ISO 27001 Control 5.8: Information Security in Project Management
Information security risks don't pause between projects—they compound them. ISO 27001 control 5.8 requires you to weave security requirements, assessments, and oversight into every phase of project delivery, from initiation through closure. This control ensures your organization treats security as a project constraint, not an afterthought.
What this means
Control 5.8 mandates that information security be a core component of your project management processes. Rather than bolting security on at the end, you must identify and manage information security risks as part of standard project governance. This includes evaluating security implications during planning, implementing security controls during execution, and validating security outcomes before project closure.
How to comply
- 1.Document security requirements in your project charter and scope definitions for all projects handling sensitive information
- 2.Conduct information security risk assessments during the project planning phase and integrate findings into risk registers
- 3.Assign security responsibilities to project team members and establish security checkpoints at each project phase
- 4.Review and approve security controls during project execution, not just at the end
- 5.Validate that security controls are implemented and effective before project sign-off
- 6.Maintain project records showing how security risks were identified, addressed, and resolved
Evidence auditors look for
- Project charters that explicitly include information security requirements and constraints
- Risk registers documenting security risks identified in the planning phase with assigned mitigation owners
- Project phase gate documentation showing security reviews and approvals at each stage
- Change control logs capturing security-related project changes
- Post-project security audit or validation reports confirming control implementation
- Project team meeting notes demonstrating ongoing security discussion and decision-making
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch embeds security checkpoints directly into your project workflows, automatically flagging when projects move forward without required security approvals and maintaining the audit trail of security decisions across your entire project portfolio.
See how GRCWatch handles this control automatically
Start free trial