Is climate change an information security topic?
Climate change in ISO 27001
On February 22nd, the ISO (International Standard Organization) published, jointly with the IAF (International Accreditation Forum), a press release on the addition of climate change considerations to management system standards.
On the next day, this publication was followed by updates of numerous standards, including ISO 27001, dedicated to information security, which is now supplemented by two mentions concerning climate change:
- Article 4.1, which deals with understanding the context of the organization, and requires that internal and external factors be considered in the company’s security, now concludes with “The organization shall determine whether climate change is a relevant issue.”
- Article 4.2, which requires that the expectations of interested parties be considered by the management system, now states that “Relevant interested parties can have requirements related to climate change.”
The international organisation’s desire to include environmental issues into their standards appear to be an adaptation to the challenges of the moment. It is indeed imperative to address them, but should we stop there?
There are two ways of dealing with the subject.
Reacting to change
First, the reactive way. We are facing significant and uncertain climate changes that are likely to change our habits, our way of life and our constraints in the years to come. The main idea of these articles is to try and deal with these changes, to anticipate, to include these changes our threat models, and address them during our risk analysis exercises.
The risks are indeed multiple, especially on the physical side:
- Increased risk of fire or disruption of electrical supply equipment, due to the increase of the global temperature
- Increased risk of natural disasters (fires, but also floods, large-scale weather events
- Hindrance to people’s mobility due to climatic events and increased energy costs
Modern needs, which are increasingly “digital”, also lead to an increasing need for energy and natural resources, fuelling these risks instead of reducing them.
The 100% Cloud architecture of Memority (both the Memority platform offered to customers and our internal information system), multi-region, enables the management of some of these problems. On the one hand, by ensuring active/passive high availability across several European regions, reducing the risks induced by climate change. On the other hand, by relying on the competence and qualification of datacentre operators in terms of energy optimisation management and climate events anticipation.
Finally, the Article 4.2 requires the consideration of our customers’ requirements concerning climate change. As they have always been, Memority’s teams listen to our customers’ needs in terms of resilience.
Companies will certainly be able to address the norm’s recommendations this way, but couldn’t we take an opportunity to go further?
Preventing change
The second way to deal with this subject is the preventive way. It is the challenge of our time and the generations to come: how can we change our posture and no longer settle with belated and insufficient reactions to climate change? How can we ensure that we control the climate impact of our activity? How do we ensure survival, in a nutshell? Unfortunately, I can’t pretend to answer these questions, but I want to work on them the best I can.
A reasonable and reasoned platform
Having been a CISO in a very large company, having been a consultant in others, I have witnessed how expensive identity and access management can be, not only in terms of time but also in terms of material resources, and therefore energy.
At Memority, we mutualize and offer our skills and qualifications to help our clients as well. The 100% Cloud infrastructure and the software architecture organized in micro-services allows for optimized resource pooling and avoids hardware oversizing, while keeping agility and flexibility in case of upscaling. Memority’s multi-tenant architecture at the application level allows us to accommodate all our customers on the same physical infrastructure, which is sized in accordance to the load generated by all customers. This architecture also helps reducing IT actions and therefore resources consumption. Therefore, a version upgrade is conducted on the platform for all customers simultaneously, unlike single-tenant architectures where the servers are dedicated and require a version upgrade for each client.
Recently, we have met a prospect company who manages on premise the equivalent of half of all Memority servers. Welcoming them to our platform would not induce the deployment of any new server/service on Memority’s side, while having the benefit of removing all the servers they use.
In a fragile climate context, our offer is coherent, integrated, and efficient. We don’t even deploy a single appliance on our customers’ premises!
Avoiding waste, optimising resources, that’s already a first step.
The principles of safety, simplification, and control of one’s environment are fully aligned with the principles of energy frugality.
A European and French position
Assuming choices of European and even French sovereignty, when choosing our partnerships and suppliers, is not only a matter of data protection but also of commitment to the climate. Not unlike the logic of local food supply, using a local agent implies a shorter communication infrastructure, fewer intermediary servers, fewer resources and smaller risk exposure.
We are also fortunate to operate in a country where electricity production is particularly carbon-free.
In information security, when we’re talking about decreasing the attack surface, we are also talking about a decrease in the consumed resources. Here as well, security and climate concerns are working in the same direction.
Influencing capabilities
Finally, the addition of these two sentences to the ISO 27001 norm gives us leverage to act with our ISO 27001 certified suppliers, so that they too take the climate considerations more into account.
In Conclusion
It is up to each of us to try to work positively, with our own means. At Memority, we are committed to ensuring that information security and resource optimization go hand in hand in the face of climate changes, within our perimeter, and that our customers benefit from this.
We can now also rejoice that ISO and IAF have taken this first step in the right direction, with a direct positive impact on our business!
-> To find out more about the benefits of the Memority platform: click here
