means an auditor can raise a nonconformity if you can't show you addressed it.
Why an information security standard suddenly cares about the climate
This wasn't an ISO 27001 decision. Following ISO's London Declaration commitment on climate action, ISO rolled the same two changes out as a coordinated amendment across roughly 31 management system standards at once — ISO 9001 (quality), ISO 14001 (environmental), ISO 22301 (business continuity), ISO 27001, and the rest of the harmonized-structure family. The intent, spelled out in the joint IAF/ISO communiqué that accompanied the amendment, is that every management system should consider whether climate change affects its ability to achieve its intended results.
So if you also hold ISO 9001 or ISO 22301, the same amendment applies there too — and you can handle them with one analysis.
The part that matters: "determine whether" — not "declare that"
Read Clause 4.1's new sentence carefully. It doesn't say climate change is a relevant issue for your ISMS. It says you shall determine whether it is. Those are very different obligations:
- You are required to consider climate change in your context analysis and reach a documented conclusion.
- You are fully allowed to conclude it is not relevant — a five-person SaaS company running entirely on a hyperscaler cloud can plausibly reach that conclusion for many risk categories.
- What you cannot do is have nothing: no mention, no rationale, no evidence the question was ever asked. That's the nonconformity.
Per the IAF/ISO joint communiqué, existing certificates remain valid and no recertification or re-audit is required because of the amendment. It gets picked up in the normal cycle: your next surveillance audit, recertification, or initial certification will simply include it. Auditors have had it in their checklists since 2024 — which is exactly why it's worth handling before they ask, not after.
Is climate change actually relevant to an ISMS?
More often than the two-sentence amendment suggests. Information security is confidentiality, integrity, and availability — and availability is where climate shows up. Places to look honestly:
- Availability and business continuity. Extreme weather affecting data centers, office infrastructure, or power supply feeds directly into ICT readiness for business continuity (control A.5.30). If your region has seen flooding, heatwaves that strain cooling, or grid instability, that belongs in the risk assessment.
- Physical security (A.7). The physical and environmental controls in Annex A already contemplate natural threats — the amendment just asks whether the assumptions behind them still hold.
- Supply chain. Your cloud provider, your co-location facility, your internet providers: their climate exposure is your availability risk. For most startups this is the honest answer to "where would climate actually hit us."
- Interested parties (the 4.2 note). Enterprise customers with ESG procurement requirements, EU customers in scope of CSRD reporting, investors with sustainability mandates — if any of them impose climate-related expectations on you, Clause 4.2 wants that recorded.
What to actually do (it's an hour or two, honestly)
This is one of the rare compliance changes where the proportionate response really is small:
- Update your context-of-the-organization document (the Clause 4.1 analysis) with a short section: did we consider climate change, what did we conclude, and why. A paragraph is fine if the reasoning is real.
- Reflect the conclusion in the risk assessment. If relevant: add the climate-driven risks (availability, physical, supply chain) with treatment decisions. If not relevant: the documented rationale in the context analysis is your evidence.
- Check your interested-parties analysis for climate-related requirements from customers, regulators, or investors, and record any you find.
- Mention it in the next management review, so there's a dated record that leadership saw the conclusion.
What auditors will ask for
The evidence set is correspondingly modest: the updated context analysis showing climate change was considered, the risk register entries (or the documented not-relevant rationale), the interested-parties record, and ideally the management review minutes referencing it. That's it. This is Clause 4 territory — the management-system clauses where, in our experience, most ISO 27001 audit trouble actually starts — so the artifacts live in your ISMS documentation, not in your infrastructure.
If you're preparing for an audit cycle, fold this into your internal audit checklist now: verifying the climate consideration exists takes an auditor thirty seconds, and it's exactly the kind of easy finding they open with.
The bottom line
Amendment 1:2024 is the smallest change ISO 27001 has seen — and the easiest nonconformity to avoid. You're not being asked to become an environmental company; you're being asked to spend an hour determining, honestly and on paper, whether climate change affects your security posture. Most content about ISO 27001 was written before February 2024 and never mentions it. Now you know.
Frequently asked questions
Does the ISO 27001 climate change amendment require recertification? +
No. According to the joint IAF/ISO communiqué that accompanied Amendment 1:2024, existing ISO 27001 certificates remain valid and no re-audit or recertification is triggered by the amendment. The new requirement is simply picked up in your normal audit cycle: your next surveillance audit, recertification audit, or initial certification will include a check that your organization determined whether climate change is a relevant issue (Clause 4.1) and considered climate-related requirements of interested parties (Clause 4.2). The practical implication is to update your context analysis before that next audit rather than waiting for the finding.
What exactly did Amendment 1:2024 change in ISO 27001? +
Amendment 1 to ISO/IEC 27001:2022, published in February 2024, makes exactly two changes, both in Clause 4 ("Context of the organization"). Clause 4.1 gains a new requirement: the organization shall determine whether climate change is a relevant issue. Clause 4.2 gains a note stating that relevant interested parties can have requirements related to climate change. Nothing else changes — no new controls in Annex A, no new edition of the standard, and no transition period. Because the 4.1 addition uses "shall," it is auditable: an organization with no evidence of having considered climate change can receive a nonconformity.
Can we conclude that climate change is not relevant to our ISMS? +
Yes. Clause 4.1 as amended requires you to determine whether climate change is a relevant issue — not to declare that it is. A small SaaS company running entirely on hyperscaler cloud infrastructure can legitimately conclude that climate change is not a material issue for many of its risk categories. What the amendment does not allow is silence: you need documented evidence that the question was genuinely considered — typically a short section in your context-of-the-organization analysis stating what you evaluated (availability, physical, supply-chain, and interested-party angles) and why you reached your conclusion. A defensible "not relevant, and here's why" passes an audit; an absent answer is a nonconformity.
Which other ISO standards received the 2024 climate change amendment? +
The climate change amendment was a coordinated change across roughly 31 ISO management system standards, published simultaneously in February 2024 as part of ISO's London Declaration commitment on climate action. The same two additions — the Clause 4.1 "shall determine whether climate change is a relevant issue" requirement and the Clause 4.2 interested-parties note — went into ISO 9001 (quality), ISO 14001 (environmental), ISO 22301 (business continuity), ISO 45001 (occupational health and safety), ISO/IEC 27001, and the rest of the harmonized-structure family. If your organization holds multiple certifications, one climate-consideration analysis can serve all of them, provided each management system's context documentation references the conclusion.
What evidence do auditors expect for the ISO 27001 climate change requirement? +
The evidence set is small and lives in your ISMS documentation, not your infrastructure. Auditors typically look for: (1) an updated context-of-the-organization analysis (Clause 4.1) showing climate change was considered and what was concluded; (2) risk register entries for any climate-driven risks you identified — availability, physical security, or supply-chain exposure — or, if you concluded climate change is not relevant, the documented rationale; (3) an interested-parties record (Clause 4.2) noting any climate-related requirements from customers, regulators, or investors; and (4) ideally, management review minutes showing leadership saw the conclusion. Verifying this takes an auditor minutes, which is why it's one of the easiest findings to prevent.