
Control 5.8: Information Security in Project Management


Summary

Information security must be integrated into project management practices regardless of the project's type, size, or delivery method (waterfall, agile, or otherwise). The aim is that security requirements are identified, risk-assessed and tracked from project initiation onward, rather than bolted on shortly before go-live when changes are costly and often incomplete.


Applicability

In-Scope: Applies to every organization that runs projects, whether software development, infrastructure upgrades, cloud migrations, or business process changes. It is critical for ensuring that Security by Design is maintained as the organization grows and its systems change.

Out-of-Scope: Never out-of-scope. Even small internal changes should be handled as projects with proportionate security considerations; the depth of the review scales with the risk, but the step itself is not skipped.


Implementation Guidance

Microsoft 365 / Entra ID

  • Planning: Use Microsoft Planner or Microsoft Project to include a Security Review as a mandatory milestone in all project templates, so that a project cannot move to delivery or closure until the review task is completed and its outcome recorded.

  • Collaboration: Create private Microsoft Teams channels for project groups, with membership limited to project stakeholders, in which security requirements, risk assessments and design decisions are discussed and the resulting documents are stored in the channel's SharePoint library so they remain available as evidence.

  • Compliance Tracking: Use Microsoft Purview Compliance Manager to map project-specific regulatory requirements to the controls of the organization's ISO 27001 framework, so each project inherits the relevant controls rather than defining security obligations from scratch.


Evidence Checklist

  • Project Risk Assessments: Documented security risk assessments or reviews conducted during the initiation phase of recent projects, dated so the auditor can confirm they preceded design and build work.

  • Security Requirements: A list of defined security requirements for a new system or service being deployed, traceable to the risks identified in the assessment and to the project's backlog or specification.

  • Sign-off Records: Evidence that the security team formally approved a project's security architecture, and accepted or tracked any residual risk, before the system went live.


Practical Audit Advice

Here are some questions the auditor is likely to ask, together with the kind of evidence that answers them:

  • At what stage of the project lifecycle is the information security team first engaged, and is that engagement built into the project template rather than left to the project manager's discretion?

  • How are security risks tracked and managed throughout the duration of a project, and where is the risk register for a project currently in flight?

  • Can you show evidence of a project where a specific security requirement was identified and subsequently implemented?

  • What is the process for ensuring that third-party contractors involved in a project adhere to your organization's security standards, for example through contractual requirements, onboarding checks and review of their deliverables?