One of the new requirements in ISO 27001:2013 is the consideration of security in project management. The standard's clause is as follows:
“A.6.1.5 – Information security in project management – Information security shall be addressed in project management, regardless of the type of the project”
Source: ISO/IEC 27001:2013
The clause applies to all types of projects, not simply 'IT' projects. It can also be read as security 'of the project, by the project and for the project': protecting the project's own information, building security into what the project delivers, and having the project team itself identify the security requirements.
In any organisation there are several business units and teams with different focus areas working in unison to fulfil business objectives. Depending on the type of business, these departments can include core customer-facing services, revenue-generating services, manufacturing, information technology, application development, physical security, human resources, legal and finance (not an exhaustive list). The word 'project' has a different meaning to each of them.
How to implement?
In order to implement this clause, organisations can take one of several approaches.
One approach is to involve the security manager (if you have one) in each and every project. This way, every time a team conceptualises a project, the security manager is involved in assessing and articulating the security requirements.
The other approach is to train the managers themselves in security requirements analysis, so that it is carried out as part of gathering the requirements of any project.
Irrespective of who implements this or how, the organisation should understand how each project's requirements correlate with one or more of the 114 Annex A controls of ISO 27001:2013. A direct question can be: 'does the project need additional security to be implemented?' A simplistic view would consider the physical, technical, human resource or procedural requirements. A more complex case, such as a product implementation or an application development, may require step-by-step documentation of the issues identified.
The process is evidently in place when the teams managing projects are able to articulate their security requirements, which will take the form of people, process or technology changes.
If the clause is implemented correctly, security is addressed at the design phase. This also minimises (if not completely eliminates) security being treated as an afterthought.
Hope this helps!