GRCWatch
Sign inStart free trial

ISO 27001 Control 5.8: Information Security in Project Management

Information security risks don't pause between projects—they compound them. ISO 27001 control 5.8 requires you to weave security requirements, assessments, and oversight into every phase of project delivery, from initiation through closure. This control ensures your organization treats security as a project constraint, not an afterthought.

What this means

Control 5.8 mandates that information security be a core component of your project management processes. Rather than bolting security on at the end, you must identify and manage information security risks as part of standard project governance. This includes evaluating security implications during planning, implementing security controls during execution, and validating security outcomes before project closure.

How to comply

  1. 1.Document security requirements in your project charter and scope definitions for all projects handling sensitive information
  2. 2.Conduct information security risk assessments during the project planning phase and integrate findings into risk registers
  3. 3.Assign security responsibilities to project team members and establish security checkpoints at each project phase
  4. 4.Review and approve security controls during project execution, not just at the end
  5. 5.Validate that security controls are implemented and effective before project sign-off
  6. 6.Maintain project records showing how security risks were identified, addressed, and resolved

Evidence auditors look for

  • Project charters that explicitly include information security requirements and constraints
  • Risk registers documenting security risks identified in the planning phase with assigned mitigation owners
  • Project phase gate documentation showing security reviews and approvals at each stage
  • Change control logs capturing security-related project changes
  • Post-project security audit or validation reports confirming control implementation
  • Project team meeting notes demonstrating ongoing security discussion and decision-making

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch embeds security checkpoints directly into your project workflows, automatically flagging when projects move forward without required security approvals and maintaining the audit trail of security decisions across your entire project portfolio.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.1 — Policies for Information SecurityISO 27001 5.2 — Information Security Roles and ResponsibilitiesISO 27001 5.23 — Information Security for Supplier RelationshipsISO 27001 8.1 — Operational Planning and Control