ISO27001 – Control 5.8 – Information Security in Project Management
Control
Information security should be integrated into Project Management.
What this means
When planning and executing projects, it’s essential to integrate information security practices throughout the entire project lifecycle. Information security risks can derail projects and jeopardise deliverables if not addressed proactively. This can be applied to any type of project regardless of its complexity, size, duration, discipline or application area (e.g. a project for a core business process, ICT, facility management or other supporting processes). Don’t fall into the trap of thinking its just for ICT projects.
Here are some key considerations for ensuring information security is considered as part of your project management approach:
Early Risk Assessment
From the initial planning stages, assess potential information security risks associated with the project scope, goals, processes, and deliverables. Identify risks around data confidentiality, integrity, and availability. Build risk treatment plans early on and review them throughout the process so any new risks are identified and managed.
Define Security Requirements
Specify all relevant information security requirements upfront when defining the project’s overall requirements. Look at factors like:
a) what information is involved, what are the corresponding information security needs and the potential negative business impact which can result from lack of adequate security;
b) the required protection needs of information and other associated assets involved, particularly in terms of confidentiality, integrity and availability;
c) the level of confidence or assurance required towards the claimed identity of entities in order to derive the authentication requirements;
d) access provisioning and authorisation processes, for customers and other potential business users as well as for privileged or technical users such as relevant project members, potential operation staff or external suppliers;
e) informing users of their duties and responsibilities;
f) requirements derived from business processes, such as transaction logging and monitoring, nonrepudiation requirements;
g) requirements mandated by other information security controls (e.g. interfaces to logging and monitoring or data leakage detection systems);
h) compliance with the legal, statutory, regulatory and contractual environment in which the organisation operates;
i) level of confidence or assurance required for third parties to meet the organisation’s information security policy and topic-specific policies including relevant security clauses in any agreements or contracts.
Apply a risk-based approach to prioritise and incorporate the most critical security requirements into project plans, designs, and implementation roadmaps.
Secure the Project
Throughout the project lifecycle, continually assess and mitigate risks related to project communications, collaboration tools, documentation sharing, and other execution activities that could expose sensitive data. Further information security requirements can be derived from activities such as threat modelling, incident reviews, use of vulnerability thresholds or contingency planning, thus ensuring that the architecture and design of information systems are protected against known threats based on the operational environment.
Test Security Effectiveness
As the project progresses, verify that information security controls are operating as intended. Evaluate control effectiveness through activities like security testing, audits, and incident response simulations.
Governance and Accountability
Clearly define information security roles, responsibilities, and approval gates within the project governance structure. Have an accountable steering committee or other committee to validate security considerations at key milestones.
By proactively addressing information security, you reduce project risks, increase stakeholder confidence, and protect valuable data assets and intellectual property. Make security an integral part of project management, not an afterthought.
If you want to talk about information security in your organisation then please book a free call here or email us here