All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact

ISO 27001:2022 Annex A Control 5.8 Information security in project management

Annex 5.4 of the 2022 version of the ISO27001 standard can be mapped to ISO 27001:2013 Annex A 6.1.5 and ISO 27001:2013 Annex A 14.1.1

Annex A control 5.8 ensures that any project management includes information security measures, helping to effectively manage any information security risks related to projects and deliverables.

Project security is a key consideration in any project management, as many projects involve the updating of systems that impact information security. Annex 5.8 documents information security requirements and concerns for project management to ensure their resolution throughout the life cycle of the project.

Project management information security

Any project must take information security into consideration, regardless of type or scale. Cybersecurity should be intrinsic to the foundation of an organisation, and project management is critical to this. Control 5.8 recommends a simple, repeatable checklist that can be used for all projects.

Organisations should incorporate annex 5.8 for personal data, considering Data Protection Impact Assessments (DPIAs) and other processes in order to demonstrate compliance with both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Annex 5.6 can be used in conjunction with annex 5.8 to bolster information security measures. A risk assessment should be carried out whenever systems are introduced or updated to determine the requirements for security controls.

By outlining and agreeing upon security requirements, organisations have reference points to utilise when undertaking projects.

Meeting the requirements of control 5.8

Every project must have IS requirements assessed by a project manager. Prioritising information security in project management allows organisations to highlight, evaluate, and address security risks. It should not be something that is done to a project, but something that is part of the project.

IS managers have a responsibility to work with project managers to assess and address information security risks, as part of the project management process. According to annex 5.8, project management systems require the following:

  • Security risks are assessed and addressed early and frequently during the project’s life cycle.
  • Information security requirements identified early in the project’s development.
  • Information security risks associated with the project’s execution should be considered and addressed, including the security of internal and external communication channels.
  • Evaluations of the effectiveness of information security measures should be conducted.

How has control 5.8 changed from ISO27001:2013?

Implementation guidelines for information security in project management now reflect more clarifications than in ISO27001:2013. The earlier version contained three points that every project manager should know related to information security. In the updated version, this has been expanded to four points.

While not a new control, Annex A control 5.8 brings significant changes to the standard, while also combining ISO27001:2013 Annex A controls 6.1.5 and 14.1.1 to make it more user-friendly.