In this ultimate how-to audit guide to ISO 27001 Annex A 5.8 Information Security in Project Management, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Project Management Methodology Integration Verified
- 2. Information Security Risk Assessment Completion Validated
- 3. Security Requirements Specification Records Present
- 4. Information Security Role Assignment Confirmed
- 5. Secure Development and Implementation Standards Verified
- 6. Project Milestone Approval via Security Gates Validated
- 7. Data Protection Impact Assessment (DPIA) Execution Verified
- 8. Post-Project Security Review and Handover Confirmed
- 9. Third-Party Project Security Requirements Verified
- 10. Project Asset Integration into Asset Register Verified
Auditing ISO 27001 Annex A 5.8 Information Security in Project Management is the systematic verification that security controls are integrated into project lifecycles. The audit validates the primary implementation requirement: that security requirements are defined and tested from project initiation through to closure. The business benefit is secure-by-design deliverables, which prevent costly retrofits and mitigate operational risks.
1. Project Management Methodology Integration Verified
Verification Criteria: The organisation’s formal project management framework explicitly includes information security as a mandatory component for all project types.
Required Evidence: Documented Project Management Policy or Framework (e.g., PRINCE2 or Agile adaptation) showing security integration points.
Pass/Fail Test: If the project management handbook does not mention information security as a core requirement for project initiation, mark as Non-Compliant.
2. Information Security Risk Assessment Completion Validated
Verification Criteria: Every project initiated within the audit period has a recorded information security risk assessment conducted at an early stage.
Required Evidence: Project Risk Registers or Impact Assessments for at least three sampled projects, showing identified security risks and treatment plans.
Pass/Fail Test: If a major project has been initiated without a preliminary security risk assessment, mark as Non-Compliant.
3. Security Requirements Specification Records Present
Verification Criteria: Information security requirements are clearly defined within the project specification or “Definition of Done” (DoD) for technical deliverables.
Required Evidence: Project Requirement Specifications or User Stories containing specific security criteria (e.g., encryption, authentication, or logging needs).
Pass/Fail Test: If project deliverables are defined solely by functional features without explicit security constraints, mark as Non-Compliant.