My question is, do we have to consider information security in project management separately? I mean, we already have an IT Security policy and other policies, where we described how to work with information securely. Should it also stay in, e.g., the Project Management Handbook? Or maybe we can write in the Project Management Handbook: you have to follow these policies?
The need to consider Information security in project management separately will depend on the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).
For example, some projects may require the implementation of technologies not used in your organization at large, so it would not make sense to write a corporate policy. Other projects, by force of contracts, may require that all information security is under project context. In case these situations do not occur, then you can make projects refer to the corporate documents.