Information security in project management
Include security checks in all projects to prevent risks from new systems.
🏛️ Framework: ISO/IEC 27001:2022
🧭 Control effect: Preventative
🧱 ISO 27001 domain: Organisational controls
🔐 Classifications: N/A
🗓️ Official last update: 24 Oct 2022
✏️ Control Stack last updated: 22 Feb 2026
🎯 Maturity levels: N/A
Information security shall be integrated into project management.
Source: ISO/IEC 27001:2022
Plain language
This control is about making sure that every project considers information security right from the start. If you overlook security in projects, you might end up with new systems or processes that put your organisation at risk of data breaches or downtime.
Why it matters
If security is not built into project plans and stage gates, releases may introduce vulnerabilities and rework, causing delays, cost overruns and incidents.
Operational notes
Define security requirements early, include security deliverables in stage gates (design, build, test, go-live), and track risks/issues in the project register.
Implementation tips
- Project Managers should include information security in the initial project planning. This means thinking about what kind of information the project will handle and what security it needs. They can do this by consulting with an IT manager or security expert to set clear security goals and methods for the project.
- IT Managers should assess and identify security risks at the start of the project. This involves evaluating what could go wrong in using new systems or procedures and finding ways to prevent those issues. Follow the Australian Privacy Act 1988 and other relevant guidance to ensure compliance.
- Security Officers should ensure that everyone involved in the project understands the security requirements. They can organise training sessions to educate team members about their security responsibilities and how to protect sensitive data.
- Project Steering Committees need to monitor the project's security aspects throughout its life cycle. They should schedule regular reviews to check that security measures are on track and working as expected. This might involve testing systems for vulnerabilities or checking logs for signs of unusual activity.
- Legal and Compliance Teams should verify that the project meets legal and regulatory requirements. They can do this by reviewing contracts, policies, and activities to ensure all security aspects align with applicable laws and regulator guidance, such as the OAIC guidelines.
Audit / evidence tips
- Ask: Request the project's initial security risk assessment documents.
  Good: A comprehensive risk assessment document that identifies risks, analyses their impact, and includes a clear action plan to manage them.
- Ask: Request records of any security training provided to the project team.
  Good: Training records that show regular and relevant security training, tailored to the project's context and involving all necessary personnel.
- Ask: Request documentation of regular security review meetings or audits.
  Good: Minutes from meetings that show continuous evaluation of security measures and actions taken to address any identified concerns.
- Ask: Inquire about the security requirements included in project specifications.
  Good: Detailed project requirements that incorporate security needs from organisational policies and relevant regulations.
- Ask: Request any security incident reports related to the project.
  Good: Comprehensive incident reports showing prompt and effective response, with lessons learned applied to prevent future occurrences.
Cross-framework mappings
How Annex A 5.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Relationship / Control | Notes |
|---|---|
| Partially meets (1) | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC |
| Partially overlaps (1) | |
| ISM-1790 | Annex A 5.8 requires that projects incorporate security controls and verification so new or changed systems do not introduce unmanaged risk |
| Supports (9) | |
| ISM-0039 | Annex A 5.8 requires information security to be integrated into project management so project outcomes align with security needs |
| ISM-0041 | Annex A 5.8 requires information security to be integrated into project management activities and decision-making |
| ISM-0432 | Annex A 5.8 requires projects to embed information security requirements and checks into project activities |
| ISM-0726 | Annex A 5.8 requires projects to incorporate security risk management and appropriate coordination so risks introduced by change are iden... |
| ISM-1203 | ISM-1203 requires system owners and authorising officers to conduct a threat and risk assessment for each system |
| ISM-1420 | Annex A 5.8 requires security to be built into project management, including environment design and testing practices |
| ISM-1478 | ISM-1478 requires the CISO to oversee the organisation's cyber security program and ensure compliance with applicable policies, standards... |
| ISM-1602 | Annex A 5.8 requires integrating information security into how projects are run, including ensuring stakeholders follow security requirem... |
| ISM-2084 | ISM-2084 requires AI-specific documentation to capture model characteristics, architectures, use cases and security risks |
| Related (1) | |
| ISM-1998 | ISM-1998 requires executive leadership to ensure cyber security is integrated throughout all business functions within the organisation |