Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Information security shall be integrated into project management.”
Plain-language meaning
Projects must handle information security from the start, not as a late review before go-live.
This applies to projects that build, buy, change, configure, integrate, outsource, or retire systems, services, infrastructure, processes, or business capabilities. A project that delivers on time but creates an insecure system has not delivered a fit-for-purpose outcome.
Why this matters
Projects change the organization. They introduce new systems, suppliers, processes, data flows, integrations, user access, and operational dependencies. If security is not built into the project method, security risks are discovered late, ignored under delivery pressure, or pushed into operations as unresolved risk.
A.5.8 is the bridge between project delivery and the Information Security Management System.
Project risk vs information security risk
Do not confuse normal project risk with information security risk.
| Type | Focus | Example |
|---|---|---|
| Project risk | Risk to delivery time, cost, scope, quality, or resources | Vendor delay may push go-live by two months |
| Information security risk | Risk to confidentiality, integrity, availability, compliance, or resilience | New system may expose customer data through weak access control |
The project risk register may mention security risks, but it often gets dominated by delivery pressure. Serious information security risks should also connect to the organization-level Risk Assessment or information security risk register.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Add security into the project method
The project methodology should require information security checkpoints across the project lifecycle.
Minimum checkpoints:
- project initiation;
- requirements analysis;
- design or solution selection;
- supplier or product selection;
- development or configuration;
- testing;
- change approval;
- transition to operations;
- post-implementation review.
Security should not rely on a security team member noticing the project informally.
2. Perform two security risk assessments
At project start, assess two different things:
| Assessment | Question | Example control output |
|---|---|---|
| Risk from project activity | Can the project work itself create security risk? | Project data handling rules, secure collaboration spaces, supplier NDA, restricted test data |
| Risk from project deliverables | Can the delivered system, service, or process create security risk? | MFA, logging, encryption, backup, secure configuration, access review |
Both assessments should produce security requirements and controls.
3. Define security requirements with functional requirements
Security requirements must be captured alongside business and functional requirements.
Examples:
- access control and privileged access;
- authentication and MFA;
- logging and monitoring;
- encryption and key management;
- backup and recovery;
- secure configuration;
- segregation of duties;
- data retention and disposal;
- privacy and regulatory requirements;
- supplier security requirements;
- secure development or acquisition requirements;
- incident response and support obligations.
For acquired systems, commercial off-the-shelf software, add-ons, integrations, and customizations must still be assessed. Buying a product does not outsource accountability for security risk.
4. Trace risks to controls
For each material information security risk, the project should show:
- the risk;
- the security requirement;
- the control or design response;
- the owner;
- the test or validation method;
- the implementation status;
- the residual risk decision.
This keeps security from becoming vague “security review completed” paperwork.
5. Reassess security during project change
Project changes should trigger security reassessment when they affect:
- scope;
- architecture;
- suppliers;
- data types;
- integrations;
- access model;
- hosting location;
- user population;
- operational support;
- compliance obligations;
- go-live timeline.
Removing security controls to hit a deadline is not a local project decision. It should be escalated to the appropriate risk owner or governance body.
6. Validate security before transition
Before go-live or handover, verify that security requirements are actually implemented.
Examples:
- security test results;
- access model review;
- vulnerability assessment;
- secure configuration review;
- logging and monitoring validation;
- backup and recovery test;
- supplier assurance review;
- operational support readiness;
- residual risk acceptance.
The transition phase matters because some project controls are temporary, while deliverable controls must survive into operations.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should test both the project methodology and a sample of actual projects.
The methodology should require:
- identification of information security objectives;
- information security risk assessment distinct from delivery risk;
- security requirements definition;
- security roles and responsibilities;
- lifecycle checkpoints;
- security review after project changes;
- testing or validation of security requirements;
- controlled transition to operations.
For sampled projects, auditors should look for evidence that security was identified, tracked, tested, and resolved. A project closeout document that says “security approved” is weak unless it links to risks, requirements, controls, tests, and decisions.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Project methodology | Security is built into the standard project process |
| Project security risk assessment | Project-specific information security risks were considered |
| Security requirements register | Requirements were captured and tracked |
| Design/security review records | Security was considered during design or acquisition |
| Supplier/product security assessment | Purchased systems and add-ons were evaluated |
| Project RACI | Security responsibilities were assigned |
| Change request security review | Project changes triggered security reassessment |
| Test results | Security requirements were validated |
| Defect/remediation records | Security gaps were tracked and resolved |
| Transition checklist | Security controls survived handover to operations |
| Residual risk acceptance | Unresolved risk was approved at the right level |
Strong evidence
- Project methodology has security gates and role responsibilities.
- Each sampled project has a security risk assessment.
- Security requirements are traceable to risks and controls.
- Security requirements are tested before acceptance.
- Project changes trigger security reassessment.
- Purchased systems and customizations receive security review.
- Unresolved security issues are escalated and accepted by authorized risk owners.
- Operational handover includes evidence, owners, monitoring, support, and residual risk.
Weak evidence
- Security review happens only near go-live.
- Project risk register mixes delivery risk and security risk without clear ownership.
- Security requirements are generic or copied from a checklist.
- No evidence that requirements were tested.
- COTS products are assumed secure because they are commercial.
- Security controls are removed to meet deadlines without risk approval.
- No handover of security controls into operations.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Security added late | Fixes become expensive or ignored |
| Project risk confused with security risk | Delivery pressure hides organizational risk |
| No security requirements | Testing cannot prove security outcomes |
| No traceability | Risks, controls, tests, and evidence disconnect |
| COTS acquisition not assessed | Purchased systems can still introduce compromise routes |
| Project changes do not trigger review | Original risk treatment becomes invalid |
| Weak transition to operations | Controls disappear after project closure |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Project management security is not only for software development. It applies to any project that can affect information security.
- A project risk register is not automatically an information security risk register.
- Commercial software still needs security requirements and assessment.
- Security requirements should be identified early, not after build or purchase.
- Testing should validate security requirements, not only functional requirements.
- Removing a security control for delivery convenience requires proper risk escalation.
Related controls and concepts
- Risk Assessment
- Statement of Applicability
- A.5.2 Information Security Roles and Responsibilities
- A.5.3 Segregation of Duties
- A.5.4 Management Responsibilities
- A.5.7 Threat Intelligence
- Information Security Management System
- Internal Audit
- Management Review
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.8 requires information security to be integrated into project management. Projects should identify security objectives, assess information security risks separately from delivery risks, define security requirements, trace risks to controls, reassess security after project changes, test security requirements, and hand over enduring controls into operations.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Project management
- Risk assessment
- Systems acquisition
- Audit
Note Metadata
Aliases: A.5.8, Information Security in Project Management
Source: 02 Annex A Organizational Controls/A.5.8 Information Security in Project Management.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Information Security Management System
- Internal Audit
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- A.5.8 Audit Evidence Pack
- AQ-ISO27001-A.5.8 Information Security in Project Management
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.8 Information Security in Project Management
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.8 Audit Checklist
- Application Security Requirements Register
- Template - Corrective Action Tracker
- Project Security Requirements Register
- Template - RACI Matrix
- Template - Risk and Control Mapping Table
- Annex A Controls MOC