ISO 14001: The Standard That Doesn’t Know What a Modern Business Looks Like
I recently completed training to deliver ISO 14001:2026 — the international standard for environmental management systems. I want to be upfront about why I did it, and equally upfront about why it’s not a space I intend to make a feature of my practice.
I was working with a client operating in a sector where ISO 14001 certification is increasingly expected. Not because the standard obviously fits their business model — it doesn’t, and I’ll explain why — but because the procurement landscape demands it. So I got qualified to help them. That’s what a good consultant does.
But the experience left me with a nagging question that I think deserves an honest airing: who, exactly, is this standard written for?
Built for Factories, Applied to Laptops
ISO 14001 was conceived at a time when “environmental management” meant managing physical things — emissions from manufacturing processes, waste from production lines, fuel from fleets of vehicles, chemical use on site. The framework made enormous sense for that world. It still does, for companies that operate in it.
The 2026 revision, published in April this year, has doubled down on that framing. It strengthens requirements around lifecycle thinking, biodiversity, climate-related risks, and supply chain environmental impact. All perfectly reasonable ambitions for a chemical manufacturer or a logistics provider. Less obviously applicable to a company whose primary infrastructure is a cloud platform and whose environmental footprint is largely made up of staff commuting and the energy consumption of data centres they don’t own and can’t meaningfully influence.
The standard talks extensively about demonstrating “control or influence” over environmental impacts across the value chain. But what does that look like when your entire technical operation runs on AWS? You can point to their sustainability commitments. You can note that your chosen cloud region runs on renewable energy. Beyond that, your influence is theoretical at best.
I’m not saying that doesn’t matter. I’m saying there’s a significant gap between what the standard assumes you can demonstrate and what a digitally-native, asset-light business can credibly document.
The Echo Chamber Problem
If you go looking for critical commentary on the 2026 revision, you’ll struggle to find it. That’s not because there are no legitimate concerns — it’s because almost everything written about ISO 14001 is produced by certification bodies, training providers, and consultancies who have a commercial interest in its adoption. The coverage is relentlessly positive. Words like “strategic upgrade” and “competitive advantage” appear with striking regularity.
Nobody in that ecosystem is going to write a piece that says “actually, for your type of business, this standard may deliver very little value at considerable cost.” That’s not cynicism — it’s just how markets work. Which is exactly why independent voices matter.
The Certification Trap
Here’s the uncomfortable dynamic I observed: organisations pursue ISO 14001 not because they’ve concluded it will improve their environmental performance, but because their sector has quietly decided it’s a threshold requirement. It appears on tender frameworks. It’s referenced in due diligence questionnaires. It becomes something you have to have, regardless of whether it makes operational sense for your specific context.
That’s not necessarily wrong — markets have always used standards as proxies for trustworthiness, and there is genuine value in that signalling function. But when the standard being used as a proxy was designed for a fundamentally different type of organisation, something has gone awry. The certification becomes an exercise in creative interpretation rather than genuine environmental management.
Auditors know this. Implementation consultants know this. In my experience, the better ones will tell you quietly, even if they won’t shout it from the rooftops.
The Gap in the Market: Where’s the Cyber Essentials for Environmental Risk?
This is where I think the real opportunity lies, and I’m surprised nobody has properly seized it.
Cast your mind back to where cyber security was fifteen years ago. Large organisations had frameworks — ISO 27001, various government schemes — but for small and medium-sized businesses, the bar was either nothing or an expensive, disproportionate certification process. Then Cyber Essentials arrived: a proportionate, accessible, government-backed scheme that asked the right questions for the right audience. It wasn’t perfect. It wasn’t ISO 27001. But it was honest about what it was trying to achieve and who it was trying to reach, and it filled a genuine need.
Environmental management needs exactly that. A tiered, proportionate framework that distinguishes between a polymer manufacturer and a twenty-person software company. Something that asks meaningful questions for each — the former about emissions, waste, and resource use; the latter about supply chain transparency, device energy use, business travel policy, and cloud provider sustainability credentials. Something that can be achieved without a twelve-month implementation project and a certification body that sees your sector for the first time.
The absence of that framework is why we end up with asset-light digital businesses contorting themselves to meet requirements written for an entirely different kind of operation. It’s not good for the businesses, it’s not good for the credibility of the standard, and it arguably doesn’t do much for the environment either.
So Where Does That Leave ISO 14001?
It leaves it as a genuinely useful standard — for the organisations it was designed for. If you have physical operations, a manufacturing process, a fleet, significant waste streams, or meaningful direct environmental impact, ISO 14001 is a serious and worthwhile framework. The 2026 revision, for all my reservations about its scope creep, has strengthened some genuinely important areas.
But if your operations are primarily digital, your environmental footprint is indirect, and your interest in the standard is driven by procurement rather than operational need — go in with clear eyes. Understand what you’re buying. Make sure your implementation reflects your actual context rather than a compliance performance.
And perhaps start asking louder questions about why there isn’t something better designed for businesses like yours.
—
Helen Molyneux is the founder of Cambridge Risk Solutions, an independent resilience consultancy specialising in business continuity, crisis management, and information security. She holds Lead Auditor certifications for ISO 22301 and ISO 27001.
