Information security in project management
Include security checks in all projects to prevent risks from new systems.
Plain language
This control is about making sure that every project considers information security right from the start. If you overlook security in projects, you might end up with new systems or processes that put your organisation at risk of data breaches or downtime.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Information security shall be integrated into project management.
Why it matters
If security is not built into project plans and stage gates, releases may introduce vulnerabilities and rework, causing delays, cost overruns and incidents.
Operational notes
Define security requirements early, include security deliverables in stage gates (design, build, test, go-live), and track risks/issues in the project register.
Implementation tips
- Project Managers should include information security in the initial project planning. This means thinking about what kind of information the project will handle and what security it needs. They can do this by consulting with an IT manager or security expert to set clear security goals and methods for the project.
- IT Managers should assess and identify security risks at the start of the project. This involves evaluating what could go wrong in using new systems or procedures and finding ways to prevent those issues. Follow the Australian Privacy Act 1988 and other relevant guidance to ensure compliance.
- Security Officers should ensure that everyone involved in the project understands the security requirements. They can organise training sessions to educate team members about their security responsibilities and how to protect sensitive data.
- Project Steering Committees need to monitor the project's security aspects throughout its life cycle. They should schedule regular reviews to check that security measures are on track and working as expected. This might involve testing systems for vulnerabilities or checking logs for signs of unusual activity.
- Legal and Compliance Teams should verify that the project meets legal and regulatory requirements. They can do this by reviewing contracts, policies, and activities to ensure all security aspects align with applicable laws and regulatory guidance, such as the OAIC guidelines.
Audit / evidence tips
- Ask: Request the project's initial security risk assessment documents.
  Good: A comprehensive risk assessment document that identifies risks, analyses their impact, and includes a clear action plan to manage them.
- Ask: Ask for records of any security training provided to the project team.
  Good: Training records that show regular and relevant security training, tailored to the project's context and involving all necessary personnel.
- Ask: Request documentation of regular security review meetings or audits.
  Good: Minutes from meetings that show continuous evaluation of security measures and actions taken to address any identified concerns.
- Ask: Inquire about security requirements included in project specifications.
  Good: Detailed project requirements that incorporate security needs from organisational policies and relevant regulations.
- Ask: Request any security incident reports related to the project.
  Good: Comprehensive incident reports showing prompt and effective response and learnings applied to prevent future occurrences.
Cross-framework mappings
How Annex A 5.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Supports (8) | |
| ISM-0039 | Annex A 5.8 requires information security to be integrated into project management so project outcomes align with security needs |
| ISM-0041 | Annex A 5.8 requires information security to be integrated into project management activities and decision-making |
| ISM-0432 | Annex A 5.8 requires projects to embed information security requirements and checks into project activities |
| ISM-0726 | Annex A 5.8 requires projects to incorporate security risk management and appropriate coordination so risks introduced by change are iden... |
| ISM-1203 | ISM-1203 requires system owners and authorising officers to conduct a threat and risk assessment for each system |
| ISM-1420 | Annex A 5.8 requires security to be built into project management, including environment design and testing practices |
| ISM-1478 | Annex A 5.8 requires project management to systematically incorporate information security activities and checks into projects |
| ISM-1602 | Annex A 5.8 requires integrating information security into how projects are run, including ensuring stakeholders follow security requirem... |
| Related (5) | |
| ISM-0597 | Annex A 5.8 requires information security to be integrated into project management, including planning and design decisions that affect s... |
| ISM-1790 | Annex A 5.8 requires information security to be integrated into project management so security requirements and checks are applied when d... |
| ISM-1998 | ISM-1998 requires executive leadership to ensure cyber security is integrated throughout all business functions within the organisation |
| ISM-2033 | Annex A 5.8 requires information security to be integrated into project management so security is considered and checked throughout proje... |
| ISM-2084 | Annex A 5.8 requires information security to be integrated into project management so project delivery considers security risks and controls |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.