Information security and environmental resilience are no longer separate conversations. ISO’s latest update, released just this month, makes that clear.

When most people think about information security, they think about cyber threats like hackers, ransomware, insider risk, and data breaches. Increasingly, that’s only part of the picture.

This month, ISO and IEC published the sixth edition of ISO/IEC 27000, the foundational document for the ISO 27000 family of information security standards. While the update is largely structural, there’s one change that stands out. It reinforces something many organizations haven’t fully connected yet: information security and environmental resilience are becoming part of the same conversation.

The shift worth paying attention to

Information security has always accounted for physical threats. Fire, flooding, power loss, and facility disruptions have long been considered risks to information assets.

The latest revision expands that perspective. Alongside those traditional physical risks, the standard now explicitly references climate change and the broader environmental conditions that can impact facilities, infrastructure, and the systems organizations depend on. It also introduces the idea that environmental and societal responsibility should sit among the principles underpinning an effective information security management system.

That isn’t happening in isolation. In 2024, ISO amended ISO/IEC 27001, the certifiable standard organizations build their ISMS around, to require organizations to consider climate change and environmental conditions as part of understanding the context in which they operate. The 2026 revision to ISO/IEC 27000 is essentially the conceptual framework catching up.

Put those together, and the physical environment your information systems depend on is now part of the information security conversation.

Why this matters for Greenplaces customers

For organizations already investing in sustainability, resilience, or environmental risk management, this isn’t a brand-new capability. You’ve already been thinking about environmental exposure. What’s changing is that your security and compliance obligations are beginning to point in the same direction.

Think about what happens when:

  • A heat wave takes a cloud region or data center offline.
  • Flooding impacts a facility storing critical records.
  • Severe weather disrupts power, telecommunications, or key suppliers.
  • An extreme event interrupts business operations for days.

Historically, we’d label these as business continuity or disaster recovery issues. Today, they’re increasingly viewed as information security risks, because the confidentiality, integrity, and availability of your data ultimately rely on physical infrastructure that environmental conditions can disrupt.

If your organization already understands environmental risk, applying that same lens to your information systems is a much smaller leap than many realize, and it’s one many organizations haven’t made yet.

What organizations should do now

There’s no reason to overhaul your security program simply because an overview standard was updated. There are, however, a few practical steps worth taking.

Treat environmental risk as a real input. Incorporate environmental and physical risks into your next information security risk assessment as meaningful inputs rather than edge cases. Ask where critical systems reside, what infrastructure they depend on, and how those systems would perform under the same environmental scenarios your operations teams are already planning for.

Make your ISO 27001 context genuine. If you’re pursuing or maintaining ISO 27001 certification, make sure your organizational context genuinely reflects your environmental and physical operating conditions. Auditors are increasingly looking for evidence that this evaluation was genuine rather than a box ticked to satisfy a requirement.

Bring both disciplines under one roof. When environmental risk sits with one provider and information security with another, you end up evaluating the same operational risks twice through different lenses. Housing both under one roof keeps those views connected and closes the gaps that open up when they’re handled separately.

The bigger picture

The sixth edition of ISO/IEC 27000 probably won’t generate headlines. But direction matters.

Environmental resilience isn’t the only area where information security standards are evolving. ISO is also expanding guidance around responsible AI governance through ISO/IEC 42001 and developing new standards focused on securing AI systems themselves.

The broader trend is hard to miss. The definition of information security is expanding beyond traditional cybersecurity controls, out to the physical environments our systems operate in and the emerging technologies we increasingly depend on.

Organizations that already take environmental resilience seriously and are building thoughtful AI governance programs aren’t starting from scratch. They’re well positioned to lead while others are still catching up.

One roof for both

This is exactly where Greenplaces brings both disciplines under one roof. We help organizations run sustainability, resilience, trust, and compliance as one connected program, so environmental risk, ISO 27001 readiness, and AI governance strengthen each other instead of living in separate systems with separate owners. The convergence these standards are pointing toward is the program we already build with our customers.

This latest ISO update reinforces that reality. The organizations that recognize the convergence now will be far better prepared for where the standards, and customer expectations, are heading next.

Ready to align your security and sustainability programs?

Contact Greenplaces today for a demo and see how we connect ISO 27001 readiness, AI governance, and environmental risk in one program.

About the Author

Amanda Grady is Solutions Lead for Trust Services at GreenPlaces. She brings over a decade of experience in the technology assurance space at a Big 4 accounting firm, where she helped organizations build and prove out their internal IT controls. She holds a degree in Information Systems Management. Whether the work is SOC 2 readiness, ISO 27001 certification, or AI governance, Amanda’s focus stays the same: building programs that hold up to real scrutiny.

Ready to streamline your emissions reporting and compliance readiness?