What if I told you that by being good at Information Security, you can help save the planet. Would you believe me? 

What if I told you that you can use some of the controls you have in ISO27001 to show that you not only care about your reputation, but you also care about our future generations?

You might think this can’t be true, and that Cybersecurity has nothing to do with the environment. However, you’d be wrong.

Allow me to explain.

Planet Vs Plastic

If you didn’t know already, you should be aware that there is a global initiative called ‘World Earth Day’, which takes place on the 22nd April. This year the theme is ‘Planet Vs Plastic’, with the official site stating that the theme “unites students, parents, businesses, governments, churches, unions, individuals, and NGOs in an unwavering commitment to call for the end of plastics for the sake of human and planetary health, demanding a 60% reduction in the production of plastics by 2040 and an ultimate goal of building a plastic-free future for generations to come.” 

Of course, this is a huge undertaking and something that we will only achieve if we all commit to playing our part.

So what can you do? Well, if you’ve already committed to a programme of information security like ISO27001:2022, then you’re in an excellent position to delve a little deeper into the controls you already have, and see how we can save your reputation AND the planet too!

A5.11 – Return of Assets

As you know, this controls requires that personnel (and other interested parties) return all the organisations assets in their possession upon change or termination of their employment, contract or agreement.

This makes perfect sense in terms of security, and financial asset management. But by returning and reusing the assets, you are doing your part to reduce your environmental impact.

A5.14 – Information Transfer

In this control you are expected to implement rules and procedures related to how information is transferred between you and other organisations.  Although you may do this in a secure way, do you do this in an environmentally friendly way? Do you use USB drives that are discarded or later disposed of in an uncontrolled manner?

What if, as part of developing your information transfer rules, you stated that the use of USB drives is not allowed? Or that if they are, they are to be returned to you for reuse for safe destruction?

A5.19 - Information security in supplier relationships

You already developed processes and procedures to manage the information security risks associated with the use of suppliers' products or services, so there must be an onboarding process for new suppliers. 

Perhaps you have developed a simple questionnaire for them to complete and asked questions about their credentials, including what their security credentials are.

But do you ask about their green credentials? What about the location of the supplier? Are you shipping in products or services from overseas, or locations that would negatively affect the environment? Are there more locally sourced suppliers you could use? Is this even a factor in your decision process? Perhaps it should be.

A5.23 - Information Security for use of Cloud Services

While we’re talking about suppliers, we can’t forget our Cloud Service providers. Now you might think that using the Cloud is an environmentally friendly service, but not all Clouds are built the same. 

You might be surprised to hear that the 'Cloud' consumes a lot of power to operate efficiently. Just think how hot your laptop or PC is after a few hours of running. Now multiply that a million times over, as servers sit in buildings the size of a football field. How much energy do you think it takes to cool them?

So what can you do? Look for Cloud providers who are taking steps to reduce their carbon emissions and footprint, for example, by signing up to the Climate Pledge. This is an initiative that was co-founded by Amazon, and encourages companies, including Cloud providers, to achieve net-zero carbon emissions by 2040.

At the time of writing, 492 organisations have signed up to the pledge, but is your Cloud provider one of those on the list? If you’re using Microsoft, or Amazon, then you’re in luck. But what if you’re not? What about the private Cloud provider you’re using? What are they doing to reduce their Cloud impact?

A7.14 - Secure disposal or re-use of equipment

We already discussed this briefly above, when you developed your processes for the return of assets when someone leaves, or changes role.  However, what happens when a device needs to be destroyed because it has come to the ‘end of life’?

Let’s be honest, many of us upgrade our devices in favour for the latest version. With promises of better cameras, more storage or faster processing, mobile phones are upgraded by many people every couple of years. But what happens to your old device? Is it destroyed or reused securely and in a way that considers the impact on the environment? 

Could you donate your old equipment to an organisation that will find a good home for it? (after it has been erased securely of course!). If you decide to have the device destroyed by a third party, how do they destroy it? Is the plastic reused? Have you checked what credentials they have? This again leads us back to how we manage our suppliers, which we discussed in ISO27001 Annex A control A5.19 (Information Security in supplier relationships).

One Final Point about Climate change.

Standards like ISO27001 help you improve your security and that’s what it’s there to do. But recently you may have received communication from your certification body about a subtle, but important change to the Information Security Management System (ISMS).

The change is to clause 4.1, Understanding the organisation and its context, which now includes the line “The organisation shall determine whether climate change is a relevant issue”.  The change continues, with clause 4.2, understanding the needs and expectations of interested parties, now including the line “Relevant interested parties can have requirements related to climate change”.

This indicates to us that ISO27001 is increasingly interested in the impact that security can have on the environment. So if the standard is moving this way, then so should you.

But by thinking a little deeper about the controls, you find that this standard can also improve quality in your products and services, and also help reduce your impact on the environment. This is a fantastic way to show continuous improvement in your compliance programme. Something which many businesses struggle to do.

By managing suppliers better, reusing laptops, mobile devices, keycards and other materials, you can help improve your security, save money and the planet too!

You are acting responsibly not only in role as a security professional, but someone who cares about the planet.

That’s got to be a goal for us all to aim for, right?

More questions?

If you’re like to know more about ISO27001 and how it can help you demonstrate your green credentials, please do get in touch. We also have an ISO27001 FAQ section on our site, and we’ve even published a book on how to implement ISO27001, “The Real Easy Guide to ISO27001” which is available on Amazon.

True to our desire to help the environment, you can order it on Kindle too.