In this ultimate how-to audit guide to ISO 27001 Annex A.5.8 Information Security in Project Management, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Inspect Project Initiation Documentation (PID)
- 2. Audit Project Risk Assessments
- 3. Verify Security Requirement Specifications
- 4. Audit the Secure Development Lifecycle (SDLC) Integration
- 5. Examine Third-Party Risk Assessments
- 6. Validate User Acceptance Testing (UAT) for Security
- 7. Audit IAM Provisioning within Projects
- 8. Inspect Project Change Management Records
- 9. Review Data Migration and Disposal Records
- 10. Evaluate Project Post-Implementation Reviews (PIR)
- ISO 27001 Annex A.5.8 Audit Reference Matrix
- Common SaaS and GRC Platform Audit Failures for Annex A.5.8
Auditing ISO 27001 Annex A.5.8 is the systematic verification that information security risks and requirements are embedded into project management methodologies. This audit validates the Primary Implementation Requirement that security is treated as a core project stream from initiation to closure, rather than a post-implementation fix. The Business Benefit is the delivery of secure-by-design solutions and the avoidance of costly retrofitting delays.
Auditing ISO 27001 Annex A.5.8 requires a technical deep dive into how information security is integrated into the project management lifecycle. An auditor will verify that security is not an afterthought but a core requirement from the initiation phase through to closure. This involves inspecting project mandates, risk assessments, and technical deliverables to ensure that “Security by Design” is a functional reality rather than a policy aspiration.
1. Inspect Project Initiation Documentation (PID)
Review the project initiation records for a sample of recent projects to ensure that information security objectives were defined at the outset.
- Verify that security requirements are listed alongside functional requirements in the project mandate.
- Check for the appointment of a designated Security Lead or Architect within the project team structure.
- Ensure that the project scope explicitly includes compliance with the Information Security Policy.
2. Audit Project Risk Assessments
Review the project-specific risk registers to confirm that security risks are identified, assessed, and treated throughout the project lifecycle.
- Trace identified risks to the main ISMS Risk Register where significant impact is noted.
- Verify that technical risks, such as those involving MFA bypass or data leakage, are addressed.
- Confirm that risk treatment plans have been signed off by the appropriate Asset Owner.
3. Verify Security Requirement Specifications
Examine the technical specifications for project deliverables to ensure that specific security controls are documented and measurable.
- Check for requirements related to data encryption (at rest and in transit) and IAM role definitions.
- Ensure that “Privacy by Design” principles are incorporated for projects involving personally identifiable information (PII).
- Validate that security performance metrics are included in the acceptance criteria.