We are currently busy with implementing the ISO 27001 standard in our organization. Everything is going well, except we have a question about one of the controls, which isn't quite clear to us. The control is about information security in project management (it is in Annex A, paragraph A.6.1.5). This control isn't quite clear, and we would like to ask you if you can give us some examples of it.
Answer: The standard only says that you need to address information security in any type of project - this means you have to make sure that the information is protected in all your projects. Usually, this can be done in the following way:
- include security objectives in overall project objectives
- include security specifications in your project description
- perform a risk assessment specifically for the project you are to undertake
- make sure security rules/technology are included in all the steps/tasks of the project
- test if the project deliverables are compliant with security specifications