ISO 27001:2022 Annex A Control 5.8

Information Security in Project Management

Book a demo

silhouettes,of,people,sitting,at,the,table.,a,team,of

What Is The Purpose of ISO 27001:2022 Annex A 5.8?

The purpose of ISO 27001:2022 Annex A Control 5.8 is to ensure that project management incorporates information security measures.

According to ISO 27001:2022, this Annex A control aims to ensure that information security risks related to projects and deliverables are effectively managed during project management.

Project management and project security are key considerations.

Because many projects involve updates to business processes and systems that impact information security, Annex A Control 5.8 documents project management requirements.

As projects may span several departments and organisations, Annex A control 5.8 objectives must be coordinated across internal and external stakeholders.

As a guideline, Annex A controls identify information security concerns in projects and ensure their resolution throughout the project life cycle.

Managing Information Security in Projects

A key aspect of project management is information security, regardless of the project type. Information security should be ingrained in the fabric of an organisation, and project management plays a key role in this. A simple, repeatable checklist that shows information security is being considered is recommended for projects using template frameworks.

Auditors are looking for information security awareness at all stages of the project life cycle. This should also be part of the education and awareness aligned to HR Security for A.6.6.

To demonstrate compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, innovative organisations will incorporate A.5.8 with related obligations for personal data and consider security by design, Data Protection Impact Assessments (DPIAs), and similar processes.

Analysing and Specifying Information Security Requirements

Information security requirements must be included if new information systems are being developed or existing information systems are being upgraded.

A.5.6 could be used in conjunction with A.5.8 as an information security measure. It would also consider the value of the information at risk, which could align with A.5.12’s information classification scheme.

A risk assessment should be conducted whenever a brand-new system is being developed, or a change is being made to an existing system. This is to determine the business requirements for security controls.

As a result, security considerations should be addressed before selecting a solution or initiating its development. The correct requirements should be identified before an answer is selected.

Security requirements should be outlined and agreed upon during the procurement or development process to serve as reference points.

It is not good practice to select or create a solution and then assess its level of security capability later on. The result is usually higher risks and higher costs. It may also result in issues with applicable legislation, such as GDPR, which encourages a secure design philosophy and techniques such as Data Protection Privacy Impact Assessments (DPIAs). The National Cyber Security Centre (NCSC) has similarly endorsed certain development practices and critical principles as guidelines for consideration. ISO 27001 also includes implementation guidance. Documentation of any regulations followed is necessary.

It will be the auditor’s responsibility to ensure security considerations are considered at all stages of the project life cycle. This is regardless of whether the project is for a newly developed system or for modifying an existing system.

Additionally, they will expect confidentiality, integrity, and availability to be considered before the selection or development process begins.

You can find more information about ISO 27001 requirements and Annex A controls in the ISMS.online Virtual Coach, which complements our frameworks, tools, and policy material.

The Importance of Information Security in Project Management

The increasing number of businesses conducting their activities online has elevated the importance of information security in project management. As a result, project managers face a growing number of employees working outside the office and using their personal devices for work.

Creating a security policy for your business will allow you to minimise the risk of a breach or data loss. In addition, you will be able to produce accurate reports on project status and finances at any given time.

As part of the project planning and execution process, information security should be included in the following ways:

  • Define the information security requirements for the project, taking into account business needs and legal requirements.
  • Information security threats should be assessed in terms of their risk impact.
  • To manage risk impacts, implement appropriate controls and processes.
  • Ensure that these controls are monitored and reported regularly.

The key to keeping your business projects secure is ensuring that your project managers understand the importance of information security and adhere to it in their duties.

How to Meet the Requirements and What Is Involved

Integration of information security into project management is essential since it allows organisations to identify, evaluate, and address security risks.

Consider the example of an organisation implementing a more sophisticated product development system.

A newly developed product development system can be assessed for information security risks, including unauthorised disclosure of proprietary company information. Steps can be taken to mitigate these risks.

To comply with the revised ISO 27001:2022, the information security manager should collaborate with the project manager to identify, assess, and address information security risks as part of the project management process to meet the requirements of the revised ISO 27001:2022. Project management should integrate information security so that it is not something done “to” the project but something that is “part of the project”.

According to Annex, A control 5.8, the project management system should require the following:

  • Information security risks are assessed and addressed early and periodically throughout the project’s life cycle.
  • Security requirements must be addressed early in the project development process, for example, application security requirements (8.26), requirements for complying with intellectual property rights (5.32), etc.
  • As part of the project life cycle, information security risks associated with project execution are considered and addressed. These include the security of internal and external communication channels.
  • An evaluation and testing of the effectiveness of the treatment of information security risks are conducted.

All projects, regardless of their complexity, size, duration, discipline or application area, including ICT development projects, should be evaluated for information security requirements by the Project Manager (PM). Information security managers should understand the Information Security Policy and related procedures and the importance of information security.

The revised ISO 27001:2022 contains more details regarding the implementation guidelines.

What Are the Changes and Differences From ISO 27001:2013?

In ISO 27001:2022, the implementation guidance for Information Security in Project Management has been revised to reflect more clarifications than in ISO 27001:2013. According to ISO 27001:2013, every project manager should know three points related to information security. However, this has been expanded to four points in ISO 27001:2022.

Control 5.8 in Annex A of ISO 27001:2022 is not new but a combination of controls 6.1.5 and 14.1.1 in ISO 27001:2013.

Information security-related requirements for newly developed or enhanced information systems are discussed in Annex A Control 14.1.1 of ISO 27001:2013.

Annex A control 14.1.1 implementation guidelines are similar to control 5.8, which deals with ensuring that the architecture and design of information systems are protected against known threats within the operating environment.

Despite not being a new control, Annex A Control 5.8 brings some significant changes to the standard. Furthermore, combining the two controls makes the standard more user-friendly.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of ISO 27001:2022 Annex A 5.8?

To ensure information security is implemented throughout the life cycle of each project, the Project Manager is responsible.

Nevertheless, the PM may find it helpful to consult with an Information Security Officer (ISO) to determine which information security requirements are needed for each project.

How ISMS.online Helps

Using ISMS.online, you can manage your information security risk management processes efficiently and effectively.

Through the ISMS.online platform, you can access various powerful tools designed to simplify the process of documenting, implementing, maintaining, and improving your information security management system (ISMS) and achieving compliance with ISO 27001.

It is possible to create a bespoke set of policies and procedures using the comprehensive package of tools provided by the company. These policies and practices will be tailored to meet your organisation’s specific risks and needs. Moreover, our platform allows collaboration between colleagues and external partners, including suppliers and third-party auditors.

In addition to DPIA and other related personal data assessments, e.g. Legitimate Interest Assessments (LIAs), ISMS.online provides simple, practical frameworks and templates for the security of information in project management.

To schedule a demo, please get in touch with us today.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.