Answer: Unfortunately we do not have a template or tool covering specifically Information Security in Project Management (this specific document is not mandatory for ISO 27001), but there are many similarities with implementing an ISMS that you can use to drive the implementation of this control in a specific project:
1 – You have to define information security objectives, the same way you define information security objectives for an ISMS aligned with organization's objectives, the only difference is that these objectives are restricted to the scope of the project
2 – You have to perform at the beginning, and periodically, information risk assessments in the project, like you would do it with other business processes, to identify necessary controls
3 – You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing)
In short, you can think of the inclusion of information security in project management as implementing a small ISMS that fits the project's needs and is proportional to the project's lifetime and budget.
>I read the answer.
>In short, we need to make sure that all the other development projects that we undertake in the company have a risk assessment done somewhere in the project charter or project plan,
>or maybe some document that does the project requirement analysis and identifies the risks before initiating the design phase.
>Correct me if I am wrong.
Answer: You must consider risk assessment in all phases of the project (initiation, planning, execution, control and closing). The best way to ensure that is, as you assumed, by using a document to define how risks must be assessed and treated and when risk assessments must be performed. And the best part is that you can use the same risk assessment and treatment methodology you adopted for your organization (remember, the process is the same, whether for the whole organization or for a single project, the only difference being that the project's scope is smaller than the organization's).