Control 5.8 covers the need for organisations to ensure that information security is integrated into project management.
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g., electronic, physical).
Information security’s primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA triad) while maintaining a focus on efficient policy implementation, all without hampering organisational productivity.
The field covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorised access, change or destruction. Information security professionals are employed in many different industries — from finance to government to health care to academia, and from small one-person companies to large multinational organisations.
Project management is a large part of business. It’s about planning, organising and managing resources for the completion of a specific goal.
Project management focuses on a project, which is an identified piece of work that requires inputs from various people or groups to produce specific outputs.
Basically, it involves determining the goal of the project and dividing it into several subtasks. A project manager then works with the team to complete each task in time for the overall goal to be completed.
Project management may sound like something only a big corporation needs. But it’s valuable to any kind of business. After all, even small businesses have projects they need to complete.
As more and more businesses handle their activities online, it’s no surprise that information security in project management has become a hot topic. Project managers are dealing with an increasing number of people working outside of the office, as well as employees using their personal devices for work purposes.
By creating a security policy for your business, you’ll be able to minimise the risk of a breach or data loss and ensure that you’re able to produce accurate reports on project status and finances at any given time.
The best way to include information security in the project planning and execution process is to:
To protect your business projects, you need to make sure that all project managers are aware of information security and follow it as they complete their work.
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications. In control 5.8, the attributes are:
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Identify #Protect | #Governance | #Governance and Ecosystem #Protection |
The purpose of this control according to ISO 27002:2022 is to ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.
Information security is a key consideration for project management and projects.
Control 5.8 covers the control, purpose and implementation guidance for integrating information security in project management according to the framework as defined by ISO 27001.
Control 5.8 recognises that project management requires the coordination of resources, including information assets, to achieve a defined business goal. This matters because projects often introduce new business processes and systems, which have information security implications.
Projects may also span multiple departments and organisations, meaning that the objectives of control 5.8, which are all about ensuring that proper information security protocols are in place, need to be coordinated across internal and external stakeholders.
This control can be viewed as a guideline that identifies information security issues in projects, and ensures these issues are addressed throughout the project lifecycle.
It’s important to integrate information security into project management because this gives organisations the opportunity to ensure that information security risks are identified, evaluated and addressed as part of project management.
For example, if an organisation wants to implement a new product development system, they can identify the information security risks associated with a new product development system – such as unauthorised disclosure of proprietary company information – and take steps to mitigate those risks.
Therefore, to meet the requirements for the new ISO 27002:2022, the information security manager should work with the project manager to ensure that information security risk is identified, assessed, and addressed as part of the project management processes. Information security should be integrated into project management so that it is a “part of the project” rather than something that is done “to the project.”
According to control 5.8, the project management in use should require that:
The Project Manager (PM) should determine the information security requirements for all types of projects, regardless of their complexity, size, duration, discipline or application area, not only ICT development projects. PMs should be aware of the Information Security Policy and related procedures, and of the importance of information security.
More details on the implementation guidelines can be found in the revised ISO 27002:2022.
Information Security in Project Management was revised in ISO 27002:2022 to add clarifications to the implementation guidance compared with ISO 27002:2013. For example, in ISO 27002:2013 there are 3 points that every project manager should know because they affect information security. In the 2022 version, this was expanded to 4 points.
Also, control 5.8 in ISO 27002:2022 is not a new control, rather, it is a combination of controls 6.1.5 and 14.1.1 in ISO 27002:2013.
Control 14.1.1 in ISO 27002:2013 covers information security related requirements for new information systems or enhancements to existing information systems. The implementation guidelines for control 14.1.1 are similar to the part of control 5.8 that deals with ensuring that the architecture and design of information systems are protected against known threats based on the operational environment.
Control 5.8, although not a new control, brings some important changes to the standard. Plus, combining the two controls in ISO 27002:2022 makes the standard more user friendly.
The Project Manager (PM) is responsible for ensuring that information security is implemented in the life cycle of every project. However, the PM may find it useful to consult an Information Security Officer (ISO) to decide what information security requirements are needed for different types of projects.
There are no changes to the ISO/IEC 27001 standard, so existing ISMSs do not need to be updated. Besides, there is a grace period of two years before organisations need to adopt the new standard.
However, because Annex A of ISO/IEC 27001 will be aligned with the new ISO/IEC 27002 controls by the end of 2022, it is recommended that activities based on the information presently available about the new ISO/IEC 27002 controls be completed.
For example, organisations can:
A cloud-based platform for ISO 27002 implementation, ISMS.online, helps you manage your information security risk management processes easily and effectively.
With our cloud-based platform, you will have access to a library of pre-written policies, procedures, work instructions and forms ready for you.
The ISMS.online platform provides a range of powerful tools that simplify the way you can document, implement, maintain and improve your information security management system (ISMS) and achieve compliance with ISO 27002.
The comprehensive package of tools gives you one central place where you can create a bespoke set of policies and procedures that align with your organisation’s specific risks and needs. It also allows for collaboration between colleagues as well as external partners such as suppliers or third party auditors.
By using a web app specifically designed to help companies implement an Information Security Management System (ISMS) based on ISO 27001, you’ll not only save time, but also increase the security of your organisation.
Get in touch today to book a demo.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |