ISO27001:2022 - Annex A 5.8 - What’s changed?

Successfully implement Annex A 5.8, Information Security in Project Management, and what's changed from the 2013 to 2022 ISO27001 standard.

Written by: Mia Davis

Threats to your organisation’s privacy and security are continuously on the rise, and it is more vital than ever to ensure your organisation implements measures to combat them. ISO27001 as a standard lays out the requirements for implementing an effective information security management system (ISMS) within your organisation. With the introduction of the 2022 version of the ISO27001 standard, these requirements have been recategorised and further clarified. Annex A 5.8 covers information security in project management.

What is information security in project management?

Information security is something that should permeate every aspect of your organisation and its processes, and this includes project management. Throughout the entire project lifecycle, sensitive information and systems should be protected by following the processes and procedures your organisation has established to identify and mitigate potential cybersecurity risks. This includes safeguarding project plans, client data, financial records, proprietary information, and any other information deemed critical to the project’s success and integrity. The goal is to ensure that the confidentiality, integrity, and availability of information are preserved in line with your information security requirements.

One of the core areas here is risk management. Project managers should identify possible threats to the assets surrounding the project, assess their likelihood and impact, and implement appropriate measures to mitigate them. This should be done continually at each stage of the project, and the measures should be reviewed to confirm they remain effective. Measures applied to project data and systems might include:

  • Encryption
  • Secure authentication processes
  • Regular security audits
  • Employee training on information security and data protection

What is Annex A 5.8?

Annex A 5.8 is all about information security in project management, and its purpose is to ensure that information security is taken into account throughout the project management process. Project managers should be implementing measures to protect projects from threats, assessing risks, and mitigating them. These measures should be documented in policy and procedure and upheld across all projects in your organisation. The different stakeholders involved, both internal and external, should follow these measures.

This control wants you to ensure that all throughout your projects:

  • Information security risks are identified, assessed, and treated from the very beginning of the project.
  • Information security risks tied to project execution are identified and addressed (for example, secure authentication and access to systems).
  • Security requirements are identified and addressed early in the project (for example, application security requirements).
  • The effectiveness of risk treatment is tested and evaluated throughout the project.

Information security measures could, for example, be featured in a project checklist to ensure continuity and consistency across your operations. This also serves as good evidence for the auditors in your ISO27001 audit, who will be looking for proof that information security measures are embedded throughout the entire project lifecycle within your organisation.

Implementing information security measures in projects is crucial for your compliance with multiple standards and for improving your overall security in line with the latest guidance. One example of this requirement is found in the NHS DSP (Data Security and Protection Toolkit), a self-assessment tool that must be completed by any organisation wishing to access NHS data or systems; it has controls that refer specifically to information security throughout the project lifecycle. Information security in project management is explicitly stated in evidence item 1.3.7, which requires that, at minimum, procedures incorporate GDPR principles and appropriate measures to protect personal data, and that these are enforced all the way through the project lifecycle. This should be embedded in your organisation’s business practices and processing activities by default.

So what’s changed?

ISO27002 is a standard closely aligned with ISO27001 and is essentially guidance on how to implement an ISMS effectively to ISO27001 requirements. We can compare the changes in the ISO27002 guidance for each control to concretely ascertain what has changed in the ISO27001 version of the control. Relative to the 2013 standard, this control consolidates two previously separate controls: Annex A 6.1.5, Information Security in Project Management, and Annex A 14.1.1, Information Security Requirements Analysis & Specification.

With regard to A 5.8, the 2013 version had three guidelines for managing information security throughout a project, whereas the 2022 version lists four items that project managers should be aware of, as stated earlier. Otherwise, this is largely a consolidation of A 6.1.5 and A 14.1.1 and does not tread any new territory. Overall, this has made the control, and the standard, more user friendly and more straightforward to implement.

How Harpe can help you implement Annex A 5.8

Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market for making compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard, with everything you need. Our in-app checklist takes you through every step of implementing a robust and secure ISMS under the new requirements.

Harpe features a robust risk register to allow you to complete risk assessments for your projects and general operations. Assessing the risks to your information security is a key part of project management, and Harpe makes logging and tracking these simple and straightforward, as it should be.

Upload documents to our dedicated Docs page to keep track of the policies and procedures your organisation needs. Your employees can view these to stay on top of the guidelines you have put in place for keeping projects and systems secure throughout the project lifecycle.

With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.
