ISO 27001 A.5.8: Information security in project management
What This Control Requires
Information security shall be integrated into project management.
In Plain Language
Bolting security on at the end of a project is expensive, disruptive, and often ineffective. This control is about baking security into your project management methodology from the start - regardless of whether it is an IT project, a business transformation, or a facilities move. In practice, this means security requirements get identified during planning, security risks are assessed alongside all other project risks, security activities appear in timelines and budgets, and security deliverables get reviewed at key milestones before the project moves forward. Systems designed with security in mind from day one are dramatically cheaper and more effective than systems that need retrofitting after deployment. Auditors will specifically look for evidence that security was considered throughout the project lifecycle, not just tacked on before go-live.
How to Implement
Update your project management methodology to include mandatory security checkpoints at each phase. At a minimum: security requirements gathering during initiation, risk assessment during planning, design review during development, security testing before deployment, and formal sign-off before go-live.

Create a security requirements checklist that project managers must complete at the start of every project. Cover data classification, access requirements, regulatory obligations, integration with existing controls, and any new risks the project introduces. Use the results to determine how much security involvement the project needs.

Define security gate criteria for milestones. A project should not move from design to development without a security architecture review, and should not go live without security testing and a vulnerability assessment. Enforce these through your project governance process.

Make sure your security team is resourced to support projects. Assign security champions to high-risk projects, offer consultation for lower-risk ones, and maintain a library of security requirements and design patterns that project teams can reference.

Train your project managers on security basics and what the methodology requires of them. They need to know when to involve the security team, how to engage them, and what deliverables are expected at each stage. Include security criteria in project success metrics and post-implementation reviews.
Evidence Your Auditor Will Request
- Project management methodology documentation showing security integration points
- Security requirements checklists or questionnaires used in project initiation
- Records of security risk assessments conducted for recent projects
- Evidence of security gate reviews and sign-offs at project milestones
- Post-implementation security review reports for completed projects
Common Mistakes
- Security is treated as an afterthought and only considered late in the project lifecycle
- Project management methodology does not include security checkpoints or gates
- Security team is not consulted or resourced to participate in project activities
- No security risk assessment is conducted as part of project planning
- Security requirements are identified but not tracked through to implementation and testing
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC8.1 (change management) | Related |
| GDPR | Art.25 (data protection by design and by default) | Related |
| NIS2 | Art.21(2)(a) (policies on risk analysis and information system security) | Partial overlap |
Frequently Asked Questions
Does this apply to all projects or only IT projects?
All projects. The control says information security shall be integrated into project management, without limiting the type of project. A business transformation or a facilities move can change who has access to what, where information is stored, or which regulatory obligations apply, so the same checklist and gates apply; the checklist results then determine how much security involvement the project actually needs.
How do we integrate security without slowing down agile projects?
Scale the involvement to the risk rather than applying the same gates to everything. The initiation checklist tells you which projects need a security champion and a full architecture review and which only need consultation, and a maintained library of security requirements and design patterns lets teams meet most requirements without waiting on the security team. What auditors need to see is that requirements were identified, tracked and tested, not that a particular waterfall-style gate was held.
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.