How to manage security in project management according to ISO 27001 A.5.8

Updated: March 28, 2023, according to the ISO 27001 2022 revision.

Security in project management is an important part of ISO 27001 – many people are wondering how to set it up, and whether their projects should be covered with this control at all. Read this article to find the answers…

You have probably heard that “information security should not be seen as a product; it should be seen as a process.” Among other things, this implies that information security is present in every part of the organization: it is one of its pillars, and it cuts across and supports the entire organization.

What do we need in order to establish the information security in project management?
  • Include information security objectives in project objectives.
  • Perform a risk assessment in an early stage of the project.
  • Carry out treatment of the identified risks.
  • Make the information security policy an indispensable part of all stages.

Project management in information security, or information security in project management?

Beware: establishing a methodology to manage projects in the field of information security (for example, using a project management methodology such as PRINCE2 to run an ISO 27001 implementation project) is not the same as establishing a methodology to address information security within project management (for example, using a risk management methodology to analyze the information security risks of a given project).

The ISO 27001:2022 standard talks about the second issue, and this is what we will focus on; but keep the order of the words in mind, because, as you have seen, the two are not the same.

Why is security important and why should we use security in project management?

The operation of each company is determined by the constant execution of projects in the short, medium, and long term (internal projects to maintain the structure of the organization, and external projects to provide services to customers).

Projects require collecting and processing data and generating information. They are becoming increasingly dependent on information systems that usually contain vulnerabilities and security flaws. When vulnerabilities are exploited, the success of the projects can be adversely affected. The level of information security in project management dictates how safe your project will be. To maximize long-term return on investment (ROI) with a project’s delivery, taking information security into account with all aspects is essential.

But security is something that is usually forgotten in projects; i.e., when a project is launched in an organization, it usually does not take into account that it should be led according to the principles of information security in project management. However, I’ve found some organizations, mainly large companies, that have included information security in their projects as just one more activity (for example, running a risk assessment focused on information security at the beginning of any project to identify threats, vulnerabilities, and risks).

And this is basically what ISO 27001 requests in Annex A.5.8, “Information security in project management”: information security shall be addressed in project management, regardless of the type of project. This control can be applied to all kinds of projects, from a minor IT implementation to a major business change project. Information security should be part of “business as usual,” and therefore information security risks and objectives should be considered at the outset of each project.

How do we include information security in project management?

All projects basically need resources, activities to develop, and established time objectives. Information security in project management can be integrated in several ways:

  • Include information security objectives in project objectives. To learn more about security objectives, you can read this interesting article: ISO 27001 control objectives – Why are they important?
  • Determine roles and responsibilities associated with information security so that everybody knows and executes what is necessary.
  • Perform a risk assessment in an early stage of the project. You can also read this article related to the assessment and treatment of risks: ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide.
  • Carry out treatment of the identified risks and implement security measures.
  • Make the information security policy an indispensable part of all stages of the project.
  • Train the project team on information security policies and controls to increase awareness and competence so that you can reduce the occurrence of incidents and non-compliances.
  • Have confidentiality agreements with suppliers working on the project and inform them about relevant policies and procedures.
  • If the project is in collaboration with a vendor, configure scheduled access reviews with the vendor team.
  • Conduct reviews and audits to measure the effectiveness of implementation, and analyze results.
  • Take corrective or improvement actions where needed.
  • At the closing phase of projects, save and store all data and documents with proper safeguards. Check the access rights of team members. When these activities are performed improperly, it can be a catalyst for unauthorized disclosure of sensitive and priceless business information.

Information security in project management according to ISO 27001

It’s particularly important (independent of the size of the organization) to include information security in project activities for those projects that deal with, or have an effect on, the confidentiality, integrity, and availability of information.

What are the benefits of information security in project management?

In this way, information security will always be a component of the management of any project in the organization, and the organization will also comply with the requirement established by ISO 27001. So, let’s get a closer look into the benefits of information security project management.

ISO 27001 helps to manage the information security of all projects gathered under one roof. From project initiation to the protection from different threats such as data breaches and cyber-attacks, companies can anticipate risks, react accordingly, and secure their information. Documents, databases, devices, cloud servers, etc. remain safe within the project, which becomes resilient thanks to the implementation of ISO 27001.

This control also gives information security greater importance and presence in the organization’s project management, which is always positive for this area, because security is then seen not as a mere requirement of a standard, but as a critical parameter in planning and implementing any project in the organization.

Information security is probably not in place in the management of all projects in your organization. Many times, this is due to a lack of knowledge, but after reading this article, that should no longer be an excuse. Also, keep in mind that when information security has more presence in your organization, your role will become more important and better valued.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.

Author
Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.
Contributor
Tolga Aktaş

Tolga Aktaş has been working in various disciplines of management systems for more than 15 years. Tolga is an accredited lead auditor for the ISO 9001, 14001, 18295, 22301, 27001, 27701, 37001, and 55001 standards and has conducted audits as a freelancer for internationally accredited conformity assessment companies. He is also an accredited lead auditor trainer for ISO 22301, 27001, and 27701. He conducts workshops and webinars, and provides consultancy services on management systems to organizations mainly in Turkey, the UK, the EU, Qatar, UAE, Germany, and Japan. Tolga holds a Master of Business Administration degree.