ISO-27001-ISO-22301-blog

    ISO 27001 & ISO 22301 Blog

    How to manage security in project management according to ISO 27001 A.6.1.5

    Security in project management is a completely new thing in the 2013 revision of ISO 27001 – many people are wondering how to set it up, and whether their projects should be covered with this control at all. Read this article to find the answers…

    It is likely that you’ve heard that “the security of the information not should be seen as a product; it should be seen as a process.” This implies, among other things, that the security of the information is present in any establishment of the organization, being a pillar of the same, and serving as a cross support to the entire organization.

    Project management in information security, or information security in project management?

    Beware: it is not the same to say that we are going to establish a methodology to manage projects in the field of information security (for example, use a methodology such as PRINCE2 project management to implement a project of ISO 27001), as to say that we are going to establish a methodology to treat the security of information in project management (for example, to use a risk management methodology to analyze security risks of the information relating to a project).

    The ISO 27001:2013 standard talks about the second issue, and this will be what we will focus on, but we should take into account the order of the words – as you have seen, it is not the same.


    What happens with the information security in project management?

    The operation of each company is determined by the constant execution of projects in the short, medium, and long term (internal projects to maintain the structure of the organization, and external projects to provide services to customers).

    But security is something that is usually forgotten in projects; i.e., when a project is addressed in an organization, it does not usually take into account the information security. However, I’ve found some organizations, mainly large companies, that have included the information security in their projects as just one more activity (for example, running a risk assessment, focused on information security, at the beginning of any project to identify threats/vulnerabilities and risks). And this is basically what ISO 27001 requests in Annex A.6.1.5 Information security in project management: Information security shall be addressed in project management, regardless of the type of the project.

    What do we need to establish the information security in project management?

    All projects basically need resources, activities to develop, and established time objectives. Information security can be integrated into project management activities in several ways:

    • Include information security objectives in project objectives. To learn more about security objectives, you can read this interesting article: ISO 27001 control objectives – Why are they important?
    • Perform a risk assessment in an early stage of the project. You can also read this article related to the assessment and treatment of risks: ISO 27001 risk assessment & treatment – 6 basic steps.
    • Carry out treatment of the identified risks and implement security measures
    • Make the information security policy an indispensable part of all stages of the project

    ISO 27001 A.6.1.5 – How to manage security in project management

    It’s particularly important (independent of the size of the organization) to include information security in project activities for those projects, e.g., which deal with or target integrity, availability, and confidentiality of the information.

    Benefits of information security in project management

    In this way, the information security will always be a component of the management of any project in the organization, and the organization will also comply with the requirement established by ISO 27001.

    This control also helps to provide greater importance and presence to the information security in the organization, which is always positive for this sector, since it is not seen as a simple requirement of a standard, but as a critical parameter in addressing and implementing any project in the organization.

    Information security is probably not in place in the management of all projects in your organization. Many times, this is due to lack of knowledge, but after reading this article, that should no longer be an excuse. Also, keep in mind that when the information security has more presence in your organization, you will be more important and you will be better valued.

    If you are interested in or thinking about implementing ISO 27001 in your organization, consult the following free materials: Diagram of ISO 27001:2013 implementation, and Project checklist for ISO 27001 implementation.

    Advisera Antonio Jose Segovia
    Author
    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.