The world of ISO standards is set for exciting changes in 2025 and beyond, with updates to several key standards that impact industries worldwide.
2024 was a big year for ISO, especially with the appointment of Filiz Elmas-Arslan, Head of Strategic Development for Artificial Intelligence (AI) at DIN, as an ISO Fellow. This appointment is about driving forward international AI standardisation, which will likely lead to a bigger focus on ISO’s standards related to managing AI risks (such as ISO/IEC 42001:2023), integrating these standards into the wider landscape of management systems and risk standards.
In addition, we’ve seen a stronger focus on Environmental, Social, and Governance (ESG) principles. In February 2024, updates around climate change were introduced to management systems standards (MSS), and ISO continues to grow their focus on Environmental, Social and Governance (ESG) principles. This focus is reflected in the release of IWA 48:2024 – Framework for implementing ESG principles.
Looking ahead, ISO 9001, ISO 45001, ISO 31000, and ISO 22000 have started their review processes, but they’re all at different stages of development. ISO 14001 will see some amendments, though it won’t undergo a complete revision. On the flip side, ISO/IEC 27001 and ISO 22301 aren’t currently under review, but their respective technical committees are actively working on multiple projects related to these standards.
ISO 9001 – Quality management systems
The review of ISO 9001 is ongoing, currently at the committee draft (CD) stage. Initially, the revised standard was expected to be released by December 2025, but due to some changes in the Working Group and extensive discussions, it has been pushed back to an anticipated date of September 2026.
Here’s what we’re expecting:
- Additional requirements related to climate change are expected to be incorporated, continuing the work started with the February 2024 amendment.
- Updates will reflect changes to the Harmonised Structure for MSS and results from ISO’s 2020 Customer Survey.
- We’re expecting CD2 in early 2025 for more review, with the Draft International Standard (DIS) likely coming in July 2025. Review and discussion are expected through to March 2026, with the Final DIS (FDIS) released in April 2026 with discussion and voting expected until June 2026.
- The update isn’t expected to be a major rewrite of ISO 9001 but aims to adapt it to the current business environment. Key areas of focus will include organisational resilience, supply chain management, change management, sustainability, product quality, and delivery reliability. More guidance will be provided on risk and opportunity management (clause 6.1), organisational knowledge (clause 7.1.6), and planning of changes (clause 6.3).
- The revisions will also consider the UN’s Sustainable Development Goals (SDGs) and ISO’s commitments to embed these into their standards, which are outlined in ISO/UNDP PAS 53002:2024.
ISO 14001 – Environmental management systems
With the growing importance of ESG, ISO 14001 is being reviewed for a significant amendment (AMD 2), likely arriving in late 2025. While the changes will be considered an amendment rather than a full revision, they will still be quite substantial.
Here’s a preview:
- Expect a stronger focus on adopting a life cycle perspective when identifying and assessing an organisation’s aspects and associated impacts. We expect the language will shift from “consider a life cycle perspective” to something more directive.
- There will also be a deeper focus on greenhouse gas emissions and climate change adaptation, although it won’t go as far as ISO 14090 – Adaptation to Climate Change.
- ISO 14001 will align more closely with the revised Harmonised Structure, including the addition of clause 6.3 Planning of Changes to ensure management system changes are properly managed and that they consider how to maintain the integrity of the management system, the availability of resources for the change, and the allocation or reallocation of responsibilities and authorities to ensure that changes are carried out effectively.
- Terminology updates are coming too, such as replacing “outsourcing” with “externally provided,” further aligning ISO 14001 with ISO 9001.
UPDATE – ISO released the draft amendments on 4 February 2025, introducing several key changes:
- Updates to the introductory sections clarify the standard’s intent and emphasise the growing importance of effective environmental management in influencing other operational areas, such as financial performance and health and safety objectives.
- Restructuring of Clause 6.1 (Actions to address risks and opportunities): Provides additional clarification on identifying and assessing risks and opportunities affecting the EMS, their relation to environmental aspects and impacts, and the environmental impact of emergency situations. A new draft note in Clause 6.1.2 (Environmental aspects) offers further guidance on considering a life cycle perspective.
- New Clause 6.1.4 (Risks and opportunities): Requirements previously in Clause 6.1.1 are now moved here. Additionally, Clause 6.1.4 (Planning action) is renumbered as Clause 6.1.5.
- Addition of Clause 6.3 (Planning and managing changes): Aligns with the harmonised structure and guides organisations in implementing EMS changes in a planned manner.
- Restructure of Clause 9.3 (Management review): Now includes distinct clauses for management review inputs (9.3.2) and management review outputs (9.3.3).
- Restructure of Clause 10:
- Clause 10.2 (Nonconformity and corrective action) becomes Clause 10.1.
- Clause 10.3 (Continual improvement) becomes Clause 10.2, incorporating some requirements from the original Clause 10.1.
- Language adjustments: The majority of changes in the draft amendment relate to small changes in language, such as:
- “Maintained as documented information” is now “be available as documented information.”
- “Fulfil its compliance obligations” is now “meet its compliance obligations.”
Additional refinements are included to enhance clarity and consistency throughout the standard.
The draft is open for comments until 28 April 2025.
ISO 45001 – Occupational Health and Safety management systems
An approved proposal to revise ISO 45001 is in the early drafting stages by the Technical Committee. While specific details are scarce, the revision may include:
- Updates to align with the revised Harmonised Structure, especially incorporating the ‘Planning of Changes’ clause (6.3). This change, similar to the update to ISO 14001, will require organisations to ensure that changes to the management system are implemented in a planned and controlled manner and that they consider how to maintain the integrity of the management system, the availability of resources for the change, and the allocation or reallocation of responsibilities and authorities to ensure that changes are carried out effectively. This is different to ISO 45001:2018’s clause 8.1.4 Management of change, which focuses more on changes to the organisation’s operations that do or may impact the health and safety of workers.
- Changes in terminology, including potentially shifting from “outsourcing” to “externally provided” and updating clause 6.1.3 from “Legal requirements and other requirements” to “compliance obligations” to align ISO 45001 with other MSS.
- There may be further updates regarding risk and opportunities, as well as change management to clarify the intent of each of these clauses.
- Another area of potential focus includes the calibration of monitoring and measuring equipment, which have minimal specification in ISO 45001:2018’s Monitoring, measurement, analysis and evaluation clause (clause 9.1). While this has not been confirmed by the Technical Committee, we expect it may align more with the level of detail included within ISO 9001’s clause 7.1.5 Monitoring and measuring resources.
- We may also see further updates to ISO’s commitments in relation to the UN SDGs. This may include additional requirements for organisations to consider the health and safety implications of climate change related matters on their workers, such as the impacts of rising temperature or weather events (also, see updates on ISO/AWI PAS 45007 below).
- There also may be increased requirements in the revision on psychological health and safety and the management of psychosocial risks, incorporating some of the guidance already provided in ISO 45003 to a Type A or certifiable standard. This may also include additional consideration of diversity characteristics, aligned with ISO’s further commitments around diversity and inclusion, and the ability of health and safety management systems to improve health and wellbeing, rather than focusing primarily on harm minimisation.
The full release of ISO 45001’s updated version is not expected until at least late 2027.
Other updates to standards in the 45000 series include:
- ISO/AWI PAS 45007 – Occupational Health and Safety Management – OH&S risks from climate change and climate action is in the early stages of development. A new project has been registered to create a working draft of the standard for further review, development, and discussion by the technical committee and working group. The standard is expected to provide guidance to organisations for assessing and managing the risks associated with climate change to workers.
- ISO/WD 45008.2 – Occupational health and safety management – Guidelines for remote working has had its second working draft study initiated and is open to comments from the working group and technical committee. The standard is intended to provide guidance for organisations with remote workers to promote their health and safety, as well as work-life balance. It is intended for those workers that perform remote work on a recurring basis (e.g., fly in fly out workers, sustained work from home arrangements, etc.), rather than ad hoc offsite work or business trips.
- ISO/CD 45010 – Menstruation, menstrual health, and menopause in the workplace – Guidance is currently at the committee draft stage, with comments on the current CD having closed in November 2024. The standard will provide guidance on developing policies and practices that are supportive of the menstruation, menstrual health and peri/menopause experiences of employees in the workplace. If the comments from the previous round are accepted by the working group, the CD should be approved for registration as a DIS and continue development.
There are no currently published release timeframes for these three standards from ISO.
ISO 22301 – Business Continuity management systems
Since ISO 22301 Security and resilience – Business Continuity management systems – Requirements was most recently revised in 2019, no further update or revision has been announced. However, the security and resilience technical committee (ISO/TC 292) is developing supporting standards and guidelines in the 22300 series which are at different stages, from an approved work item through to draft international standards. Here’s some of what’s in the pipeline:
- ISO/WD 22316 Security and resilience – Organisational resilience – Guidelines is an update to the 2016 revision of ISO 22316 and aims to provide industry- and organisation-agnostic guidance to enhance organisational resilience to threats and disruptive events.
- ISO/WD 22333 Security and resilience — Business continuity management — Guidance on business continuity management system (BCMS) processes will provide a process reference model (PRM) for a business continuity management system aligned with ISO 22301, which will meet the criteria defined in ISO/IEC 33004 for process reference models and further supports the implementation of ISO 22301:2019.
- ISO/CD 22354 Security and resilience — Community resilience — Guidelines to develop a local resilience capability to enhance societal resilience to disruption will provide guidelines aimed at local government on establishing and managing cross-sector partnerships for societal resilience to disruptions arising from major emergencies, disasters, or crises.
- ISO/DIS 22366 Security and resilience — Community resilience — Framework and principles for energy resilience will outline a framework for energy resilience that is aligned with the terminology of ISO 22300. It will outline the organisational attributes for an energy supply chain required to achieve energy resilience for communities and build on the concept of energy resilience for organisations to reduce any unexpected adverse impacts on an energy supply chain.
- ISO/DIS 22372 Security and resilience — Community resilience — Guidelines for resilient infrastructure will provide guidance for developing, implementing, monitoring and improving infrastructure resilience to help ensure the continuity and effective outcomes of critical services.
ISO/IEC 27001 – Information Security management systems
Having been updated in 2022, ISO/IEC 27001 is the most recently updated standard we regularly train in. There are no current announcements for a revision of ISO/IEC 27001, beyond the climate change amendment in February 2024. Typically, following the release of a standard, its next review will be in 5 years, so we expect that the earliest that ISO/IEC 27001 will enter its next formal review period will be in late 2027.
This doesn’t mean that the technical committee (ISO/IEC JTC 1/SC27) will just be twiddling their thumbs until the review! They’re an extremely active technical committee, and currently have almost 70 standards and guidelines in various stages of development. Many of the standards are very technical in nature or relate to specific information security controls, and we certainly won’t list them all here, but some of the key ones in development include:
- ISO/IWC AWI 27003 Information technology — Security techniques — Information security management systems — Guidance has been approved to be registered as a work programme to update the guidance provided in ISO 27003:2013 to align with the updated requirements and controls of ISO/IEC 27001:2022 and ISO/IEC 27002:2022. ISO/IEC CD 27000 Information technology — Security techniques — Information security management systems — Overview and vocabulary is also under review.
- ISO/IEC WD 27004 Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation is at the working draft stage and will update the guidance provided in its 2016 version to align to the 2022 requirements of ISO/IEC 27001 and ISO/IEC 27002. Many other standards within the 27000 series (e.g., 27008.2, 27017, 27018, 27024, 27028, and 27031) are in a similar boat.
- ISO/IEC DIS 15408-1 through 15408-5 Information security, cybersecurity and privacy protection — Evaluation criteria for IT security will revise the 2022 versions of the series and provide guidance to assist organisations to effectively evaluate IT security and the security properties of IT products and will be further supported by ISO/IEC DIS 18045.
- ISO/IEC DIS 19896-1 through 19896-3 Information security, cybersecurity and privacy protection — Requirements for the competence of IT security conformance assessment body personnel revises the 2018 version of the ISO 19896 series, and will provide conformity assessment bodies (a.k.a., certification bodies) with an updated set of competency requirements for the auditors and other personnel involved with undertaking information security audits to ISO/IEC 27001:2022.
ISO 22000 – Food Safety management systems
A work item has been approved to review and revise ISO 22000, with ISO/AWI 22000. Little is currently known about this revision; however, it will likely align its terminology and requirements with the revised Harmonised Structure. There have been updates in recent years to the Codex Alimentarius, published by the Food and Agriculture Organisation and Work Health Organisation of the United Nations which have increased the focus on an organisation’s food safety culture, so we may see these updates also reflected in ISO/AWI 22000.
Additional standards for food safety overseen by ISO/TC 34/SC 17 are also under review and at the Draft International Standard stage and include the various standards which provide guidance on prerequisite programmes on food safety, including for food manufacturing, catering, food packaging manufacturing, transport and storage, feed and animal food production, retail and wholesale, and requirements common for food, feed, and packaging supply chain. Further updates are expected to bring ISO 22000 in line with evolving global food safety trends, including a stronger focus on food safety culture.
ISO 31000 – Risk Management
When ISO 31000 was reviewed in 2023, it was confirmed at the time there was no plan to review or revise the standard. However, ISO revised this decision in October 2024 and have approved a work programme for the technical committee to commence a review and update of ISO 31000 with ISO/AWI 31000. There is no known timeframe for when we should expect the update to ISO 31000 to be released, however given how early it is in development, a release before late 2027 is unlikely.
An important distinction between ISO 31000 and the MSS discussed above is that ISO 31000 does not provide requirements for a risk management system, but rather guidance on the principles, framework, and processes needed to manage risk that can be embedded and integrated within other management systems, and so it is not aligned with the Harmonised Structure.
And that’s a wrap!
The world of standards is evolving rapidly. ISO has plenty on their agenda for 2025 (and beyond) to ensure they stay up to date with advancements both in technology and society. Stay tuned for further updates as the revisions and new standards become closer to being published.
Let us know which updates you’re most excited about, and if you want to get ahead of the curve, enrol in our training today!
The ISO standards review is typically a 7-step process:
- Preliminary stage: Determines whether a revision or review of the standard is required
- Proposal Stage (AWI – Approved Work Item): A new standard or revision proposal is approved, and work officially begins.
- Preparatory Stage (WD – Working Draft): Initial drafts are prepared by the working group, which includes experts from relevant industries.
- Committee Stage (CD – Committee Draft): The draft is reviewed by the committee members, and feedback is collected to refine the standard.
- Enquiry Stage (DIS – Draft International Standard): The refined draft is shared for public enquiry, allowing ISO members to comment and vote.
- Approval Stage (FDIS – Final Draft International Standard): The final draft is prepared after addressing all comments from the DIS stage. It undergoes a final vote.
- Publication Stage: The standard is published as an official ISO standard after successful approval.
Glossary:
- AWI (Approved Work Item): The stage where a new standard or revision proposal is formally approved.
- WD (Working Draft): The initial drafts developed by the working group.
- CD (Committee Draft): A version reviewed by the committee, open for comments.
- DIS (Draft International Standard): A draft available for public comment and voting.
- FDIS (Final Draft International Standard): The final draft prepared for the last voting round before publication.
This article was updated on 5 February to include the key changes outlined in ISO 14001:2015/DAmd 2.