
ISO 27001:2022 Annex A Control 5.8 Information security in project management

Annex A 5.8 of the 2022 version of the ISO 27001 standard maps to ISO 27001:2013 Annex A 6.1.5 and ISO 27001:2013 Annex A 14.1.1.

Annex A control 5.8 ensures that any project management includes information security measures, helping to effectively manage any information security risks related to projects and deliverables.

Project security is a key consideration in any project management, as many projects involve updating systems that affect information security. Annex A 5.8 requires that information security requirements and concerns be documented for project management, so that they are resolved throughout the life cycle of the project.

Project management information security

Any project must take information security into consideration, regardless of type or scale. Cybersecurity should be intrinsic to the foundation of an organisation, and project management is critical to this. Control 5.8 recommends a simple, repeatable checklist that can be used for all projects.

Organisations should incorporate annex 5.8 for personal data, considering Data Protection Impact Assessments (DPIAs) and other processes in order to demonstrate compliance with both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Annex 5.6 can be used in conjunction with annex 5.8 to bolster information security measures. A risk assessment should be carried out whenever systems are introduced or updated to determine the requirements for security controls.

By outlining and agreeing upon security requirements, organisations have reference points to utilise when undertaking projects.

Meeting the requirements of control 5.8

Every project must have IS requirements assessed by a project manager. Prioritising information security in project management allows organisations to highlight, evaluate, and address security risks. It should not be something that is done to a project, but something that is part of the project.

IS managers have a responsibility to work with project managers to assess and address information security risks, as part of the project management process. According to annex 5.8, project management systems require the following:

  • Information security risks are assessed and addressed early and frequently during the project’s life cycle.
  • Information security requirements are identified early in the project’s development.
  • Information security risks associated with the project’s execution are considered and addressed, including the security of internal and external communication channels.
  • The effectiveness of information security measures is evaluated.

How has control 5.8 changed from ISO27001:2013?

The implementation guidance for information security in project management is more detailed than in ISO 27001:2013. The earlier version listed three points that every project manager should know in relation to information security; the updated version expands this to four points.

Although it is not a new control, Annex A control 5.8 brings significant changes to the standard: it merges ISO 27001:2013 Annex A controls 6.1.5 and 14.1.1 into a single control to make the requirements easier to apply.