Implementing ISO 27001 Annex A 5.8 is the structured integration of information security into project management frameworks to ensure risks are addressed at every phase of the lifecycle. It requires organizations to embed security gates, define explicit non-functional requirements, and perform mandatory vulnerability assessments before project delivery to prevent the deployment of insecure systems.
ISO 27001 Annex A Information security in project management Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.8. Compliance with this control requires integrating security checkpoints into your actual project lifecycle—whether Waterfall or Agile—rather than filling out retrospective forms in a GRC dashboard.
1. Update the Project Management Framework
Control Requirement: Information security shall be integrated into project management.
Required Implementation Step: Open your organization’s Project Management Policy or Handbook. Insert a mandatory “Security Gate” clause that forbids any project from passing the “Initiation” phase without a signed Security Triage form. This ensures security is a constraint, not an afterthought.
Minimum Requirement: A published version of the Project Management Policy containing the phrase “Security approval is required at Initiation and Closure phases.”
2. Embed Security in the Project Charter
Control Requirement: Information security risks must be identified at the start of the project.
Required Implementation Step: Modify your standard “Project Charter” or “Project Initiation Document” (PID) Word template. Add a section titled “Security Classification”. This section must force the Project Manager to tick one of three boxes: Public, Internal, or Confidential, based on the data the project will handle.
Minimum Requirement: A Project Charter template with a mandatory Data Classification field.
3. Execute the Security Impact Assessment (SIA)
Control Requirement: Information security implications must be addressed.
Required Implementation Step: Before code is written or vendors are signed, the Project Manager must complete a “Security Impact Assessment” spreadsheet. This lists the data types, volume, and regulatory requirements (e.g., GDPR, PCI-DSS). Store this in the project’s secure documentation folder, not a GRC tool.
Minimum Requirement: A completed SIA for every active project, stored in the project’s primary file repository.
4. Define Explicit Security Requirements
Control Requirement: Information security requirements shall be included in the project requirements.
Required Implementation Step: Translate the SIA findings into technical requirements. If the project handles PII, write the requirement: “All database backups must be encrypted at rest using AES-256.” Add these as “Non-Functional Requirements” (NFRs) in the project scope document or Jira backlog.
Minimum Requirement: A Requirements Document or Jira Epic listing specific technical security controls (e.g., MFA, Encryption, Logging).
5. Appoint a Project Security Champion
Control Requirement: Roles and responsibilities for information security in projects shall be defined.
Required Implementation Step: Assign a specific member of the project team (e.g., a Lead Developer or Architect) as the “Security Champion”. Their duty is to ensure the security requirements defined in Step 4 are actually built. Document this assignment in the Project Organisation Chart.
Minimum Requirement: Meeting minutes from the Project Kick-off explicitly naming the Security Champion.
6. Secure the Project Environment
Control Requirement: The project environment itself must be secure.
Required Implementation Step: Restrict access to the project’s working files (SharePoint, Google Drive, Jira). Only active project team members should have “Edit” access. Review this access list monthly. Do not allow “Everyone in Company” access to project folders containing sensitive specifications.
Minimum Requirement: Screenshot evidence of folder permissions restricted to the named project team only.
7. Update the ‘Definition of Done’ (Agile/DevOps)
Control Requirement: Security controls must be implemented and verified.
Required Implementation Step: If using Agile, edit the “Definition of Done” (DoD) in your issue tracker (e.g., Jira/Azure DevOps). Add a line item: “Security Review Complete” or “Static Code Analysis Passed”. No story can be closed until this checkbox is ticked.
Minimum Requirement: A screenshot of a closed Jira ticket showing the “Security Check” criteria marked as complete.
8. Perform Pre-Go-Live Vulnerability Testing
Control Requirement: Verification that security requirements have been met.
Required Implementation Step: Schedule a vulnerability scan or a manual penetration test for the new system/process one week before the launch date. This is a technical validation that the requirements from Step 4 work in reality. Fix all “Critical” and “High” issues before launch.
Minimum Requirement: A clean vulnerability scan report dated prior to the Go-Live date.
9. Sign the ‘Go / No-Go’ Security Declaration
Control Requirement: Formal acceptance of security risks.
Required Implementation Step: Create a “Go-Live Authorization” email or document. The Project Manager must state: “All security requirements are met.” The CISO or IT Security Manager must reply with “Approved.” Without this specific approval, the project cannot go into production.
Minimum Requirement: An archived email chain showing explicit Security approval for the Go-Live.
10. Conduct Post-Implementation Security Review
Control Requirement: Lessons learned should be identified.
Required Implementation Step: Two weeks after launch, hold a “Lessons Learned” meeting. Specifically ask: “Did we miss any security requirements?” and “Were there any near-misses?” Document the answers in the Project Closure Report and update the template from Step 3 if necessary.
Minimum Requirement: A Project Closure Report with a specific paragraph titled “Security Lessons Learned”.
ISO 27001 Annex A 5.8 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Project Initiation | GRC tools ask you to “Register a Project” in their portal. | Failure: Real projects live in Jira, Asana, or Excel. No Project Manager will log into a GRC tool to double-entry data. The GRC record becomes a ghost town. |
| Risk Assessment | The tool provides a generic “Project Risk” drop-down menu. | Failure: Generic menus miss context. A migration to a new payroll provider has vastly different risks than a website redesign. You need a custom SIA, not a drop-down. |
| Security Requirements | The tool offers a “Link to Control” button. | Failure: Linking “Annex A 5.8” to a project name doesn’t tell a developer to “Enable TLS 1.3”. Real compliance requires technical specs in the backlog, not links in a dashboard. |
| Access Control | The tool secures its own “Project Module”. | Failure: The GRC tool is secure, but the actual project data in Google Drive is wide open to the whole company. Auditors check the working files, not the compliance tool. |
| Agile Integration | The tool has no concept of Sprints or Backlogs. | Failure: Modern teams move fast. If security isn’t in the Definition of Done in Jira, it doesn’t happen. A separate GRC “Checklist” will be ignored by developers. |
| Go-Live Sign-off | An automated “Project Complete” button. | Failure: Clicking “Complete” is not evidence. You need a paper trail (email/signature) proving the Security Team actually reviewed the test results and authorized the launch. |
| Audit Evidence | “See GRC Tool Project List”. | Failure: The auditor wants to see the Pen Test Report and the Project Charter. If these are not attached to the record, the GRC list is just empty claims. |
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
About the author
