
ISO 27001:2022 A.5.8 Information security in project management

This article provides additional information on how you can meet the requirement of ISO 27001:2022 control A.5.8, Information security in project management.

ISO 27001:2022 Control Description

Information security shall be integrated into project management.

Purpose

To ensure that information security risks related to projects and deliverables are effectively addressed throughout the project management life cycle.

Guidance on implementation

Information security should be embedded in project management to ensure that information security risks are managed as part of the project management process. This applies to any type of project, regardless of complexity, size, duration, discipline, or application area (e.g., projects for core business processes, ICT, facility management, or other supporting processes).

The project management approach should require that:

a) Information security risks are assessed and managed from the outset and periodically as part of project risks throughout the project life cycle;

b) Information security requirements [e.g., application security requirements (A.8.26), requirements for compliance with intellectual property rights (A.5.32), etc.] are addressed in the early stages of projects;

c) Information security risks associated with the execution of projects, such as the security of internal and external communications, are considered and managed throughout the project life cycle;

d) Progress on information security risk management is reviewed, and the effectiveness of the risk treatment is evaluated and tested.

The appropriateness of information security considerations and activities should be monitored at predefined stages by suitable individuals or governance bodies, such as the project steering committee.

Responsibilities and authorities for information security relevant to the project should be clearly defined and allocated to specific roles.

Information security requirements for the products or services delivered by the project should be determined using various methods, including deriving compliance requirements from the information security policy, topic-specific policies, and applicable regulations. Additional information security requirements can be identified through activities such as threat modelling, incident reviews, vulnerability assessments, or contingency planning, so that the architecture and design of information systems are protected against the threats known to exist in their operational environment.

Information security requirements should be identified for all types of projects, not just ICT development projects. The following should also be considered:

a) The nature of the information involved, the corresponding information security needs (classification; see A.5.12), and the potential negative business impact of inadequate security;

b) The required protection of information and other associated assets, particularly in terms of confidentiality, integrity, and availability;

c) The level of confidence or assurance required for the claimed identity of entities to establish authentication requirements;

d) Access provisioning and authorisation processes for customers, other business users, privileged or technical users such as relevant project members, potential operational staff, or external suppliers;

e) Informing users of their duties and responsibilities;

f) Requirements derived from business processes, such as transaction logging, monitoring, and non-repudiation;

g) Requirements mandated by other information security controls (e.g., interfaces to logging and monitoring or data leakage detection systems);

h) Compliance with the legal, statutory, regulatory, and contractual environment in which the organisation operates;

i) The level of confidence or assurance required for third parties to comply with the organisation’s information security policy and topic-specific policies, including relevant security clauses in agreements or contracts.

The project development approach, whether waterfall or agile, should support information security in a structured way that can be scaled to the assessed severity of the information security risks, taking into account the nature of the project. Considering information security requirements for the product or service early (e.g., at the planning and design stages) generally leads to more effective and cost-efficient solutions for both quality and information security than retrofitting them later.