The purpose of ISO 27001:2022 Annex A Control 5.8 is to ensure that project management incorporates information security measures.
According to ISO 27001:2022, this Annex A control aims to ensure that information security risks related to projects and deliverables are effectively managed during project management.
Project management and project security are key considerations.
Because many projects involve updates to business processes and systems that impact information security, Annex A Control 5.8 documents project management requirements.
As projects may span several departments and organisations, Annex A control 5.8 objectives must be coordinated across internal and external stakeholders.
As a guideline, Annex A controls identify information security concerns in projects and ensure their resolution throughout the project life cycle.
A key aspect of project management is information security, regardless of the project type. Information security should be ingrained in the fabric of an organisation, and project management plays a key role in this. A simple, repeatable checklist that shows information security is being considered is recommended for projects using template frameworks.
Auditors are looking for information security awareness at all stages of the project life cycle. This should also be part of the education and awareness aligned to HR Security for A.6.6.
To demonstrate compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, innovative organisations will incorporate A.5.8 with related obligations for personal data and consider security by design, Data Protection Impact Assessments (DPIAs), and similar processes.
Information security requirements must be included if new information systems are being developed or existing information systems are being upgraded.
A.5.6 could be used in conjunction with A.5.8 as an information security measure. It would also consider the value of the information at risk, which could align with A.5.12’s information classification scheme.
A risk assessment should be conducted whenever a brand-new system is being developed, or a change is being made to an existing system. This is to determine the business requirements for security controls.
As a result, security considerations should be addressed before a solution is selected or its development begins: the correct requirements should be identified first, and only then should a solution be chosen.
Security requirements should be outlined and agreed upon during the procurement or development process to serve as reference points.
It is not good practice to select or create a solution and then assess its level of security capability later on. The result is usually higher risk and higher cost. It may also result in issues with applicable legislation, such as GDPR, which encourages a secure-by-design philosophy and techniques such as Data Protection Impact Assessments (DPIAs). The National Cyber Security Centre (NCSC) has similarly endorsed certain development practices and critical principles as guidelines for consideration. ISO 27001 also includes implementation guidance. Any regulations followed must be documented.
It will be the auditor’s responsibility to verify that security has been considered at all stages of the project life cycle, regardless of whether the project is for a newly developed system or for modifying an existing system.
Additionally, they will expect confidentiality, integrity, and availability to be considered before the selection or development process begins.
You can find more information about ISO 27001 requirements and Annex A controls in the ISMS.online Virtual Coach, which complements our frameworks, tools, and policy material.
The increasing number of businesses conducting their activities online has elevated the importance of information security in project management. At the same time, project managers face a growing number of employees working outside the office and using their personal devices for work.
Creating a security policy for your business will allow you to minimise the risk of a breach or data loss. In addition, you will be able to produce accurate reports on project status and finances at any given time.
As part of the project planning and execution process, information security should be included in the following ways:
The key to keeping your business projects secure is ensuring that your project managers understand the importance of information security and adhere to it in their duties.
Integration of information security into project management is essential since it allows organisations to identify, evaluate, and address security risks.
Consider the example of an organisation implementing a more sophisticated product development system.
A newly developed product development system can be assessed for information security risks, including unauthorised disclosure of proprietary company information. Steps can be taken to mitigate these risks.
To comply with the revised ISO 27001:2022, the information security manager should collaborate with the project manager to identify, assess, and address information security risks as part of the project management process. Project management should integrate information security so that it is not something done “to” the project but something that is “part of the project”.
According to Annex A Control 5.8, the project management system should require the following:
All projects, regardless of their complexity, size, duration, discipline or application area, including ICT development projects, should be evaluated for information security requirements by the Project Manager (PM). Information security managers should understand the Information Security Policy and related procedures and the importance of information security.
The revised ISO 27001:2022 contains more details regarding the implementation guidelines.
In ISO 27001:2022, the implementation guidance for Information Security in Project Management has been revised and clarified compared with ISO 27001:2013. According to ISO 27001:2013, every project manager should know three points related to information security; this has been expanded to four points in ISO 27001:2022.
Control 5.8 in Annex A of ISO 27001:2022 is not new but a combination of controls 6.1.5 and 14.1.1 in ISO 27001:2013.
Information security-related requirements for newly developed or enhanced information systems are discussed in Annex A Control 14.1.1 of ISO 27001:2013.
The implementation guidelines for Annex A Control 14.1.1 are similar to those of Control 5.8: both deal with ensuring that the architecture and design of information systems are protected against known threats within the operating environment.
Despite not being a new control, Annex A Control 5.8 brings some significant changes to the standard. Furthermore, combining the two controls makes the standard more user-friendly.
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security |
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management |
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer |
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control |
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information |
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights |
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption |
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry |
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media |
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices |
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities |
Technological Controls | Annex A 8.9 | NEW | Configuration Management |
Technological Controls | Annex A 8.10 | NEW | Information Deletion |
Technological Controls | Annex A 8.11 | NEW | Data Masking |
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging |
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems |
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
Technological Controls | Annex A 8.23 | NEW | Web filtering |
Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography |
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements |
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
Technological Controls | Annex A 8.28 | NEW | Secure Coding |
Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance |
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments |
Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management |
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
The Project Manager is responsible for ensuring that information security is implemented throughout the life cycle of each project.
Nevertheless, the PM may find it helpful to consult with an Information Security Officer (ISO) to determine which information security requirements are needed for each project.
Using ISMS.online, you can manage your information security risk management processes efficiently and effectively.
Through the ISMS.online platform, you can access various powerful tools designed to simplify the process of documenting, implementing, maintaining, and improving your information security management system (ISMS) and achieving compliance with ISO 27001.
It is possible to create a bespoke set of policies and procedures using the comprehensive package of tools provided by the company. These policies and practices will be tailored to meet your organisation’s specific risks and needs. Moreover, our platform allows collaboration between colleagues and external partners, including suppliers and third-party auditors.
In addition to DPIA and other related personal data assessments, e.g. Legitimate Interest Assessments (LIAs), ISMS.online provides simple, practical frameworks and templates for the security of information in project management.
To schedule a demo, please get in touch with us today.