Establishing Information Security in Project Management

A person recently asked me if it was possible to implement ISO 27001 using a specific project management software product. They used the tool in the past to define project plans and make project reviews. While I told them this is entirely possible, the truth is one can implement ISO 27001 even without a project plan or any specific tools. But should they?

ISO 27001 and Information Security in Project Management

The point is that many people do not treat the implementation of ISO 27001 as a project. What is worse, the majority see this security standard as just another document kit. They believe information security could be established just by making their employees scan a set of documents. Of course, this is an entirely incorrect concept of ISO 27001. To establish information security within an organization, we need to implement a set of specifically defined procedures. This is also analogous to establishing information security within project management itself. While most think that ISO 27001 is merely a document or a project plan a manager needs to quickly scan before the project starts, this could not be further from the truth. What we actually need to do is clearly define a guide for the implementation of information security during the entirety of the project management life cycle. Unfortunately, a lot of people find it difficult to understand what information security in project management entails. But the concept is fairly easy to grasp - protect information related to project management from an information security point of view.

How Can We Establish Information Security in Project Management?

To properly protect information around any project, we need to focus on securing the information that is essential to the management of a specific project (information related to the project itself, business, resources, personal data, etc). Furthermore, it is extremely important to identify the classification of the information because its value is not always the same. For example, names and surnames are treated as public, while information on employee salaries is considered private. But even though some information is considered public, we need to protect it regardless. The obvious reason is it could be modified without our permission. For example, an e-commerce website would see a significant decrease in revenue if one was to modify their public information by increasing product prices by $100. Therefore, one important thing to focus on would be the identification of information in your project, i.e. defining the classification of information and considering that not all information should be treated equally. Now let us take a closer look at how ISO 27001 helps with establishing information security in project management.

Managing Projects in Accordance With ISO 27001

The most important aspect of ISO 27001 is risk management, which is a crucial point if you want to manage projects according to this information security standard. Annex A of ISO 27001 includes a specific control regarding risk management (“A.6.1.5 Information security in project management”) according to which you would need to define the following points:

• Clearly define roles and responsibilities related to information security (CISO, information security auditors, developers, systems administrators, etc.).
• Define information security objectives. Reduce the number of incidents and improve confidentiality of external access to the information, etc.
• Perform risk assessment and risk treatment. For example, risks related to a source code in software development or risks related to the entire IT infrastructure of a company, etc.
• Develop specific policies for information security of a project. If the project is related to software development, it might be wise to develop a policy related to writing software code in a secure way.

Benefits of Information Security in Project Management

Clearly, there are a lot of risks when it comes to establishing information security in project management. Although these could be hazardous to your project, the good news is you can easily avoid them. You just need to clearly define information security throughout the entire project life cycle. Risk management is the ultimate tool to pinpoint what you need to change in your project to avoid problems and execute it securely. Some might wonder whether it was possible to execute a project without considering information security. Obviously, one can manage a project without establishing proper infosec, but there will be a much higher probability of failure. From a professional viewpoint, and since information security should be of the highest importance to any project manager, the main benefit of secure project management is painstakingly clear: avoidance of any potential breaches of information security within a project. Fortunately, ISO 27001 is specifically designed to establish proper information security while having a specific control regarding the treatment of information security in project management. Therefore, ISO 27001 can be an excellent tool for executing secure projects within your organization.

---

About the Author: Antonio Jose Segovia (@ajosesegovia) is a computer engineer and an international expert at Advisera – one of the leading providers of documentation, online support, books, and courses for implementing various industry standards. Antonio is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as an expert in information security, an ethical hacker, and a university professor in a Master of Information Security online program. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.