Climate change in the ISO 27001 standard
On February 22, the ISO (International Organization for Standardization) and the IAF (International Accreditation Forum) issued a joint statement on the inclusion of climate change in their management system standards.
This was followed the very next day by updates to a number of standards, including ISO 27001, dedicated to information security, which now includes two references to climate change:
- Clause 4.1, concerning understanding the organization's context, and requiring internal and external factors to be taken into account in developing enterprise security, now ends with "The organization shall determine whether there are any issues arising from climate change."
- Clause 4.2, requiring the management system to take into account the expectations of interested parties, now mentions that "Relevant interested parties may have requirements relating to climate change."
The willingness of these international organizations to integrate environmental issues into their standards seems to be an adaptation to the issues of the moment, and it's essential to respond to them, but should we stop there?
There are two ways of approaching the subject.
Reacting to change
Firstly, a reactive approach. We are facing major, uncertain climatic changes that are likely to upset our habits, our lifestyles and our constraints in the years to come. The main idea of these clauses is to try to cope with them, to anticipate them, and to include these changes among the probable threats during our risk analysis exercises. The risks are indeed multiple, particularly on the physical side:
- Increased risk of fire or breakdown of electricity supply equipment, due to rising temperatures.
- Increased risk of natural disasters (fire, but also floods and large-scale storms).
- Reduced mobility due to climatic disruptions and rising energy costs.
Modern needs, with their increasing reliance on digitalization, are also leading to a growing need for energy and natural resources, fuelling these risks rather than reducing them.
At Memority, a multi-region, 100% Cloud architecture (whether for the Memority platform offered to customers or for our internal information system) addresses some of these issues. First, it ensures high active/passive availability across several European regions, thus reducing the risks induced by climate change. Second, it relies on the skills and qualifications of datacenter operators to optimize energy management and take account of climatic events.
Finally, Clause 4.2 asks us to take into account our customers' requirements in the face of climate change. As they have always been, Memority's teams are ready to listen to their customers for all their resilience needs.
Companies will be able to address the standard's recommendations in this way, but isn't this an opportunity to go further?
Preventing change
The second way of approaching this subject is preventively. This is the challenge of our time and of future generations: how can we change our posture and no longer be content with belated and insufficient reactions to climate change? How can we ensure that we control the climatic impact of our activity? How, quite simply, can we ensure our survival? Unfortunately, I can't pretend to answer these questions, but I want to work on them as best I can.
A reasonable and reasoned platform
Having been a CISO in a very large company, and a consultant in others, I've seen just how costly identity and access management can be, not only in time but also in material resources, and therefore in energy.
At Memority, we pool our skills and qualifications to help our customers. The 100% Cloud infrastructure and the software architecture organized in microservices enable optimized pooling of resources and avoid hardware oversizing, while maintaining agility and flexibility when scaling is required. Memority's multi-tenant application architecture enables us to host all our customers on the same physical infrastructure, which is sized according to the load generated by all our customers. This architecture also makes it possible to reduce IT actions, and therefore resource consumption. The platform is upgraded for all customers simultaneously, unlike single-tenant architectures where servers are dedicated and require upgrades for each customer.
Recently, we met a prospect who was single-handedly maintaining the equivalent of half of all Memority servers. Welcoming him onto our platform would mean deploying no new servers or services on Memority, and would have the benefit of eliminating all the servers he uses.
In a fragile climate, our offer is coherent, integrated and efficient. We don't even deploy appliances on our customers' premises!
Avoiding waste and optimizing resources is the first step.
The principles of security, simplification and environmental control are fully aligned with the principles of energy frugality.
European and French positioning
In addition, adopting European and even French sovereignty in the choice of our partnerships and suppliers is not only a matter of data protection, but also of commitment to the climate. Like the logic of short food supply chains, using a local player implies a shorter communications infrastructure, fewer intermediate servers, fewer resources and less exposure to risk.
What's more, we're fortunate enough to operate in a country where electricity production is particularly carbon-free.
When we talk about reducing the attack surface in terms of security, we are also talking about a reduction in the resources consumed. Here too, security and climate concerns work in the same direction.
Influential capabilities
Finally, the addition of these two phrases to the ISO 27001 standard gives us leverage to influence our ISO 27001-certified suppliers, so that they too take greater account of the climate aspect.
In conclusion
It's up to each and every one of us to try and make a difference, using our own resources. At Memority, we are committed to combining security and optimization of resources in the face of climate-related challenges within our perimeter, and to passing on the benefits to our customers.
We can now also rejoice that ISO and IAF have taken this first step in the right direction, with a direct positive impact on our business!



