The basics
ISO 27001 control A.5.8 Information security in project management requires companies to incorporate information security into projects in a systematic way, so that information handled in projects is properly protected throughout the project's life cycle.
Documentation
ISO 27001 control A.5.8 Information security in project management can be documented:
- For smaller and mid-size companies by covering the security of project management in all security policies and procedures. For example, the Access Control Policy would define access to all company information systems, including project documentation.
- For larger companies by writing a Policy for Project Management Security.
These documents are not mandatory under ISO 27001, but they are recommended for companies of all sizes.
Implementation
In order to comply with control A.5.8 Information security in project management you might implement the following:
- Technology — Companies of all sizes will probably be able to manage information security in projects by using their existing software for project management (e.g., Jira, Trello, Monday, etc.) and by using existing text processing applications for writing security policies and procedures (e.g., MS Word, Google Docs, etc.).
- Organization/processes — set up a process for defining, approving, publishing, communicating, and reviewing the information security policies and procedures used in project management. You can document this process in a Policy for Project Management Security.
- People — make employees aware of why including information security in projects is important, and train project managers on how to identify project security requirements and include them in relevant policies and procedures.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.8 Information security in project management: whether information security practices are incorporated into projects, for example whether project security requirements have been identified and recorded in the project documentation.