Information Security Guidelines for Project Management
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Information Security Guidelines for Project Management [Insert Classification]
Implementation Guidance (this section must be removed from final version of the document)
Purpose of this document This document sets out the organization’s guidelines to ensure that information security receives proper consideration throughout the project management process.
Areas of the standard addressed The following areas of the ISO/IEC 27001:2013 standard are addressed by this document: Annex A A.6 Organization of information security A.6.1 Internal organization A.6.1.5 Information security in project management
General Guidance The methods and controls set out in this document should become a standard part of the way you manage projects. Although this is a separate document it would be helpful to try to integrate its contents into your project management method so that information security is seen as a key aspect to be included by default, rather than as an after-thought.
Review Frequency We would recommend that this document is reviewed annually and upon significant change to the organization.
Toolkit Version Number ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016.
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
Version 1
Page 1 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your
Version 1
Page 2 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
[Replace with your logo]
Information Security Guidelines for Project Management
Document Classification: Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 13
[Insert Classification] ISMS-DOC-A06-3 1 [Insert date]
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 13
Date
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
Contents 1
INTRODUCTION ....................................................................................................................................... 7
2
INFORMATION SECURITY GUIDELINES FOR PROJECT MANAGEMENT.............................. 8 2.1 PROPOSAL ................................................................................................................................................. 8 2.2 PLANNING ................................................................................................................................................. 9 2.2.1 Information Security Roles and Responsibilities ............................................................................ 9 2.2.2 Information Security Objectives ..................................................................................................... 9 2.2.3 Risk Assessment ............................................................................................................................ 10 2.2.4 Privacy Impact Assessment ........................................................................................................... 10 2.2.5 Selection of Controls ..................................................................................................................... 10 2.3 DESIGN AND EXECUTION ........................................................................................................................ 10 2.4 TRANSITION ............................................................................................................................................ 11 2.5 PROJECT CLOSURE .................................................................................................................................. 11
3
CONCLUSION.......................................................................................................................................... 13
List of Tables TABLE 1 - INFORMATION SECURITY ROLES AND RESPONSIBILITIES ............................................................................... 9
Version 1
Page 6 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
1 Introduction It is vitally important that the organization information assets are protected at all times and this is no less true when running a project to achieve business change. These guidelines apply to projects that cover the whole spectrum of business operations and are not limited to those with a significant IT involvement. [Organization Name] maintains an Information Security Management System (ISMS) which complies with the ISO/IEC 27001:2013 international standard. In order to ensure that this ISMS remains effective on an ongoing basis it is essential that major business changes which are managed as projects address the issue of how information security will be maintained both during the project and once the project has been delivered. This document provides guidance regarding how this should be achieved. This control applies to all projects, systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems. The following policies and procedures are relevant to this document:
Access Control Policy Mobile Device Policy User Access Management Process Procedure for Remote Supplier Access to Systems Cryptographic Policy Privacy and Personal Data Protection Policy
Version 1
Page 7 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
2 Information Security Guidelines for Project Management According to [Organization Name] standards the main stages of the project management process are: 1. Proposal – a business case is created for the project and submitted to executive management for approval 2. Planning – Approved projects will then be initiated, including the formation of the project team, setting of objectives, creation of the project initiation document and initial project planning. These will be passed through the project board for approval 3. Design and Execution – the deliverables of the project will then be created by the project team in line with the approved plan. Risks and issues will be managed and progress reports delivered to the project board 4. Transition – Once tested and accepted the project will move into live operation and the benefits begin to be realised 5. Project Closure - The project will then be reviewed and formally closed. This happens after a variable period of time defined by the project board The information security considerations of each of these stages are described in this document. These considerations must be taken into account as part of each and every project and their implementation will be subject to later internal and external audit. 2.1
Proposal
The project proposal document itself is likely to contain sensitive commercial information and so must be labelled and protected appropriately as part of the ISMS classification scheme (see Information Security Classification Guidelines). This may place restrictions on the printing of the document and where it is held electronically. Supporting information such as costing and resource implications must also be protected in the same way. The contents of the proposal will obviously vary significantly according to the subject area but the following considerations should be included in the proposal where appropriate:
Significant risks to information security that may be introduced by the proposal and a plan to treat them The classification of information that is to be processed or handled as part of the proposal Any additional project costs involved with maintaining or improving information security e.g. hardware. software, people
Version 1
Page 8 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
Information security benefits likely to result from the proposal e.g. risk reduction or avoidance
These aspects must be included at the outset in order to avoid the situation where information security controls have to be retro-fitted after the project, with little or no available budget or the organization is exposed to an unacceptable level of risk. 2.2
Planning
2.2.1
Information Security Roles and Responsibilities
Whilst information security is everyone’s responsibility, there are a number of key roles within a typical project which have specific information security responsibilities. These are: Role Project Sponsor
Project Manager
Project Administrator
Responsibilities Champion and emphasise the importance of good information security within the project Set information security objectives Perform project risk assessments for information security Select specific controls based on the results of the risk assessments Report to the Project Sponsor on breaches Ensure that information security controls within the project are maintained effectively
Table 1 - Information security roles and responsibilities
2.2.2
Information Security Objectives
As part of the planning stage of the project the information security objectives should be set. These may be included in the same section of the project initiation document as other types of objectives and in the same format. Where possible the objectives should be SMART. An example information security objective might be: “to ensure no sensitive information regarding the nature of the project’s deliverables becomes public knowledge prior to the official launch on 15th November 20xx” Any information security-related constraints, assumptions and dependencies should also be stated in the project initiation document.
Version 1
Page 9 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
2.2.3
Risk Assessment
An effective risk assessment should be carried out at several stages of the project and information security risks should represent a key part of these assessments. Each assessment should consider the assets and deliverables of the project, their vulnerabilities and the threats that they face during the project. These will include threats to their confidentiality, integrity and availability. 2.2.4
Privacy Impact Assessment
In accordance with its Privacy and Personal Data Protection Policy, [Organization Name] has adopted the principle of privacy by design and the definition and planning of all new or significantly changed systems that collect or process personal data must be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments. The privacy impact assessment will include:
Consideration of how personal data will be processed and for what purposes Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s) Assessment of the risks to individuals in processing the personal data What controls are necessary to address the identified risks and demonstrate compliance with legislation
Use of techniques such as data minimization and pseudonymisation should be considered where applicable and appropriate. 2.2.5
Selection of Controls
Based on the risks that are identified by the risk and privacy impact assessments that require treatment, appropriate controls will be selected by the project manager. These controls may be in the form of policies, procedures, software or other suitable ways of addressing the risks effectively. The controls should be documented and all members of the project team made aware of them and the reasons why they have been put in place. Any more detailed training in the controls should be carried out prior to the project getting underway. 2.3
Design and Execution
The controls that have been put in place as part of the planning stage should ensure that the information security risks are managed and the objectives achieved. It may be necessary to update any members of the project team that join after the initial training was delivered. Any third parties involved in the project should also be made aware of the policies and controls that are in place.
Version 1
Page 10 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
Risk management should be a standard item on the agenda of each project meeting and any changes to risks, including the addition of new ones, should be made as soon as they are identified. Any required changes to controls should also be put in place as soon as possible to ensure the continued security of the project’s sensitive information. Any information security breaches within the project should be notified to the project manager as soon as possible. The project manager will then decide what action to take based on the incident’s severity, including the escalation of the incident to the project sponsor. 2.4
Transition
The transition of a project into live running is an event that can be complicated and stressful and it is important that enough thought is given by the project team to how information security will be maintained during this period of intensive change. The project must ensure that sufficient testing has been carried out to check that the security controls defined as deliverables of the project work as intended and that adequate training in them has been delivered to the people involved in maintaining them. If the project is to be implemented in phases, the project manager must ensure that adequate information security controls are in place during each phase and that security is not compromised in the interests of convenience or speed. Formal signoff that the information security aspects of the project have been successfully delivered should be obtained as part of the transition into ongoing support. The project manager should also consider whether it would be appropriate to engage a suitable third party to conduct an audit of the security aspects of the delivered project. 2.5
Project Closure
Once the project has been implemented and signed off, a project review meeting will be held to discuss the lessons learned during the project. This is an excellent opportunity to raise any information security-related issues that occurred and to define the best way of preventing them in future projects. Particular areas for discussion should be:
Were the information security objectives complete and accurate? Were all of the relevant risks identified? How successfully were security controls applied? Were there any security breaches during the project and how did they arise? Was the balance between security and convenience set about right?
Version 1
Page 11 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
The lessons learned should be documented and any recommended procedural changes incorporated into the project management method for future projects.
Version 1
Page 12 of 13
[Insert date]
Information Security Guidelines for Project Management [Insert Classification]
3 Conclusion These guidelines set out the basics of how information security should be considered as part of the overall framework of project management within [Organization Name]. This involves the creation almost of a “mini-ISMS� within the project to ensure that risks are identified and managed through the use of appropriate controls. The scope and importance of projects will obviously vary and the degree of control adopted should remain appropriate to the level of risk involved. Remember however that a small project can still require strong information security if the subject of the project is very sensitive. Only by applying best practice can we ensure that the security of our information remains protected and the project team can focus on delivering the benefits set out in the business case.
Version 1
Page 13 of 13
[Insert date]