UnixTime

Research Note

ISO 27001 A.5.8 - Information Security in Project Management

Projects must handle information security from the start, not as a late review before go-live.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Information security shall be integrated into project management.”

Plain-language meaning

Projects must handle information security from the start, not as a late review before go-live.

This applies to projects that build, buy, change, configure, integrate, outsource, or retire systems, services, infrastructure, processes, or business capabilities. A project that delivers on time but creates an insecure system has not delivered a fit-for-purpose outcome.

Why this matters

Projects change the organization. They introduce new systems, suppliers, processes, data flows, integrations, user access, and operational dependencies. If security is not built into the project method, security risks are discovered late, ignored under delivery pressure, or pushed into operations as unresolved risk.

A.5.8 is the bridge between project delivery and the Information Security Management System.

Project risk vs information security risk

Do not confuse normal project risk with information security risk.

Type Focus Example
Project risk Risk to delivery time, cost, scope, quality, or resources Vendor delay may push go-live by two months
Information security risk Risk to confidentiality, integrity, availability, compliance, or resilience New system may expose customer data through weak access control

The project risk register may mention security risks, but it often gets dominated by delivery pressure. Serious information security risks should also connect to the organization-level Risk Assessment or information security risk register.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Add security into the project method

The project methodology should require information security checkpoints across the project lifecycle.

Minimum checkpoints:

  • project initiation;
  • requirements analysis;
  • design or solution selection;
  • supplier or product selection;
  • development or configuration;
  • testing;
  • change approval;
  • transition to operations;
  • post-implementation review.

Security should not rely on a security team member noticing the project informally.

2. Perform two security risk assessments

At project start, assess two different things:

Assessment Question Example control output
Risk from project activity Can the project work itself create security risk? Project data handling rules, secure collaboration spaces, supplier NDA, restricted test data
Risk from project deliverables Can the delivered system, service, or process create security risk? MFA, logging, encryption, backup, secure configuration, access review

Both assessments should produce security requirements and controls.

3. Define security requirements with functional requirements

Security requirements must be captured alongside business and functional requirements.

Examples:

  • access control and privileged access;
  • authentication and MFA;
  • logging and monitoring;
  • encryption and key management;
  • backup and recovery;
  • secure configuration;
  • segregation of duties;
  • data retention and disposal;
  • privacy and regulatory requirements;
  • supplier security requirements;
  • secure development or acquisition requirements;
  • incident response and support obligations.

For acquired systems, commercial off-the-shelf software, add-ons, integrations, and customizations must still be assessed. Buying a product does not outsource accountability for security risk.

4. Trace risks to controls

For each material information security risk, the project should show:

  • the risk;
  • the security requirement;
  • the control or design response;
  • the owner;
  • the test or validation method;
  • the implementation status;
  • the residual risk decision.

This keeps security from becoming vague “security review completed” paperwork.

5. Reassess security during project change

Project changes should trigger security reassessment when they affect:

  • scope;
  • architecture;
  • suppliers;
  • data types;
  • integrations;
  • access model;
  • hosting location;
  • user population;
  • operational support;
  • compliance obligations;
  • go-live timeline.

Removing security controls to hit a deadline is not a local project decision. It should be escalated to the appropriate risk owner or governance body.

6. Validate security before transition

Before go-live or handover, verify that security requirements are actually implemented.

Examples:

  • security test results;
  • access model review;
  • vulnerability assessment;
  • secure configuration review;
  • logging and monitoring validation;
  • backup and recovery test;
  • supplier assurance review;
  • operational support readiness;
  • residual risk acceptance.

The transition phase matters because some project controls are temporary, while deliverable controls must survive into operations.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should test both the project methodology and a sample of actual projects.

The methodology should require:

  • identification of information security objectives;
  • information security risk assessment distinct from delivery risk;
  • security requirements definition;
  • security roles and responsibilities;
  • lifecycle checkpoints;
  • security review after project changes;
  • testing or validation of security requirements;
  • controlled transition to operations.

For sampled projects, auditors should look for evidence that security was identified, tracked, tested, and resolved. A project closeout document that says “security approved” is weak unless it links to risks, requirements, controls, tests, and decisions.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Project methodology Security is built into the standard project process
Project security risk assessment Project-specific information security risks were considered
Security requirements register Requirements were captured and tracked
Design/security review records Security was considered during design or acquisition
Supplier/product security assessment Purchased systems and add-ons were evaluated
Project RACI Security responsibilities were assigned
Change request security review Project changes triggered security reassessment
Test results Security requirements were validated
Defect/remediation records Security gaps were tracked and resolved
Transition checklist Security controls survived handover to operations
Residual risk acceptance Unresolved risk was approved at the right level

Strong evidence

  • Project methodology has security gates and role responsibilities.
  • Each sampled project has a security risk assessment.
  • Security requirements are traceable to risks and controls.
  • Security requirements are tested before acceptance.
  • Project changes trigger security reassessment.
  • Purchased systems and customizations receive security review.
  • Unresolved security issues are escalated and accepted by authorized risk owners.
  • Operational handover includes evidence, owners, monitoring, support, and residual risk.

Weak evidence

  • Security review happens only near go-live.
  • Project risk register mixes delivery risk and security risk without clear ownership.
  • Security requirements are generic or copied from a checklist.
  • No evidence that requirements were tested.
  • COTS products are assumed secure because they are commercial.
  • Security controls are removed to meet deadlines without risk approval.
  • No handover of security controls into operations.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Security added late Fixes become expensive or ignored
Project risk confused with security risk Delivery pressure hides organizational risk
No security requirements Testing cannot prove security outcomes
No traceability Risks, controls, tests, and evidence disconnect
COTS acquisition not assessed Purchased systems can still introduce compromise routes
Project changes do not trigger review Original risk treatment becomes invalid
Weak transition to operations Controls disappear after project closure

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Project management security is not only for software development. It applies to any project that can affect information security.
  • A project risk register is not automatically an information security risk register.
  • Commercial software still needs security requirements and assessment.
  • Security requirements should be identified early, not after build or purchase.
  • Testing should validate security requirements, not only functional requirements.
  • Removing a security control for delivery convenience requires proper risk escalation.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.8 requires information security to be integrated into project management. Projects should identify security objectives, assess information security risks separately from delivery risks, define security requirements, trace risks to controls, reassess security after project changes, test security requirements, and hand over enduring controls into operations.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Project management
  • Risk assessment
  • Systems acquisition
  • Audit

Note Metadata

Aliases: A.5.8, Information Security in Project Management

Source: 02 Annex A Organizational Controls/A.5.8 Information Security in Project Management.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.