
ISO27001:2022 - A5.8 Information security in project management

Updated: May 14


ISO27001 is a risk based management system, and changes of any kind can introduce risks to your business. This is why it’s important to consider information security in your approach to project management.


Information security risks associated with projects and their deliverables should be effectively managed from beginning to end.


What does the standard require?

The standard states that “Information Security shall be integrated in project management.” (A5.8 Information security in project management)


The key word here is integrated, meaning that it should be part of your project management methodology, rather than an afterthought. In security, there are principles such as ‘Security by Design’ and ‘Privacy by Design and Default’, and these should become part of your approach to project management.


Why is this required?

Projects can involve changes to any number of areas of your business, from business processes and IT systems to data and physical locations. Any of these changes could introduce new information security risks if they are not identified and addressed in an appropriate way.


An example of this was when a client of ours looked to move their office location. This was clearly going to be a large project, as it required changes in a number of areas, including moving over 150 desks, PCs and personal belongings. By including a risk review at the start of the project we were able to identify a number of risks, not only to the business but also risks which might impact clients and their projects. Ultimately we were able to manage a range of risks, including security risks, so that the move happened smoothly.


By integrating security into your approach to project management, you can ensure projects are delivered without compromising the confidentiality, integrity and availability of information assets.


What the auditor is looking for

The auditor won’t be looking for a specific policy in your ISMS about information security in project management, but they will be looking for evidence that there is some form of project management process in place.


Don’t worry if this process isn’t formally documented. That’s not going to be assessed. However, you should be able to provide some form of evidence. The following is typically what you should be able to provide:

· Project documentation: This can include project plans, risk assessments, security requirements, and impact assessments.

· Meeting minutes: Records of project meetings where information security risks were discussed and mitigation strategies and actions were agreed.

· Email chains: Any emails that demonstrate that security is discussed and actions agreed in relation to specific projects.

· Change management procedures: Evidence that changes to systems, processes, or premises are managed in a structured way, with security assessed as part of the change process.


It’s important to say that not all changes or projects will need this level of rigour, but you should certainly consider whether a formal security or risk review is required in relation to the change or project. This is when information security in project management comes to life, as the first step in the process is to ask “Will this change introduce risks to our business?”


Starting with this simple question, you can develop an approach that meets your needs, and the needs of the control in this standard.


Q & A

Is this a mandatory control?

No control is truly ‘mandatory’, but it would be very difficult to explain why this control is ‘not applicable’ to your organisation. All organisations go through some form of change, and where that change is substantial, it could become a project (and therefore would require this control).


How do we start to identify information security risks in projects?

This is all about using appropriate risk assessment methodologies to identify potential threats, vulnerabilities, and impacts to information security during project planning and delivery. If you don’t have an approach to risk assessment, consider these three phases (in relation to security and the project).


Ask “What security risks are associated with this project?”


· Before the project begins

· During the project delivery

· Post delivery of the project


Log these on a spreadsheet. Assign an owner to each risk, and then ask them to come up with their risk management controls. Track these risks and deal with them throughout the project.


Is it possible to get this wrong?

Yes. If you completely ignore the need for information security in projects then this will be a minor non-conformity within your ISMS. Make sure that you include information security requirements in the project deliverables, timeline, and project risk assessments.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to understand the requirement. The implementation of this requirement is largely down to ensuring there is some form of project management within your business. If you are a small business, this will be relatively informal, and that’s fine. Just make sure that where there are projects, you consider information security risks, and you can evidence the discussions and decisions being made.


More questions?

Just remember that nothing in ISO27001 sits in isolation, so you should review our ISO 27001 FAQ to gain answers to other aspects of the standard, but if you’re still confused by how to integrate information security into your project management approach, just get in touch and we’ll be happy to help.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.


