Introduction
On 22 February 2024, the International Accreditation Forum (IAF) and the International Organization for Standardization (ISO) published a joint communiqué to highlight the publication of Climate Action Amendments to new and existing ISO management systems standards.
What are the Climate Change Amendments
The following have been added to the Management System Standard:
4.1 Understanding the organization and its context.
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its XXX management system.
Added: The organization shall determine whether climate change is a relevant issue.
4.2 Understanding the needs and expectations of interested parties.
The organization shall determine:
• the interested parties that are relevant to the XXX management system.
• the relevant requirements of these interested parties.
• which of these requirements will be addressed through the XXX management system.
Added: NOTE: Relevant interested parties can have requirements related to climate change.
Expectations on Certified Organisations
Certified organisations should ensure that they have considered Climate Change aspects and risks within the development, maintenance, and effectiveness of their own management system(s).
Climate Change, along with other issues, should be determined as relevant or not and if so, considered within an evaluation of risk, within the scope of the management systems standards. Where an organisation operates more than one management system (for example Information Security Management System and Quality Management System), it should ensure that Climate Change, if determined to be relevant, is considered within the scope of each management system standard.
It is noted that some climate change aspects and risks may be of a general nature, independent of the applicable management system scope or the industry (e.g. when related to regulatory compliance or operational adaptability and organizational resilience), while others will be specifically indexed to the requirements of the management system standards, to specific industries (e.g. energy production, agriculture and fisheries) and to characteristics of the organization (e.g. geographical location, nature of its supply-chain or workforce dynamics).
Amended Management System Standard
The following amended management system standards are related to CyberSecurity Malaysia’s Management System Certification (MSC) scheme:
ISO/IEC 27001:2022
Information security, cybersecurity and privacy protection — Information security management systems — Requirements
ISO 22301:2019
Security and resilience — Business continuity management systems — Requirements
Verification by Certification Body
CyberSecurity Malaysia will verify the implementation of the new requirements starting from 1st July 2024.