Information Security Guidelines for Project Management
ISO/IEC 27001 Toolkit: Version 10 ©CertiKit
Information Security Guidelines for Project Management [Insert classification]
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This document sets out the organization’s guidelines to ensure that information security receives proper consideration throughout the project management process.
Areas of the standard addressed The following areas of the ISO/IEC 27001:2013 standard are addressed by this document: •
A.6 Organization of information security o A.6.1 Internal organization ▪ A.6.1.5 Information security in project management
General guidance The methods and controls set out in this document should become a standard part of the way you manage projects. Although this is a separate document it would be helpful to try to integrate its contents into your project management method so that information security is seen as a key aspect to be included by default, rather than as an after-thought.
Review frequency We would recommend that this document is reviewed annually and upon significant change to the organization.
Version 1
Page 2 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name. 2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab). 3. Press F9 on the keyboard to update all fields. 4. When prompted, choose the option to just update TOC page numbers. If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Version 1
Page 3 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 4 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
Information Security Guidelines for Project Management
Version 1
DOCUMENT CLASSIFICATION
[Insert classification]
DOCUMENT REF
ISMS-DOC-A06-3
VERSION
1
DATED
[Insert date]
DOCUMENT AUTHOR
[Insert name]
DOCUMENT OWNER
[Insert name/role]
Page 5 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
Revision history VERSION
DATE
REVISION AUTHOR
SUMMARY OF CHANGES
Distribution NAME
TITLE
Approval NAME
Version 1
POSITION
SIGNATURE
Page 6 of 14
DATE
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
Contents 1
Introduction.............................................................................................................. 8
2
Information security guidelines for project management ........................................... 9 2.1
Proposal ...................................................................................................................... 9
2.2
Planning .................................................................................................................... 10
2.2.1 2.2.2 2.2.3 2.2.4 2.2.5
3
Information security roles and responsibilities ............................................................................ 10 Information security objectives .................................................................................................... 10 Risk assessment ............................................................................................................................ 11 Privacy impact assessment ........................................................................................................... 11 Selection of controls ..................................................................................................................... 11
2.3
Design and execution ................................................................................................. 12
2.4
Transition .................................................................................................................. 12
2.5
Project closure ........................................................................................................... 12
Conclusion .............................................................................................................. 14
Tables Table 1: Information security roles and responsibilities ............................................................... 10
Version 1
Page 7 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
1 Introduction It is vitally important that the organizations information assets are always protected, and this is no less true when running a project to achieve business change. These guidelines apply to projects that cover the whole spectrum of business operations and are not limited to those with a significant IT involvement. [Organization Name] maintains an Information Security Management System (ISMS) which complies with the ISO/IEC 27001:2013 international standard. In order to ensure that this ISMS remains effective on an ongoing basis it is essential that major business changes which are managed as projects address the issue of how information security will be maintained both during the project and once the project has been delivered. This document provides guidance regarding how this should be achieved. This control applies to all projects, systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems. The following policies and procedures are relevant to this document: • • • • •
Access Control Policy Mobile Device Policy User Access Management Process Cryptographic Policy Privacy and Personal Data Protection Policy
Version 1
Page 8 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
2 Information security guidelines for project management According to [Organization Name] standards the main stages of the project management process are: 1. Proposal: a business case is created for the project and submitted to executive management for approval 2. Planning: approved projects will then be initiated, including the formation of the project team, setting of objectives, creation of the project initiation document and initial project planning. These will be passed through the project board for approval 3. Design and execution: the deliverables of the project will then be created by the project team in line with the approved plan. Risks and issues will be managed, and progress reports delivered to the project board 4. Transition: once tested and accepted the project will move into live operation and the benefits begin to be realised 5. Project closure: the project will then be reviewed and formally closed. This happens after a variable period of time defined by the project board The information security considerations of each of these stages are described in this document. These considerations must be taken into account as part of each and every project and their implementation will be subject to later internal and external audit.
2.1 Proposal The project proposal document itself is likely to contain sensitive commercial information and so must be labelled and protected appropriately as part of the ISMS classification scheme (see Information Security Classification Procedure). This may place restrictions on the printing of the document and where it is held electronically. Supporting information such as costing, and resource implications must also be protected in the same way. The contents of the proposal will obviously vary significantly according to the subject area, but the following considerations should be included in the proposal where appropriate: • • • •
Significant risks to information security that may be introduced by the proposal and a plan to treat them The classification of information that is to be processed or handled as part of the proposal Any additional project costs involved with maintaining or improving information security e.g. hardware. software, people Information security benefits likely to result from the proposal e.g. risk reduction or avoidance
Version 1
Page 9 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
These aspects must be included at the outset in order to avoid the situation where information security controls have to be retro-fitted after the project, with little or no available budget or the organization is exposed to an unacceptable level of risk.
2.2 Planning 2.2.1 Information security roles and responsibilities Whilst information security is everyone’s responsibility, there are a number of key roles within a typical project which have specific information security responsibilities. These are:
ROLE
RESPONSIBILITIES
Project Sponsor
Champion and emphasise the importance of good information security within the project. Set information security objectives.
Project Manager
Perform project risk assessments for information security. Select specific controls based on the results of the risk assessments. Report to the Project Sponsor on breaches.
Project Administrator
Ensure that information security controls within the project are maintained effectively.
Table 1: Information security roles and responsibilities
2.2.2 Information security objectives As part of the planning stage of the project the information security objectives should be set. These may be included in the same section of the project initiation document as other types of objectives and in the same format. Where possible the objectives should be SMART. An example information security objective might be: “to ensure no sensitive information regarding the nature of the project’s deliverables becomes public knowledge prior to the official launch on 15th November 20xx” Any information security-related constraints, assumptions and dependencies should also be stated in the project initiation document.
Version 1
Page 10 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
2.2.3 Risk assessment An effective risk assessment should be carried out at several stages of the project and information security risks should represent a key part of these assessments. Each assessment should consider the assets and deliverables of the project, their vulnerabilities and the threats that they face during the project. These will include threats to their confidentiality, integrity and availability.
2.2.4 Privacy impact assessment In accordance with its Privacy and Personal Data Protection Policy, [Organization Name] has adopted the principle of privacy by design and the definition and planning of all new or significantly changed systems that collect or process personal data must be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments. The privacy impact assessment will include: • • • •
Consideration of how personal data will be processed and for what purposes Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s) Assessment of the risks to individuals in processing the personal data What controls are necessary to address the identified risks and demonstrate compliance with legislation
Use of techniques such as data minimization and pseudonymisation should be considered where applicable and appropriate.
2.2.5 Selection of controls Based on the risks that are identified by the risk and privacy impact assessments that require treatment, appropriate controls will be selected by the project manager. These controls may be in the form of policies, procedures, software or other suitable ways of addressing the risks effectively. The controls should be documented, and all members of the project team made aware of them and the reasons why they have been put in place. Any more detailed training in the controls should be carried out prior to the project getting underway.
Version 1
Page 11 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
2.3 Design and execution The controls that have been put in place as part of the planning stage should ensure that the information security risks are managed, and the objectives achieved. It may be necessary to update any members of the project team that join after the initial training was delivered. Any third parties involved in the project should also be made aware of the policies and controls that are in place. Risk management should be a standard item on the agenda of each project meeting and any changes to risks, including the addition of new ones, should be made as soon as they are identified. Any required changes to controls should also be put in place as soon as possible to ensure the continued security of the project’s sensitive information. Any information security breaches within the project should be notified to the project manager as soon as possible. The project manager will then decide what action to take based on the incident’s severity, including the escalation of the incident to the project sponsor.
2.4 Transition The transition of a project into live running is an event that can be complicated and stressful, and it is important that enough thought is given by the project team to how information security will be maintained during this period of intensive change. The project must ensure that enough testing has been carried out to check that the security controls defined as deliverables of the project work as intended and that adequate training in them has been delivered to the people involved in maintaining them. If the project is to be implemented in phases, the project manager must ensure that adequate information security controls are in place during each phase and that security is not compromised in the interests of convenience or speed. Formal signoff that the information security aspects of the project have been successfully delivered should be obtained as part of the transition into ongoing support. The project manager should also consider whether it would be appropriate to engage a suitable third party to conduct an audit of the security aspects of the delivered project.
2.5 Project closure Once the project has been implemented and signed off, a project review meeting will be held to discuss the lessons learned during the project. This is an excellent opportunity to raise any information security-related issues that occurred and to define the best way of preventing them in future projects. Version 1
Page 12 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
Areas for discussion should be: • • • • •
Were the information security objectives complete and accurate? Were all of the relevant risks identified? How successfully were security controls applied? Were there any security breaches during the project and how did they arise? Was the balance between security and convenience set about right?
The lessons learned should be documented and any recommended procedural changes incorporated into the project management method for future projects.
Version 1
Page 13 of 14
[Insert date]
Information Security Guidelines for Project Management [Insert classification]
3 Conclusion These guidelines set out the basics of how information security should be considered as part of the overall framework of project management within [Organization Name]. This involves the creation almost of a “mini-ISMS� within the project to ensure that risks are identified and managed through the use of appropriate controls. The scope and importance of projects will obviously vary, and the degree of control adopted should remain appropriate to the level of risk involved. Remember however that a small project can still require strong information security if the subject of the project is very sensitive. Only by applying best practice can we ensure that the security of our information remains protected and the project team can focus on delivering the benefits set out in the business case.
Version 1
Page 14 of 14
[Insert date]