ISO/IEC 27001:2022 – October 2025 Deadline: Have You Considered the Environmental Requirement?

June 11, 2025

ISO27001:2022 Audit Readiness

As we edge closer to the 31 October 2025 deadline for transitioning from ISO/IEC 27001:2013 to the 2022 version, many organisations are rightly focusing on updated controls and audit readiness.


But here’s a crucial question often overlooked:

Have you considered the environmental requirement introduced in the latest standard?


In February 2024, ISO released Amendment 1 to ISO/IEC 27001:2022. It formally integrates climate change considerations into your ISMS requirements. While this isn’t about sustainability reporting or carbon tracking, it is a pivotal shift in how we view information security resilience.


What’s Changed?

Two key clauses now require you to factor in climate risk:


  • Clause 4.1 – Context of the Organization:

You must evaluate whether climate change is a relevant issue for your ISMS.

  • Clause 4.2 – Needs and Expectations of Interested Parties:


You need to assess whether your clients, regulators, or partners have environmental or climate-related concerns that could affect information security.


This “comply or justify” approach means you must document your consideration, even if you determine climate is not relevant.

Practical Implications


If climate change is relevant to your context (e.g. physical risks to data centres, impact on energy infrastructure), you'll need to:


  • Include climate risks in your risk register
  • Update your business continuity plans
  • Strengthen Annex A.7.5 controls (physical/environmental security)
  • Discuss environmental relevance during management review
  • Be prepared to show evidence during your transition audit


Your ISO/IEC 27001:2022 Climate Compliance Checklist


  • Consider climate change in Clause 4.1
  • Review interested party requirements under Clause 4.2
  • Integrate climate-related risks and mitigations
  • Review fire/flood/electrical risk under Annex A
  • Prepare documentation for external audit


Final Thoughts

You don’t need to be a climate expert to comply. But you do need to treat climate change like any other risk, evaluate it, record your position, and take steps if needed.


At Cybergen, we help organisations not only prepare for the ISO/IEC 27001:2022 transition but navigate emerging requirements like this with confidence.

ISO27001 Ready? Find Your Compliance Gaps Before Auditors Do


Don’t wait for an audit to uncover gaps in your ISMS. Our ISO27001 specialists help you identify nonconformities, strengthen documentation, and align with the 2022 standard, including the latest environmental requirements.


Get ahead of the audit, contact us today for an ISO27001 readiness assessment.

Ready to strengthen your security compliance and get audit ready?  Contact us today for more information on our ISO Consultancy Services.


Let's get protecting your business


Blue shield with a padlock icon in a digital background with binary code, representing cybersecurity.

From Compliance-Driven Security to Intelligence-Led Defence

February 23, 2026
Why compliance-driven security fails in 2026. Learn how attackers exploit identity and attack paths, and how intelligence-led penetration testing reduces real cyber risk
Woman presenting AI concept on screen, pointing with a laptop. Blue tones, glowing

How AI Is Transforming Cyber Attacks in 2026, And What CISOs Must Do About It

February 21, 2026
How AI is transforming cyber attacks in 2026, from deepfake phishing to adaptive malware — and what CISOs must do now to reduce risk and strengthen resilience.
Laptop with a fingerprint scan graphic overlaid, symbolizing secure access.

Why Penetration Testing Fails (and What Good Looks Like in 2026)

February 17, 2026
Why traditional penetration testing fails in 2026, and what effective, risk-driven testing really looks like. Discover how to move beyond CVSS scores and vulnerability lists to attacker-focused attack paths, identity compromise, lateral movement, and measurable risk reduction that actually improves security outcomes.
Person wearing VR headset, text

The Future of Cybersecurity: Navigating the Evolving Threat Landscape in 2026 and Beyond

February 11, 2026
Explore the future of cybersecurity in 2026. Discover emerging threats, evolving attack methods, and how organisations can stay resilient in a changing threat landscape.
Man looking at a digital interface with holographic building model, graphs, and code overlays, indoors.

What Cybergen’s Threat Intelligence Reveals About How Attacks Really Start

February 11, 2026
Cyber threat intelligence reveals how modern ransomware attacks really start: credential abuse, trusted access, and quiet pre-positioning long before impact.
Red and blue digital graphic with the word

If Someone Compromised One of Your Employees Tomorrow, How Far Could They Get?

February 5, 2026
CREST pen testing reveals what really happens after initial compromise. Learn how attackers escalate privileges, move laterally, and how testing exposes real risk.
Notepad++ code editor window with C++ code and Notepad++ logo with a gecko.

Notepad++ Update Infrastructure Hijacked in Targeted Supply Chain Attack

February 3, 2026
Notepad++ update infrastructure was hijacked in a targeted supply-chain attack. Learn what happened, who was behind it, and why it matters.
Hand holding magnifying glass over digital warning sign on screen.

Your Risk Register Isn’t Your Risk: Why “High Severity” Vulnerabilities Keep Getting Ignored (and Exploited)

February 1, 2026
High-severity vulnerabilities don’t equal real cyber risk. Learn why CVSS-driven risk registers fail, how attackers exploit exposure, and how CTEM reduces real-world risk.
Hand touching a glowing security shield interface with a binary code background.

Cybersecurity in 2026: Why Strong Controls Still Fail, and How Threat-Led Security Closes the Gap

February 1, 2026
Breaches persist despite audits and investment. Learn how threat-led security turns cyber activity into prioritised risk reduction with threat intelligence, MDR and CTEM.