Information Security in Project Management
Version: V1
Ratified by: Finance Investment Committee
Date ratified: 02/04/2025
Job Title of author: Senior Information Governance Officer
Reviewed by Committee or Expert Group [expert group, virtual panel or sub-committee]
Related procedural documents

IGPOL90 - Data Protection (Privacy) Impact Assessment Policy and Procedure
ITPOL15 - Software Development Policy
Review date: 02/04/2028

It is the responsibility of users to ensure that you are using the most up to date document template – ie obtained via the intranet.

In developing/reviewing this procedure Provide Community has had regard to the principles of the NHS Constitution.

1. Introduction
This document outlines measures and actions to ensure information security as a key aspect of project management. By integrating information security throughout the project lifecycle, regardless of the methodology used, and implementing a robust approval process, we aim to mitigate associated risks. The SOP aligns with the Data Security & Protection Toolkit (DSPT) requirements and industry-standard best practices, including ISO 27001:2022 standards.
2. Purpose
Information security should be integrated into all types of project management to ensure associated risks are addressed effectively. This SOP applies to all projects regardless of complexity, size, duration, or methodology (e.g., PRINCE2, Agile, Scrum, hybrid approaches) within Provide CIC and its Group Companies, including in-house, outsourced, and open-source contributions.
3. Definitions
Information Security: Measures and processes designed to protect digital and non-digital information from unauthorised access, disclosure, disruption, modification, or destruction.
Data Protection Impact Assessment (DPIA): A process to help identify and minimise data protection risks in projects involving the processing of personal or sensitive data.
ISO 27001: An internationally recognised standard for information security management systems (ISMS).
Hybrid Methodology: A project management approach that combines elements of traditional and Agile methodologies to suit the project's needs.
4. Compliance Requirements
The following actions should be followed in relation to the management of any project, regardless of the methodology employed:
a) Risk Assessment:
• Assess and treat information security risks iteratively throughout the project lifecycle. Engage ICT and IG departments to identify and address security risks dynamically.
• For Agile or hybrid projects, integrate risk assessments into sprint planning or iterative reviews.
b) Security Requirements:
• Document security requirements at the outset but allow updates as the project evolves. Use lightweight documentation, such as user stories or backlog items, for hybrid or Agile approaches.
c) DPIA Execution:
• Conduct a DPIA for projects that involve the processing of personal or sensitive data, or where data protection risks are present.
• For iterative methodologies, update DPIAs as new data-related risks emerge during the project lifecycle.

d) Communication and Collaboration:
• Address security requirements in project communication plans. For Agile or hybrid approaches, incorporate security discussions into regular ceremonies, such as sprint reviews or retrospectives.
e) Ongoing Monitoring:
• Continuously evaluate and test the effectiveness of risk mitigation measures. Regular reviews should align with project sprints, tranches, or milestone reviews.
f) Governance Flexibility:
• Governance structures, such as steering committees, can be adapted to hybrid methodologies. Replace formal meetings with iterative feedback loops or Agile ceremonies as appropriate.
g) Role Adaptability:
• Define responsibilities for information security but allow flexible role assignments. In Agile or hybrid approaches, responsibilities can be shared among team members or assigned dynamically.
The appropriateness of the information security considerations and activities should be followed up at predefined stages by suitable persons or governance bodies, such as the project steering committee.
Responsibilities and authorities for information security relevant to the project should be defined and allocated to specified roles. Information security requirements for products or services to be delivered by the project should be determined using various methods, including deriving compliance requirements from the information security policy, topic-specific policies, and applicable regulations.
5. Additional actions
When determining information security requirements, consider:
a) The nature of the information involved and potential business impacts from inadequate security.
b) Protection needs for confidentiality, integrity, and availability of information.
c) The required level of confidence or assurance for authentication and authorisation processes.
d) How access provisioning, logging, and monitoring will align with iterative project delivery.
e) Compliance with legal, regulatory, and contractual requirements within the organisation’s operating environment.
f) The inclusion of information security in agreements and contracts with third parties.
6. Ongoing information security compliance
Maintaining information security is an ongoing process. For iterative or hybrid methodologies, integrate regular security reviews into project ceremonies, such as sprint retrospectives or milestone assessments. Ensure new risks are identified and addressed throughout the project lifecycle.

Appendix 1 – Project Management Phases
The following phases provide a flexible framework adaptable to both traditional and hybrid methodologies:
Initiation and Preparation
• Define Project Objectives: Establish the project’s need and strategic alignment.
• Appoint Key Roles: Assign roles dynamically or formally, depending on the methodology used.
• Develop Initial Plan: For Agile or hybrid approaches, create a roadmap with iterative cycles and an initial risk assessment.
Execution and Monitoring
• Iterative Delivery: Break projects into manageable iterations or tranches. Reassess risks and security requirements during each cycle.
• Risk Management: Conduct ongoing risk assessments aligned with project delivery phases or sprints.
• DPIA (If Applicable): Conduct or update DPIAs where the project involves personal or sensitive data, adapting to iterative cycles as necessary.
• Change Control: Implement a change control process with flexibility for iterative updates. Use backlog grooming sessions or change request logs to manage scope adjustments.
Governance and Oversight
• Establish Governance: Adapt governance structures to match the project methodology (e.g., use Agile sprint reviews or Kanban boards instead of traditional steering committees).
• Stakeholder Engagement: Regularly engage stakeholders through demos, reviews, or formal meetings based on the chosen approach.
Closure
• Final Assessment: Conduct a post-project security review to ensure all risks have been addressed.
• Ongoing Monitoring Plan: Create a plan for continuous monitoring and compliance post-deployment, integrating it into operational processes.

References
ISO/IEC 27002:2022