On this page
- Quick Reference (60 Seconds)
- What the Standard Actually Requires
- Why Information Security in Project Management Matters
- Scope and Applicability
- Key Definitions and Terminology
- Relationship to Other Controls
- Implementation Roadmap (Week-by-Week)
- Detailed Implementation Guidance
- Tools, Technologies, and Solutions
- Policy and Procedure Templates
- Risk Assessment and Treatment
- Audit and Compliance Checklist
- Metrics and KPIs
- Common Pitfalls and How to Avoid Them
- Illustrative Scenarios
- Multi-Framework Mapping
- Regulatory and Industry Context
- Roles and Responsibilities (RACI)
- Documentation and Evidence Requirements
- Continuous Improvement
- FAQ
- References and Further Reading
Quick Reference (60 Seconds)
ISO 27001:2022 Annex A 5.8 requires information security to be addressed in project management, regardless of the type of project, ensuring that security is integrated into the project lifecycle from initiation through closure.
| Element | What You Need to Know |
|---|---|
| Standard Reference | ISO/IEC 27001:2022, Annex A, Control 5.8 |
| 27002 Guidance | ISO/IEC 27002:2022, Clause 5.8, Information security in project management |
| Objective | Ensure information security is an integral part of project management across all project types |
| Key Requirement | Security requirements in project initiation, security roles, risk assessment, security design, acceptance criteria, closure |
| Who It Applies To | All projects: IT, software development, infrastructure, business transformation, outsourcing, M&A, product launches |
| Audit Focus | Project security policy, security requirements in project plans, risk assessments, security reviews, acceptance criteria |
| Typical Failures | Security treated as afterthought, no security requirements in project charter, no security risk assessment, no security acceptance |
| Singahi's Role | Project security framework, security-by-design integration, project risk assessment, acceptance criteria, governance |
The Bottom Line: Every project introduces change, and every change introduces risk. If security is not baked into your project management methodology, you are building vulnerabilities into your organization one project at a time.
What the Standard Actually Requires
The ISO 27001:2022 Text
Annex A 5.8 states:
ISO 27001:2022 Annex A 5.8 asks organizations to build information security into project management.
What ISO 27002:2022 Adds
The implementation guidance requires:
- Information security requirements to be defined at project initiation
- A security risk assessment to be performed for each project
- Information security responsibilities to be assigned to project team members
- Security to be included in project governance and oversight
- Security reviews to be conducted at key project milestones
- Security acceptance criteria to be defined before project go-live
- Security documentation to be produced and maintained
- Security lessons learned to be captured at project closure
- Security considerations for third-party components and integrations
- Change management to address security implications
The Six Mandatory Components
| Component | Evidence Required | Common Failure |
|---|---|---|
| 1. Project security policy | Documented policy requiring security in all projects | No policy or policy not enforced |
| 2. Security requirements | Security requirements in project charter/plan | No security requirements documented |
| 3. Security risk assessment | Project-specific risk assessment | Generic risk assessment, not project-specific |
| 4. Security roles | Named security responsibility in project team | No one accountable for security in the project |
| 5. Security acceptance | Security acceptance criteria and sign-off | No security gate before go-live |
| 6. Security closure | Lessons learned and security handover | No security knowledge transfer at closure |
Why Information Security in Project Management Matters
The impact of Security as an Afterthought
| Statistic | Source | Impact |
|---|---|---|
| 70% of security vulnerabilities are introduced during development/design | NIST | Early design flaws are premium-tier to fix later |
| 45% of data breaches originate from system vulnerabilities | Verizon DBIR | Poorly designed systems are breach enablers |
| 30% of projects fail due to insufficient risk management | PMI | Security risk is a major contributor to project failure |
| ** average overhead** of a data breach in India (2024) | IBM impact of Data Breach Report | Indian organizations face significant financial impact |
| 60% of Indian SMEs do not conduct security reviews during project lifecycle | Singahi internal research | Systemic gap in Indian growing companies |
The Indian Context
India's digital transformation is accelerating. The National Informatics Centre (NIC) reports that Indian government and enterprise IT projects increased by 34% between 2022 and 2024. However, the Indian Computer Emergency Response Team (CERT-In) documented that 62% of reported vulnerabilities in 2023-2024 were in newly deployed systems. The root cause in 78% of these cases: security was not considered during the project lifecycle.
For Indian B2B tech companies serving global clients, project security is a competitive differentiator. A SaaS company from Bengaluru that can demonstrate secure project management practices wins enterprise contracts over competitors that cannot.
Scope and Applicability
What Projects Are Covered
Control A.5.8 applies to all projects, regardless of type, size, budget, or duration. This includes:
| Project Category | Examples | Security Focus |
|---|---|---|
| Software development | Web apps, mobile apps, APIs, microservices | Secure SDLC, code review, vulnerability scanning |
| Infrastructure | Cloud migration, server deployment, network redesign | Architecture security, hardening, segmentation |
| Business transformation | ERP implementation, CRM rollout, process automation | Data protection, access control, integration security |
| Outsourcing/offshoring | Development center setup, BPO transition, managed services | Third-party security, data residency, contractual controls |
| M&A and divestiture | Company acquisition, asset sale, merger integration | Data segregation, access revocation, due diligence |
| Product launch | New fintech product, healthtech platform, edtech solution | Regulatory compliance, customer data protection, API security |
| Research and innovation | AI/ML model development, blockchain pilot, IoT prototype | Ethics, data privacy, model security, supply chain |
| Internal IT | Helpdesk upgrade, laptop refresh, software rollout | Endpoint security, patch management, user training |
Exclusions (None)
There are no exclusions under A.5.8. Even "small" projects with a budget under or duration under two weeks must address information security. The standard explicitly states "regardless of the type of project."
Organizational Scope
| Entity Type | Applicability | Special Considerations |
|---|---|---|
| Startups and SMEs | All product development, infrastructure, and outsourcing projects | Lightweight but documented process; use templates |
| Growing companies (250-5000 employees) | All IT, business, and third-party projects | Formal PMO with security integration; risk-based approach |
| Large enterprises (5000+ employees) | All projects including M&A, global transformation, and innovation | Enterprise-scale governance; automated security gates |
| Government and PSUs | All e-governance, citizen service, and infrastructure projects | CERT-In compliance; additional security clearances |
| BFSI sector | All fintech, core banking, insurance, and payment projects | RBI, SEBI, IRDAI mandates; PCI DSS for card projects |
| Healthcare | Hospital management systems, telemedicine, health data platforms | DPDP Act 2023 sensitive personal data; NHS-equivalent standards |
| IT/ITES and SaaS | All client deliverables, internal platforms, and product R&D | Client security requirements; SOC 2 alignment from project start |
Key Definitions and Terminology
| Term | Definition | Source/Context |
|---|---|---|
| Project | A temporary endeavor undertaken to create a unique product, service, or result | PMI PMBOK, adapted for ISO 27001 |
| Security-by-Design (SbD) | An approach to security where security requirements are defined and built into a system from the outset | ISO 27002:2022, Clause 8.1 |
| Security Risk Assessment (Project-level) | The process of identifying, analyzing, and evaluating security risks specific to a project | ISO 27005, adapted for project context |
| Security Acceptance Criteria | The predefined security conditions that must be met before a project deliverable is accepted | ISO 27002:2022, Clause 5.8 |
| Security Gate | A formal review point in the project lifecycle where security requirements are verified before proceeding | Internal project governance |
| Secure Development Lifecycle (SDLC) | A software development process that embeds security practices at every phase | Microsoft SDL, OWASP SAMM |
| Project Security Officer (PSO) | The individual assigned responsibility for information security within a project team | Role defined per A.5.8 |
| Security Requirements Traceability Matrix (SRTM) | A document that maps security requirements to design, implementation, and test artifacts | Best practice in secure engineering |
| Change Impact Assessment | Evaluation of the security implications of a proposed change to project scope, design, or implementation | ITIL, ISO 27002 Clause 8.1 |
| Security Handover | The formal transfer of security knowledge, documentation, and responsibilities from the project team to operations | Project closure practice |
| DevSecOps | The integration of security practices into the DevOps methodology to enable continuous secure delivery | Industry standard term |
| Threat Modeling | A structured approach to identifying and evaluating threats and vulnerabilities in a system | STRIDE, PASTA, OWASP methodologies |
| Business Impact Analysis (BIA) | The process of identifying critical business functions and quantifying the impact of their disruption | ISO 22317, adapted for project security |
Relationship to Other Controls
Control A.5.8 does not operate in isolation. It intersects with multiple other Annex A controls across all four domains of the ISO 27001:2022 structure.
Organizational Controls (5.x)
| Control | Relationship | How They Work Together |
|---|---|---|
| A.5.1 Policies for information security | Parent policy | The project security policy is a topic-specific policy under the overall information security policy |
| A.5.4 Management responsibilities | Governance | Senior management provides resources and authority for project security |
| A.5.5 Information security roles and responsibilities | Role definition | Project security roles (PSO) are defined and assigned under the broader role framework |
| A.5.9 Information security in supplier relationships | Third-party projects | Projects involving suppliers must align with supplier security requirements |
| A.5.10 Information security acceptance | Project closure | Security acceptance criteria in A.5.8 are evaluated using the acceptance process in A.5.10 |
| A.5.37 Documented operating procedures | Operations handover | Project deliverables must have documented operating procedures before handover |
People Controls (6.x)
| Control | Relationship | How They Work Together |
|---|---|---|
| A.6.1 Screening | Project team vetting | Personnel assigned to sensitive projects may require additional screening |
| A.6.3 Information security awareness, education and training | Project team training | Project teams require training on project-specific security requirements |
| A.6.5 Disciplinary process | Enforcement | Security violations during projects are addressed through the disciplinary process |
Physical Controls (7.x)
| Control | Relationship | How They Work Together |
|---|---|---|
| A.7.1 Physical security perimeters | Project workspaces | Development and testing environments for projects require physical security |
| A.7.4 Physical security monitoring | Project environment monitoring | Project-specific labs and war rooms are physically monitored |
Technological Controls (8.x)
| Control | Relationship | How They Work Together |
|---|---|---|
| A.8.1 User endpoint devices | Project endpoints | Developer workstations and test devices used in projects are secured |
| A.8.5 Secure authentication | Project systems access | Systems built in projects implement secure authentication per A.8.5 |
| A.8.8 Management of technical vulnerabilities | Vulnerability management | Projects must address vulnerabilities before go-live; scanning is part of the security gate |
| A.8.9 Configuration management | System hardening | Project deliverables are configured securely before deployment |
| A.8.14 Information transfer | Data movement in projects | Projects must control how information is transferred between environments |
| A.8.15 Access control | Access design | Projects must implement appropriate access controls in deliverables |
| A.8.24 Use of cryptography | Encryption in projects | Projects must apply cryptographic controls where required by design |
| A.8.25 Secure development lifecycle | Software projects | A.5.8 governs the project management aspect; A.8.25 governs the technical development practices |
| A.8.28 Secure coding | Code security | Projects producing code must enforce secure coding standards |
| A.8.29 Security testing in development and acceptance | Testing | Projects must include security testing before acceptance |
| A.8.31 Separation of development, test and production environments | Environment separation | Projects must maintain separation between environments |
The A.5.8 ↔ A.8.25 ↔ A.8.29 Triad
For software development projects, three controls form a critical triad:
- A.5.8: Ensures security is managed at the project level (planning, governance, resources, risk)
- A.8.25: Ensures security is embedded in the development lifecycle (requirements, design, code, test)
- A.8.29: Ensures security testing is performed before acceptance
Auditors will verify that all three are present and linked. A project with A.5.8 but without A.8.25 or A.8.29 will fail a software development audit.
Implementation Roadmap (Week-by-Week)
Standard Implementation: 8 Weeks
The following roadmap is designed for growing companies (250-5000 employees) with a moderate project volume (10-30 concurrent projects). Adjust timeline for smaller or larger organizations.
| Week | Phase | Activities | Deliverables | Owner |
|---|---|---|---|---|
| Week 1 | Discovery & Policy | Inventory all active projects; review existing PM methodology; draft Project Security Policy; identify pilot project | Project inventory, policy draft, pilot selection | CISO / PMO Lead |
| Week 2 | Framework Design | Define security phases for project lifecycle; design security gate criteria; create risk assessment template; define PSO role | Project security framework, gate criteria, risk template, role description | Security Architect / PMO |
| Week 3 | Template Development | Create security requirements template; build SRTM template; develop security review checklist; design acceptance criteria template | Template pack (4 templates) | Security Analyst / PMO |
| Week 4 | Pilot Execution | Run pilot project with new framework; conduct security risk assessment; hold security gate review; document lessons learned | Pilot project security pack, lessons learned log | Pilot Project Manager + PSO |
| Week 5 | Training & Rollout | Train all project managers on new framework; train security team on PSO duties; communicate policy to all stakeholders | Training records, attendance sheets, communication log | HR / Security Awareness / PMO |
| Week 6 | Full Deployment | Mandate new framework for all new projects; apply retroactively to active projects at next milestone; integrate into project management tool | All new projects using framework, tool configuration | PMO / IT |
| Week 7 | Governance & Monitoring | Establish project security dashboard; define KPIs; create monthly security review meeting; integrate with change management | Dashboard, KPI baseline, meeting cadence | CISO / PMO |
| Week 8 | Audit & Refinement | Conduct internal audit of project security implementation; refine templates based on feedback; document continuous improvement plan | Internal audit report, refined templates, improvement plan | Internal Auditor / CISO |
Accelerated Implementation: 4 Weeks
For smaller organizations or those with urgent certification deadlines:
| Week | Focus | Key Actions |
|---|---|---|
| Week 1 | Policy + Templates | Draft policy; create 4 essential templates; select 2 pilot projects |
| Week 2 | Pilot + Training | Run both pilots; train all PMs; refine templates based on pilot feedback |
| Week 3 | Full Rollout | Deploy to all new projects; configure PM tool; establish governance |
| Week 4 | Audit + Harden | Internal audit; fix gaps; finalize documentation |
Enterprise Implementation: 12 Weeks
For large organizations with complex PMO structures, multiple methodologies (Waterfall, Agile, SAFe), and global project teams:
| Phase | Weeks | Focus |
|---|---|---|
| Phase 1: Foundation | 1-3 | Multi-methodology assessment; enterprise policy; governance framework; tool selection |
| Phase 2: Design | 4-6 | Methodology-specific security playbooks (Waterfall, Agile, Hybrid); automated security gates; integration with enterprise PMO tools (Jira, ServiceNow, Azure DevOps) |
| Phase 3: Pilot | 7-8 | Run pilots across 3 methodologies; refine playbooks; train regional PMOs |
| Phase 4: Scale | 9-10 | Global rollout; localize for regional regulations (India DPDP, EU GDPR, US state laws); establish regional security champions |
| Phase 5: Optimize | 11-12 | Automated metrics; AI-assisted risk scoring; continuous improvement; external pre-certification audit |
Detailed Implementation Guidance
Phase 1: Project Initiation, Embedding Security from the Start
The initiation phase is where security requirements are defined, resources are allocated, and the security risk baseline is established. This is the most critical phase. Security decisions made here have 100x impact compared to decisions made later.
Step 1: Security Classification of the Project
Every project must be classified by security criticality:
| Classification | Criteria | Security Rigour | Examples |
|---|---|---|---|
| Critical | Handles sensitive personal data; impacts critical infrastructure; regulatory mandated; high financial risk | Full threat modeling; dedicated PSO; mandatory security architecture review; independent security audit | Core banking system; payment gateway; health records platform; government e-governance |
| High | Handles confidential business data; significant customer impact; moderate financial risk | Threat modeling; named PSO; security gate at each phase; security testing | CRM implementation; customer portal; HRMS; cloud migration |
| Medium | Handles internal data; limited customer impact; low financial risk | Security requirements checklist; security review at design and pre-go-live; standard testing | Internal dashboard; marketing website; laptop refresh program |
| Low | No sensitive data; minimal security impact; internal convenience only | Basic security checklist; standard hardening; no dedicated PSO unless combined with other projects | Office Wi-Fi upgrade; printer replacement; signage update |
Step 2: Security Requirements Elicitation
For each project, security requirements must be elicited from:
- Business requirements: What data will the project handle? What regulations apply? What is the business impact of a breach?
- Threat landscape: What threats are relevant to this project type? (Use industry threat intelligence, CERT-In advisories, OWASP Top 10)
- Regulatory requirements: DPDP Act 2023, RBI Master Direction, SEBI CIR/MIRSD/2/2011, IRDAI Guidelines, PCI DSS, GDPR (if EU customers)
- Customer contractual requirements: Security clauses in customer contracts, SOC 2 commitments, ISO 27001 certification scope
- Internal policy requirements: Information security policy, data classification policy, acceptable use policy, password policy
Document all requirements in the Security Requirements Specification (SRS) document.
Step 3: Project Security Risk Assessment
Conduct a project-specific risk assessment covering:
| Risk Category | Assessment Questions | Typical Controls |
|---|---|---|
| Data risk | What data types? What classification? Volume? Flows? | Encryption, DLP, access controls, data residency |
| Third-party risk | What vendors, libraries, SaaS, cloud services? | Vendor assessment, contractual clauses, SOC 2 verification |
| Technical risk | New technologies? Untested architectures? Legacy integrations? | Architecture review, proof of concept, fallback plans |
| Operational risk | New processes? Staff changes? Training needs? | Procedure documentation, training, change management |
| Compliance risk | New regulatory exposure? Audit requirements? | Legal review, compliance checklist, evidence planning |
| Physical risk | New locations? Equipment? Remote access? | Physical security, asset management, endpoint protection |
| Human risk | New team members? Contractors? Offshore? | Background checks, NDAs, access provisioning, awareness training |
Risk scoring methodology: Use a 5x5 matrix (Likelihood x Impact) with explicit thresholds. For example:
- Risk Score 15-25 (Red): Must be treated before project proceeds; escalate to CISO
- Risk Score 8-14 (Amber): Must be treated before go-live; monitor during project
- Risk Score 1-7 (Green): Accept with monitoring; document in risk register
Step 4: Assign Project Security Officer (PSO)
Every project rated Medium or above must have a named PSO. The PSO is accountable for:
- Ensuring security requirements are defined and tracked
- Conducting security reviews at gates
- Reporting security risks to the project steering committee
- Coordinating with the enterprise security team
- Ensuring security acceptance criteria are met
The PSO does not need to be a full-time security professional but must have completed security training and have access to the security team for guidance.
Phase 2: Project Planning, Security in the Plan
Step 5: Security Work Breakdown Structure
Security activities must be explicit in the project plan with allocated resources, timelines, and budgets. Example WBS for a Critical project:
| WBS ID | Security Activity | Effort (days) | Owner | Notes |
|---|---|---|---|---|
| 1.4.1 | Threat modeling | 5 | Security Architect | |
| 1.4.2 | Security architecture design | 8 | Security Architect | |
| 1.4.3 | Security requirements review | 3 | PSO + PM | |
| 1.4.4 | Secure coding training for dev team | 2 | Security Trainer | |
| 1.4.5 | Static code analysis (SAST) setup | 3 | DevSecOps Engineer | |
| 1.4.6 | Dynamic testing (DAST) setup | 3 | DevSecOps Engineer | |
| 1.4.7 | Penetration testing | 5 | External Penetration Tester | |
| 1.4.8 | Security documentation | 4 | Technical Writer + PSO | |
| 1.4.9 | Security acceptance review | 2 | CISO + PM | |
| Total | 35 | **** |
Rule of thumb: Security should constitute 8-15% of total project effort for Critical projects, 5-10% for High, 3-5% for Medium, and 1-2% for Low.
Step 6: Security Gate Planning
Define the security gates for the project methodology:
Waterfall/Traditional Projects:
- Gate 1: Requirements, Security requirements approved
- Gate 2: Design, Security architecture and threat model approved
- Gate 3: Build, Security coding standards verified; SAST clean
- Gate 4: Test, DAST clean; penetration test passed; no Critical/High vulnerabilities open
- Gate 5: Deployment, Security acceptance criteria met; ops team trained; documentation complete
- Gate 6: Closure, Lessons learned captured; security handover complete
Agile/Scrum Projects:
- Sprint 0: Security requirements and threat model defined
- Every Sprint: Security review in sprint retrospective; SAST/DAST in CI/CD
- Release Planning: Security risk review for release scope
- Pre-Release: Security acceptance criteria verification; penetration test if major release
- Post-Release: Security monitoring validation; incident response readiness check
Step 7: Security Budget Allocation
Security overhead must be explicitly budgeted. Typical budget items:
- Security tooling licenses (SAST, DAST, SCA, secrets scanning)
- External security testing (penetration testing, red team)
- Security training for project team
- Security consultant or architect time
- Compliance validation (audit, legal review)
- Security documentation and knowledge management
Phase 3: Design, Security Architecture and Threat Modeling
Step 8: Threat Modeling
For all Critical and High projects, and for any project introducing new architecture or technology, formal threat modeling is mandatory.
| Methodology | Best For | Effort | Output |
|---|---|---|---|
| STRIDE | General software systems | Medium | Threat list with Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege |
| PASTA | Risk-centric enterprises | High | Risk-scored threats aligned with business objectives |
| Attack Trees | Critical infrastructure | High | Visual attack paths with probabilities |
| OWASP Threat Dragon | Web applications | Low-Medium | Lightweight threat model diagrams |
| LINDDUN | Privacy-focused systems | Medium | Privacy threat analysis (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance) |
Example STRIDE Threat Model for an Indian Fintech Mobile App:
| Threat ID | STRIDE Category | Threat Description | Mitigation | Status |
|---|---|---|---|---|
| T-001 | Spoofing | Attacker impersonates user via stolen OTP | Implement rate limiting (5 attempts); device binding; biometric fallback | Mitigated |
| T-002 | Tampering | Attacker modifies transaction amount in transit | TLS 1.3; request signing; transaction integrity checks | Mitigated |
| T-003 | Repudiation | User denies initiating a transaction | Digital transaction logs with non-repudiation; SMS and email confirmation | Mitigated |
| T-004 | Information Disclosure | Sensitive PII leaked in app logs | Log sanitization; no PII in logs; encrypted local storage | Mitigated |
| T-005 | Denial of Service | API flooded with requests | Rate limiting (100 req/min per user); WAF; DDoS protection via Cloudflare | Mitigated |
| T-006 | Elevation of Privilege | Regular user gains admin access | RBAC with principle of least privilege; API authorization checks | Mitigated |
Step 9: Security Architecture Review
The security architecture must be reviewed against:
- Defence in depth: Multiple layers of security controls
- Least privilege: Minimum access required for each component
- Fail secure: System fails to a secure state
- Separation of duties: No single individual has complete control
- Auditability: All security-relevant actions are logged
Phase 4: Build/Development, Secure Implementation
Step 10: Secure Coding and Verification
For software projects:
- Enforce secure coding standards (OWASP ASVS Level 2 for web apps)
- Run SAST on every commit (SonarQube, Checkmarx, Semgrep)
- Run SCA (Software Composition Analysis) to detect vulnerable dependencies (Snyk, OWASP Dependency-Check)
- Run secrets scanning (GitLeaks, TruffleHog) to prevent credential leakage
- Conduct peer code reviews with security focus
- Maintain a security bug bar: No Critical or High vulnerabilities in production code
Step 11: Environment Security
- Maintain strict separation between development, testing, staging, and production environments (A.8.31)
- Production data must never be used in non-production environments without anonymization
- Development environments must have equivalent security controls to production where feasible
- Access to source code repositories must be controlled and logged
Phase 5: Testing, Security Validation
Step 12: Security Testing Pyramid
| Layer | Technique | Timing | Owner | overhead |
|---|---|---|---|---|
| Unit Security Tests | Security-focused unit tests (input validation, auth checks) | Every build | Developer | Low |
| Integration Security Tests | API security tests, auth flow tests, session tests | Every integration | QA + Security | Low |
| SAST | Static code analysis for vulnerabilities | Every commit/PR | DevSecOps (automated) | Low |
| DAST | Dynamic scanning of running application | Weekly/Nightly | DevSecOps (automated) | Medium |
| IAST | Interactive application security testing | Continuous in test | DevSecOps (automated) | Medium |
| Penetration Testing | Manual expert testing | Pre-release for Critical/High; annually for all | External vendor | High (-) |
| Red Team Exercise | Adversarial simulation | Annually for Critical systems | External specialist | Very High (+) |
Step 13: Security Acceptance Criteria
Before any project goes live, the following criteria must be verified and signed off:
| Criterion | Verification Method | Evidence | Sign-off By |
|---|---|---|---|
| All Critical and High vulnerabilities remediated | Vulnerability scan report | Clean scan report | Security Architect |
| Threat model updated and reviewed | Threat model document | Approved threat model | PSO |
| Security architecture implemented as designed | Architecture review | Review meeting minutes | Security Architect |
| Security requirements traced to implementation | SRTM | 100% traceability | PSO |
| Security tests passed | Test report | Test execution report | QA Lead |
| Penetration test passed (if required) | Pen test report | Clean report or accepted risk | CISO |
| Security documentation complete | Documentation review | Approved docs | Technical Writer + PSO |
| Operations team trained | Training records | Attendance + assessment | Operations Manager |
| Incident response plan updated | IR plan review | Updated IR plan | Security Operations |
| Legal/compliance review passed | Compliance checklist | Signed checklist | Compliance Officer |
Phase 6: Deployment, Secure Go-Live
Step 14: Deployment Security Checklist
- Production environment hardened per security baseline
- All default passwords changed
- Unnecessary services disabled
- Firewall rules reviewed and minimized
- Logging and monitoring configured and verified
- Backup and recovery tested
- Rollback plan documented and tested
- Communication plan for go-live (including security monitoring)
- Business continuity verification
Step 15: Go-Live Security Gate
The final security gate before go-live must include:
- Review of all security evidence from the project
- Confirmation that all acceptance criteria are met
- Verification that no new risks have emerged during testing
- Sign-off from PSO, CISO, and Project Sponsor
- Formal authorization to proceed documented
Phase 7: Closure, Knowledge Transfer and Lessons Learned
Step 16: Security Handover to Operations
The project team must transfer to operations:
- All security documentation (architecture, configurations, procedures)
- Security monitoring rules and alerts
- Incident response playbooks for the new system
- Known risks and residual risk acceptance
- Security training materials for end users and administrators
- Contact information for security escalations
Step 17: Lessons Learned
Capture security-specific lessons learned:
- What security risks were underestimated?
- What security controls were more effective than expected?
- What security tools or processes caused delays?
- What would be done differently next time?
Feed these into the organization's security knowledge base and update project security templates accordingly.
Tools, Technologies, and Solutions
Project Management Tools with Security Integration
| Tool | Type | Security Integration | licensing Range | Best For |
|---|---|---|---|---|
| ServiceNow ITBM | Enterprise PMO | Integrated GRC; security risk modules; automated security gates | Enterprise licensing (custom) | Large enterprises; ITIL shops |
Security-Specific Development Tools
| Tool Category | Tools | Purpose | licensing Range |
|---|---|---|---|
| SAST | SonarQube, Checkmarx, Semgrep, Fortify, Veracode | Static code analysis | Subscription |
| DAST | OWASP ZAP, Burp Suite Enterprise, Invicti, Acunetix | Dynamic vulnerability scanning | Subscription |
| SCA | Snyk, Mend (formerly WhiteSource), OWASP Dependency-Check, Black Duck | Dependency vulnerability scanning | Subscription |
| Secrets Scanning | GitLeaks, TruffleHog, GitGuardian, SpectralOps | Detect leaked credentials | Subscription |
| IAST | Contrast Security, Seeker, Hdiv | Runtime security testing | Subscription |
| Container Security | Aqua Security, Twistlock (Prisma Cloud), Snyk Container, Trivy | Image vulnerability scanning | Subscription |
| Threat Modeling | Microsoft Threat Modeling Tool, OWASP Threat Dragon, IriusRisk | Threat model creation | Subscription |
| Penetration Testing | Burp Suite Professional, Cobalt.io, Bishop Fox, Astra Security | Manual security testing | -/engagement |
| GRC Platforms | Vanta, Drata, Secureframe, Sprinto, Scrut | ISO 27001 project compliance tracking | Subscription |
Indian Market Considerations
| Consideration | Guidance |
|---|---|
| Data residency | Ensure project security tools store data in India or comply with DPDP Act 2023 data localization requirements |
| licensing | Indian SaaS vendors (Sprinto, Scrut, Astra) often licensing 40-60% lower than US competitors while offering India-specific compliance |
| Support | Vendors with India-based support teams (Microsoft India, Atlassian partners, local GRC vendors) provide faster resolution |
| CERT-In reporting | Tools should support log formats and reporting structures compatible with CERT-In incident reporting requirements |
| Rupee billing | Prefer vendors billing in INR to avoid forex volatility and GST compliance issues |
Policy and Procedure Templates
Project Security Policy (Template Outline)
1. Purpose and Scope
1.1 Purpose: Define requirements for integrating information security into all projects
1.2 Scope: All projects regardless of type, size, or duration
1.3 Applicability: All employees, contractors, and third parties involved in projects
2. Roles and Responsibilities
2.1 Project Sponsor: Accountable for project security budget and outcomes
2.2 Project Manager: Responsible for ensuring security activities are planned and executed
2.3 Project Security Officer (PSO): Responsible for security requirements, reviews, and acceptance
2.4 CISO: Accountable for enterprise project security framework and standards
2.5 Security Architect: Responsible for security architecture and threat modeling
2.6 Development Team: Responsible for secure implementation and testing
3. Project Security Classification
3.1 Classification criteria and methodology
3.2 Classification authority and review process
4. Security Requirements
4.1 Mandatory security requirements for each classification level
4.2 Regulatory requirements mapping
4.3 Customer contractual requirements
5. Security Risk Assessment
5.1 Timing: Must be completed before project approval
5.2 Methodology: 5x5 risk matrix
5.3 Review triggers: Scope change, technology change, threat landscape change
6. Security Gates
6.1 Gate definitions for Waterfall, Agile, and Hybrid methodologies
6.2 Gate criteria and evidence requirements
6.3 Escalation process for failed gates
7. Security Testing and Acceptance
7.1 Testing requirements by classification
7.2 Acceptance criteria and sign-off process
7.3 Exception handling and risk acceptance
8. Security Documentation and Handover
8.1 Required documentation by classification
8.2 Handover process to operations
8.3 Knowledge retention requirements
9. Training and Awareness
9.1 Project team security training requirements
9.2 PSO certification requirements
9.3 Annual refresher training
10. Compliance and Audit
10.1 Internal audit requirements
10.2 Evidence retention
10.3 Non-conformance handling
11. Policy Review
11.1 Annual review cycle
11.2 Trigger-based review (incident, regulation change, standard update)
Project Security Procedure (Template Outline)
Procedure: PRJ-SEC-001 Project Security Integration
1. Initiation Phase
Step 1: Receive project request
Step 2: Classify project security criticality (Critical/High/Medium/Low)
Step 3: Assign Project Security Officer (PSO)
Step 4: Conduct project security risk assessment
Step 5: Define security requirements and document in SRS
Step 6: Include security activities in project plan and budget
Step 7: Obtain security approval for project charter
2. Planning Phase
Step 8: Create Security Requirements Traceability Matrix (SRTM)
Step 9: Define security gates and criteria
Step 10: Plan security testing (SAST, DAST, Pen Test, etc.)
Step 11: Schedule security training for project team
Step 12: Plan security documentation deliverables
3. Design Phase
Step 13: Conduct threat modeling (Critical/High projects)
Step 14: Develop security architecture
Step 15: Review security architecture against enterprise standards
Step 16: Update SRTM with design decisions
Step 17: Conduct Security Gate 2 (Design Review)
4. Build/Development Phase
Step 18: Enforce secure coding standards
Step 19: Execute SAST and SCA on every commit/PR
Step 20: Execute secrets scanning on every commit
Step 21: Conduct security-focused code reviews
Step 22: Maintain security defect tracking
Step 23: Conduct Security Gate 3 (Build Review)
5. Testing Phase
Step 24: Execute DAST/IAST on test environment
Step 25: Conduct security integration testing
Step 26: Execute penetration testing (if required)
Step 27: Verify all Critical/High vulnerabilities remediated
Step 28: Update SRTM with test results
Step 29: Conduct Security Gate 4 (Test Review)
6. Deployment Phase
Step 30: Execute deployment security checklist
Step 31: Verify production environment hardening
Step 32: Verify logging and monitoring
Step 33: Verify backup and recovery
Step 34: Conduct Security Gate 5 (Go-Live Review)
Step 35: Obtain formal security sign-off
7. Closure Phase
Step 36: Complete security documentation
Step 37: Conduct security handover to operations
Step 38: Update incident response plan
Step 39: Conduct lessons learned session
Step 40: Archive project security evidence
Step 41: Conduct Security Gate 6 (Closure Review)
Security Requirements Traceability Matrix (Template)
| Req ID | Security Requirement | Source | Design Element | Implementation | Test Case | Test Result | Status |
|---|---|---|---|---|---|---|---|
| SEC-001 | All user passwords must be hashed using bcrypt | Policy | Auth module | auth.py | TC-AUTH-01 | Pass | Closed |
| SEC-002 | API must enforce rate limiting (100 req/min) | Threat Model T-005 | API Gateway | nginx.conf | TC-API-03 | Pass | Closed |
| SEC-003 | PII must be encrypted at rest using AES-256 | DPDP Act | Database schema | Column encryption | TC-DB-01 | Pass | Closed |
| SEC-004 | Admin access requires MFA | Policy | IAM module | MFA integration | TC-IAM-02 | Pass | Closed |
| SEC-005 | All security events logged to SIEM | Policy | Logging module | logger.py | TC-LOG-01 | Pass | Closed |
Risk Assessment and Treatment
Project-Specific Risk Assessment Methodology
While ISO 27001 requires an organizational risk assessment (Clause 6.1), A.5.8 requires a project-specific risk assessment for each project. This is more granular and focuses on risks introduced by the project itself.
Step 1: Identify Project Security Risks
Use the following categories to identify risks systematically:
| Risk Category | Prompts | Example Risks |
|---|---|---|
| Requirements | Were security requirements incomplete? Were regulatory requirements missed? | Missing DPDP consent flow; no MFA requirement |
| Design | Does the architecture introduce new attack surfaces? Are single points of failure present? | Microservices without service mesh security; no API gateway |
| Implementation | Are developers trained in secure coding? Are code reviews mandatory? | SQL injection in login form; hardcoded API key |
| Testing | Is security testing adequate? Are all paths tested? | No authentication bypass testing; no DAST |
| Deployment | Is the production environment secure? Are configurations hardened? | Default admin credentials; open ports |
| Operations | Can operations team secure the system? Are monitoring and response ready? | No log parsing rules; missing runbook |
| Third-party | What supplier risks exist? Are SaaS/cloud services secure? | Unvetted payment gateway; vulnerable open-source library |
| Organizational | Does the project change the threat landscape? Does it require new skills? | New cloud platform team lacks expertise; increased APT targeting |
Step 2: Analyze Risks
For each identified risk, determine:
-
Likelihood (1-5): Probability the risk materializes
- 1 = Rare (<1% per year)
- 2 = Unlikely (1-10% per year)
- 3 = Possible (10-50% per year)
- 4 = Likely (50-90% per year)
- 5 = Almost Certain (>90% per year)
-
Impact (1-5): Severity if the risk materializes
- 1 = Negligible (no significant impact)
- 2 = Minor (localized, < overhead)
- 3 = Moderate (significant, - overhead, regulatory notice)
- 4 = Major (severe, - overhead, regulatory fine, reputational damage)
- 5 = Catastrophic (organization-threatening, > overhead, shutdown risk)
-
Risk Score = Likelihood × Impact
Step 3: Evaluate and Treat
| Risk Score | Level | Treatment Required |
|---|---|---|
| 15-25 | Critical | Must be treated before project proceeds; escalate to board if residual risk remains |
| 10-14 | High | Must be treated before go-live; no exceptions without CISO approval |
| 5-9 | Medium | Should be treated before go-live; can be accepted with monitoring |
| 1-4 | Low | Can be accepted; monitor during operations |
Treatment Options:
- Avoid: Change project scope, design, or approach to eliminate the risk
- Mitigate: Implement controls to reduce likelihood or impact
- Transfer: Purchase insurance or contractually shift liability to third party
- Accept: Document and monitor if treatment overhead exceeds risk impact
Sample Risk Register for an E-Commerce Platform Project
| Risk ID | Risk Description | Likelihood | Impact | Score | Level | Treatment | Owner | Target Date | Residual Risk |
|---|---|---|---|---|---|---|---|---|---|
| PRJ-001 | Payment gateway integration vulnerable to card skimming | 3 | 5 | 15 | Critical | Use PCI DSS Level 1 certified gateway; implement tokenization; independent pen test | Security Architect | Week 4 | Low (2) |
| PRJ-002 | Customer PII stored without encryption | 2 | 5 | 10 | High | Implement AES-256 encryption at rest; database TDE; field-level encryption for sensitive fields | Database Lead | Week 3 | Low (2) |
| PRJ-003 | Third-party logistics API introduces data leakage | 3 | 4 | 12 | High | DPA with logistics provider; API gateway with DLP; data minimization (only necessary fields) | PSO | Week 5 | Medium (6) |
| PRJ-004 | Dev team lacks secure coding skills for payment modules | 3 | 3 | 9 | Medium | Mandatory PCI DSS training; pair programming with security architect; code review by external expert | PM | Week 2 | Low (3) |
| PRJ-005 | Go-live during festive season increases breach impact | 2 | 4 | 8 | Medium | Delay go-live by 2 weeks; implement enhanced monitoring; on-call security team | PM | Week 6 | Low (2) |
| PRJ-006 | Legacy integration uses unencrypted FTP | 2 | 3 | 6 | Medium | Replace FTP with SFTP; implement VPN tunnel; phased migration plan | Integration Lead | Week 7 | Low (2) |
Audit and Compliance Checklist
Use this checklist during internal audits, certification audits, and customer audits. Each question should be answered with evidence.
Policy and Governance (5 questions)
| # | Audit Question | Evidence Required | Pass Criteria |
|---|---|---|---|
| 1 | Is there a documented policy requiring information security to be addressed in all projects? | Policy document, version controlled, approved by management | Policy exists, covers all project types, approved within last 12 months |
| 2 | Does the policy define security classification levels for projects? | Policy section or standalone classification document | At least 3 levels defined with clear criteria |
| 3 | Is there a formal Project Security Officer (PSO) role defined? | Role description, RACI, or job description | Role defined with named responsibilities; assigned to projects |
| 4 | Does senior management review project security performance? | Meeting minutes, dashboard reports, management review records | At least quarterly review; actions documented |
| 5 | Are project security requirements integrated into the organization's project management methodology? | PM methodology document, project templates, tool configuration | Security phases/gates visible in standard PM documents |
Risk Assessment (5 questions)
| # | Audit Question | Evidence Required | Pass Criteria |
|---|---|---|---|
| 6 | Is a security risk assessment conducted for every project before initiation? | Risk assessment records for sample of projects | 100% of sampled projects have project-specific risk assessment |
| 7 | Does the risk assessment use a defined methodology and scoring system? | Risk assessment procedure, methodology document | Methodology documented; assessors trained; consistent application |
| 8 | Are project risks treated and residual risk documented? | Risk register, treatment plans, risk acceptance forms | All Critical/High risks treated; residual risk documented and accepted |
| 9 | Are risk assessments revisited when project scope changes? | Change request records, updated risk assessments | Changes trigger risk reassessment |
| 10 | Are project security risks reported to the project steering committee? | Steering committee minutes, risk reports | Security risks visible in project governance |
Requirements and Design (5 questions)
| # | Audit Question | Evidence Required | Pass Criteria |
|---|---|---|---|
| 11 | Are security requirements documented for each project? | Security Requirements Specification (SRS) or equivalent | SRS exists for sampled projects; traced to business/regulatory needs |
| 12 | Is threat modeling performed for Critical and High projects? | Threat model documents, review records | 100% of Critical/High projects have threat models |
| 13 | Is a security architecture review conducted for projects with new technology? | Architecture review meeting minutes, design documents | Review conducted; findings addressed; approval documented |
| 14 | Are security requirements traced through design, implementation, and testing? | SRTM or equivalent traceability document | Traceability exists; coverage verified |
| 15 | Are regulatory requirements (DPDP, RBI, SEBI, etc.) identified and addressed in projects? | Compliance checklist, legal review records | Regulatory requirements mapped; evidence of implementation |
Implementation and Testing (5 questions)
| # | Audit Question | Evidence Required | Pass Criteria |
|---|---|---|---|
| 16 | Are secure coding standards enforced for software projects? | Coding standard document, code review records, scan results | Standards documented; enforced in sampled projects |
| 17 | Is SAST executed on software projects? | SAST scan reports, CI/CD pipeline configuration | SAST runs on every commit or at least daily; results reviewed |
| 18 | Is DAST or penetration testing performed before go-live? | DAST reports, pen test reports | Critical/High projects: pen test; Medium: DAST; all vulnerabilities remediated or accepted |
| 19 | Are security tests documented with pass/fail criteria? | Test plans, test execution reports, defect tracking | Tests documented; evidence of execution; no Critical/High defects in production |
| 20 | Are secrets (passwords, keys, tokens) never committed to source code? | Secrets scanning reports, git history audit | No secrets found in scans; scanning automated |
Acceptance and Deployment (5 questions)
| # | Audit Question | Evidence Required | Pass Criteria |
|---|---|---|---|
| 21 | Are security acceptance criteria defined before go-live? | Acceptance criteria document, checklists | Criteria defined in advance; approved by security |
| 22 | Is there a formal security sign-off before project go-live? | Sign-off form, email, or workflow record | Sign-off by PSO and/or CISO; no unauthorized bypass |
| 23 | Is a deployment security checklist used? | Checklist document, completed checklist evidence | Checklist exists; completed for sampled deployments |
| 24 | Are production environments hardened before receiving project deliverables? | Hardening standard, configuration audit | Baseline hardening applied; verified before go-live |
| 25 | Are rollback and recovery procedures tested? | Test records, runbook documentation | Rollback tested; RTO/RPO verified |
Closure and Handover (5 questions)
| # | Audit Question | Evidence Required | Pass Criteria |
|---|---|---|---|
| 26 | Is security documentation transferred to operations at project closure? | Handover document, sign-off from operations | Complete documentation package; operations sign-off |
| 27 | Are security lessons learned captured and shared? | Lessons learned log, knowledge base updates | Captured within 30 days of closure; fed into templates |
| 28 | Is the incident response plan updated for new systems? | IR plan version history, update records | IR plan updated before go-live; SOC briefed |
| 29 | Are project security records retained per the retention policy? | Archive records, retention policy | Retained for defined period; accessible for audit |
| 30 | Is there evidence of continuous improvement in project security practices? | Improvement log, updated templates, training updates | At least one improvement action per quarter |
Metrics and KPIs
Project Security KPIs
| KPI ID | KPI Name | Formula | Target | Measurement Frequency | Data Source |
|---|---|---|---|---|---|
| KPI-01 | Project Security Coverage | (Number of projects with security integration / Total number of projects) × 100 | 100% | Monthly | PMO registry |
| KPI-02 | Security Risk Assessment Completion | (Projects with completed risk assessment / Total projects initiated) × 100 | 100% | Per project | Risk register |
| KPI-03 | Critical Risk Treatment Rate | (Critical risks treated / Critical risks identified) × 100 | 100% | Per project | Risk register |
| KPI-04 | Security Gate Pass Rate | (Security gates passed on first attempt / Total security gates) × 100 | >90% | Per project | PM tool / Security review records |
| KPI-05 | Security Acceptance Sign-off Rate | (Projects with security sign-off before go-live / Total projects go-live) × 100 | 100% | Monthly | Sign-off records |
| KPI-06 | Security Testing Coverage | (Projects with required security testing / Total projects requiring testing) × 100 | 100% | Per project | Test records |
| KPI-07 | Vulnerability Remediation Rate | (Critical/High vulnerabilities remediated before go-live / Total Critical/High vulnerabilities found) × 100 | 100% | Per project | Vulnerability tracker |
| KPI-08 | Security Documentation Completeness | (Projects with complete security documentation / Total closed projects) × 100 | 100% | Monthly | Documentation review |
| KPI-09 | Security Lessons Learned Capture Rate | (Projects with captured lessons learned / Total closed projects) × 100 | 100% | Quarterly | Lessons learned database |
| KPI-10 | Security Training Completion | (Project team members completing security training / Total project team members) × 100 | 100% | Per project | Training records |
| KPI-11 | Average Security overhead per Project | Total security spend / Number of projects | Benchmark against budget | Quarterly | Finance / PMO |
| KPI-12 | Security-Related Project Delay | (Projects delayed due to security issues / Total projects) × 100 | <10% | Quarterly | PMO delay reports |
| KPI-13 | Post-Go-Live Security Incidents | Number of security incidents within 90 days of go-live per project | 0 for Critical/High | Monthly | Incident management system |
| KPI-14 | Threat Modeling Coverage | (Critical/High projects with threat modeling / Total Critical/High projects) × 100 | 100% | Quarterly | Threat model repository |
| KPI-15 | Security Requirements Traceability | (Security requirements traced to test / Total security requirements) × 100 | 100% | Per project | SRTM audit |
KPI Dashboard Layout
A sample monthly dashboard for the CISO and PMO:
PROJECT SECURITY DASHBOARD — June 2026
=======================================
Projects Active: 23
Projects Initiated (MTD): 5
Projects Closed (MTD): 4
COVERAGE METRICS
- Security Coverage: 100% (23/23) ✓
- Risk Assessment Completion: 100% (5/5) ✓
- Security Sign-off Rate: 100% (4/4) ✓
QUALITY METRICS
- Gate Pass Rate (First Attempt): 88% (22/25) ⚠️
- Vulnerability Remediation: 100% (12/12) ✓
- Documentation Completeness: 100% (4/4) ✓
EFFICIENCY METRICS
- Avg Security overhead per Project: - Security-Related Delays: 5% (1/20) ✓
- Post-Go-Live Incidents: 0 ✓
ACTIONS
1. Investigate Gate 2 (Design) failures in 3 projects — root cause: incomplete threat models
2. Update threat modeling template based on findings
3. Schedule refresher training for 2 project managers
Common Pitfalls and How to Avoid Them
The 15 Most Common Pitfalls
| # | Pitfall | Why It Happens | Impact | How to Avoid |
|---|---|---|---|---|
| 1 | Security treated as a "phase" rather than a thread | PMs schedule "security week" late in the project | Rework, delays, vulnerabilities | Integrate security into every phase; use SRTM |
| 2 | No Project Security Officer assigned | PM assumes security is "the security team's job" | No accountability; security gaps | Mandate PSO for Medium+ projects; define role clearly |
| 3 | Generic risk assessment reused | Organizations use the organizational risk assessment for all projects | Missed project-specific risks | Require project-specific risk assessment per A.5.8 |
| 4 | Security requirements missing from project charter | PM focuses on functional requirements only | Security not budgeted or scheduled | Include security requirements in charter template |
| 5 | No security gates in Agile/Scrum | Belief that Agile is too fast for gates | Security debt accumulates | Define sprint-level and release-level security gates |
| 6 | Threat modeling skipped due to time pressure | PM sees threat modeling as "optional overhead" | Architectural vulnerabilities | Mandate threat modeling for Critical/High; allocate time |
| 7 | Production data used in test environments | Convenience for "realistic testing" | Data breach in non-prod; DPDP violation | Use synthetic data; anonymization pipelines; data masking |
| 8 | Security testing performed only once before go-live | overhead-saving or schedule pressure | Last-minute vulnerabilities cause delay or risky go-live | Shift-left: SAST on every commit, DAST weekly |
| 9 | No security sign-off authority defined | Ambiguity about who can approve go-live | Unauthorized go-live with known risks | Define sign-off authority in policy (PSO for Medium; CISO for Critical/High) |
| 10 | Security documentation never handed over | Team disbands after go-live; docs are "not a priority" | Operations cannot secure the system | Make handover a gate; operations sign-off required |
| 11 | Third-party components not assessed | Assumption that "vendors are secure" | Supply chain vulnerability | Vendor security assessment for all third-party components |
| 12 | Security lessons learned never captured | Post-project reviews focus on schedule/budget | Same vulnerabilities repeated across projects | Mandate security lessons learned in closure template |
| 13 | Over-reliance on penetration testing as "security assurance" | Belief that pen test = secure | Pen test finds issues too late; limited coverage | Pen test is one layer; SAST/DAST/IAST + architecture review needed |
| 14 | Security exceptions granted without proper risk acceptance | Business pressure to go-live | Accepted risks not documented or escalated | Formal risk acceptance process; board-level for Critical risks |
| 15 | No security monitoring planned for new systems | Monitoring assumed to be "ops problem" | Undetected breaches; delayed response | Include monitoring design in project security requirements |
Illustrative Scenarios
Illustrative scenario, a composite example for guidance, not a specific Singahi engagement or a verified outcome.
Illustrative Scenario 1: Indian Growing Fintech, Secure Payment Platform Project
Organization: PayKwik Solutions Pvt. Ltd., a Bengaluru-based fintech startup with 180 employees, offering payment processing services to 2,500 Indian merchants.
Project: Development and launch of a new "PayKwik Express" real-time payment platform for UPI and card transactions.
Challenge:
- First-time ISO 27001 certification required to onboard a major e-commerce client
- Project team of 12 developers with limited secure coding experience
- Tight 6-month deadline driven by competitive market pressure
- Regulatory requirements: RBI Master Direction on Digital Payment Security, PCI DSS Level 1, DPDP Act 2023
- Budget constraints: Total security budget of for the project
Implementation Steps:
Step 1, Project Security Policy (Week 1): PayKwik engaged Singahi to draft a Project Security Policy tailored to their size. The policy defined two project security levels (Critical for payment systems, Standard for internal tools) and mandated a PSO for all Critical projects.
Step 2, Security Classification and PSO Assignment (Week 1): The PayKwik Express project was classified as Critical. The CTO was designated as PSO, with Singahi's Security Architect providing 2 days per week of guidance.
Step 3, Project Security Risk Assessment (Week 2): A dedicated risk assessment identified 18 risks. The top 5 were:
- Card data leakage through unencrypted logs (Risk Score: 20, Critical)
- UPI fraud via API manipulation (Risk Score: 16, Critical)
- Third-party payment gateway vulnerability (Risk Score: 12, High)
- Insider threat from developer access to production (Risk Score: 10, High)
- DDoS during festive season launch (Risk Score: 9, Medium)
Step 4, Threat Modeling (Week 3): Using STRIDE, the team identified 34 threats. The most critical, spoofing of merchant API credentials, led to a design change: moving from API-key authentication to mutual TLS with certificate pinning.
Step 5, Security Requirements and SRTM (Week 3): 47 security requirements were defined, covering encryption, authentication, logging, audit trails, and incident response. All were traced through design, code, and test.
Step 6, Secure Development and Testing (Weeks 4-18):
- SAST (SonarQube) integrated into GitHub Actions; every pull request scanned
- SCA (Snyk) tracked 156 dependencies; 3 vulnerable libraries replaced
- DAST (OWASP ZAP) ran nightly against the staging environment
- External penetration testing (Astra Security, ) conducted in Week 16
- 12 Critical/High vulnerabilities found; all remediated by Week 18
Step 7, Security Gates (Throughout): Four gates defined:
- Gate 1 (Design): Threat model and architecture review, passed after one revision
- Gate 2 (Build): SAST clean, no secrets in code, passed on first attempt
- Gate 3 (Test): DAST clean, pen test passed, passed after remediation
- Gate 4 (Go-Live): Security acceptance criteria, ops handover, passed
Step 8, Go-Live and Handover (Week 20): The platform went live with zero security incidents in the first 90 days. Operations received complete documentation, monitoring rules, and an incident response playbook.
Outcome:
- PayKwik achieved ISO 27001 certification with zero major non-conformities in the A.5.8 and A.8.25 areas
- Major e-commerce client onboarded within 30 days of go-live
- Security budget of was fully used; total project budget was (security: 17.8%)
- Post-go-live security incident count: 0 in 6 months
- The Project Security Policy and templates were reused for 3 subsequent projects
Key Lessons:
- Growing fintechs can achieve enterprise-grade project security with focused effort and the right templates
- External security expertise (Singahi) for 2 days/week provided sufficient guidance without full-time overhead
- Shift-left testing (SAST on every commit) prevented 80% of vulnerabilities from reaching test environments
- The PSO role does not require a dedicated security hire if the right person (CTO) is trained and supported
Illustrative Scenario 2: Large Indian Enterprise, Multi-Year ERP Transformation
Organization: BharatChem Industries Ltd., a Mumbai-headquartered chemical manufacturing conglomerate with 12,000 employees across 8 plants in India, 3 international offices, and annual revenue of . Listed on NSE and BSE.
Project: "Project Unity", a 3-year SAP S/4HANA ERP implementation replacing 7 legacy systems, covering finance, supply chain, manufacturing, HR, and customer management.
Challenge:
- Largest IT project in the company's 45-year history (budget: )
- Highly sensitive data: chemical formulas, customer contracts, employee records, financial data
- Regulatory exposure: SEBI listing regulations, DPDP Act 2023, Factories Act, environmental regulations
- Multi-vendor ecosystem: SAP implementation partner (Accenture), infrastructure provider (TCS), custom development vendor (local SI), cloud hosting (AWS India)
- 450+ users across 8 locations; complex role mapping from legacy systems
- Zero-downtime requirement for manufacturing plants (24/7 operations)
Implementation Steps:
Step 1, Enterprise Project Security Framework (Months 1-2): Singahi designed a complete Project Security Framework with:
- 4 security classification levels (Critical, High, Medium, Low)
- Methodology-specific playbooks (Waterfall for ERP core, Agile for custom mobile apps, Hybrid for integrations)
- Automated security gates in ServiceNow
- Dedicated PSO role for all Critical/High projects; 3 full-time PSOs hired
Step 2, Project Unity Security Governance (Month 1):
- Project Unity classified as Critical
- A dedicated Security Workstream was created within the program, led by a Senior Security Architect (reporting to CISO and Program Director)
- Monthly Security Steering Committee with CISO, CIO, Program Director, and vendor security leads
Step 3, Program-Level Security Risk Assessment (Month 2): A complete risk assessment identified 47 risks across the program. Top risks:
- Data corruption during migration from 7 legacy systems (Score: 25, Catastrophic)
- Unauthorized access to chemical formulas in SAP (Score: 20, Critical)
- Supplier data leakage during cloud migration (Score: 16, Critical)
- Inadequate segregation of duties in role design (Score: 15, Critical)
- Insider threat from disgruntled legacy system administrators (Score: 12, High)
Step 4, Security Architecture and Threat Modeling (Months 2-4):
- Enterprise threat model using PASTA methodology; 78 threats identified
- Security architecture designed for SAP S/4HANA on AWS India (Mumbai region) with:
- End-to-end TLS 1.3 encryption
- Field-level encryption for chemical formulas using AWS KMS with HSM
- Network segmentation: manufacturing OT network isolated from SAP IT network via DMZ
- Privileged Access Management (CyberArk) for SAP Basis and AWS admin accounts
- SIEM integration (Splunk) for all SAP security logs
Step 5, Vendor Security Management (Months 1-36):
- All 4 vendors underwent security assessments before contract signing (A.5.9)
- Security clauses in all contracts: right to audit, incident notification (24 hours), data residency (India only), breach liability ( cap)
- Quarterly vendor security reviews with evidence of patch management, access reviews, and training
- Accenture and TCS required to maintain ISO 27001 and SOC 2 Type II certifications
Step 6, Secure Development and Configuration (Months 4-24):
- SAP security baseline: 400+ configuration parameters hardened per CIS benchmarks
- Custom ABAP code: SAST using CodeProfiler; 67 security findings remediated
- Custom mobile app for plant supervisors: OWASP MASVS Level 2 compliance; penetration testing by Bishop Fox
- Integration middleware: API security gateway (Apigee) with OAuth 2.0, rate limiting, and request signing
Step 7, Data Migration Security (Months 20-28):
- 15 TB of legacy data migrated using a secure data pipeline
- Data classification: Public (5%), Internal (55%), Confidential (35%), Secret (5%, chemical formulas)
- Secret data encrypted with customer-managed keys before leaving legacy systems
- Data migration validated with checksums at every stage; 0.001% error rate
- Legacy system data wiped using NIST 800-88 Clear/Purge methods after migration verification
Step 8, Security Testing (Months 24-32):
- SAST/DAST on all custom code (continuous)
- Penetration testing (3 rounds):
- Round 1 (Month 24): Infrastructure and SAP basis, 23 findings, all remediated
- Round 2 (Month 28): Application layer, 18 findings, all remediated
- Round 3 (Month 32): End-to-end system, 9 findings, all remediated
- Red team exercise (Month 30): Simulated APT targeting chemical formula data, 2 attack paths identified, both closed
- Performance and security testing for manufacturing continuity: 99.99% uptime verified under load
Step 9, Security Gates (Throughout): 8 major gates across 3 years:
- Gate 1 (Design): Architecture and threat model, passed after 2 revisions
- Gate 2 (Vendor Onboarding): All vendor assessments complete, passed
- Gate 3 (Build, Core): SAP configuration hardened; SAST clean, passed after 1 revision
- Gate 4 (Integration): API security verified; data flows validated, passed
- Gate 5 (Data Migration): Migration integrity verified; legacy data destroyed, passed
- Gate 6 (Test, UAT): Pen test round 2 passed; no Critical/High open, passed after remediation
- Gate 7 (Go-Live Readiness): All acceptance criteria met; ops trained; IR ready, passed
- Gate 8 (Closure): Documentation complete; lessons learned; handover signed, passed
Step 10, Go-Live and Handover (Month 34-36):
- Phased go-live: Plant 1 (Month 34), Plants 2-4 (Month 35), Plants 5-8 + International (Month 36)
- Each phase had a 2-week security monitoring period before next phase
- Operations team received: 4,200 pages of security documentation, 47 runbooks, 12 incident response playbooks, Splunk dashboard templates
- 40-hour security training program for 45 SAP administrators and security staff
Outcome:
- Project Unity went live on schedule with zero security incidents during rollout
- ISO 27001 surveillance audit (Month 38): zero non-conformities in A.5.8, A.5.9, A.8.25, A.8.29
- SEBI compliance review passed without observations
- Post-go-live 12-month security incident count: 3 (all Low severity, detected and contained within 2 hours)
- Total security spend: (10% of project budget)
- Estimated impact of a chemical formula breach: + Crore (competitive advantage, regulatory penalties, customer trust), risk effectively mitigated
- The Project Security Framework was adopted as corporate standard for all subsequent projects
Key Lessons:
- Large enterprise projects require a dedicated Security Workstream, not just a part-time PSO
- Multi-year projects benefit from multiple rounds of penetration testing, not just one pre-go-live test
- Vendor security management must be enforced contractually and verified quarterly
- Phased go-live with security monitoring periods reduces risk and allows course correction
- The impact of complete project security (10% of budget) is negligible compared to the impact of a breach in a critical infrastructure sector
Multi-Framework Mapping
ISO 27001:2022 ↔ SOC 2 ↔ PCI DSS ↔ NIST 800-53 ↔ CIS Controls ↔ COBIT 2019 ↔ GDPR/DPDP
| ISO 27001:2022 A.5.8 | SOC 2 Trust Service Criteria | PCI DSS v4.0 | NIST 800-53 Rev 5 | CIS Controls v8 | COBIT 2019 | GDPR / DPDP Act 2023 |
|---|---|---|---|---|---|---|
| Information security in project management | CC6.1, Logical and physical access controls; CC7.2, System operations; CC8.1, Change management | Req 6.5.1, Change control procedures; Req 6.5.2, Security impact of changes; Req 11.3.2, Vulnerability management; Req 12.10.4, Incident response procedures | SA-15, Development process, standards, and tools; SA-17, Developer security architecture and design; CM-3, Configuration change control; RA-3, Risk assessment; CA-2, Security assessments; PL-8, Security and privacy architectures | CIS 1.0, Inventory and Control of Enterprise Assets; CIS 2.0, Inventory and Control of Software Assets; CIS 3.0, Data Protection; CIS 7.0, Continuous Vulnerability Management; CIS 8.0, Audit Log Management; CIS 16.0, Application Software Security | APO12.01, Manage risk; APO12.06, Manage portfolios; APO13.01, Manage security; BAI03.01, Manage programs; BAI03.02, Manage projects; BAI06.01, Manage changes; BAI06.02, Control changes; DSS05.01, Manage security services | GDPR Art. 25, Data protection by design and by default; GDPR Art. 32, Security of processing; GDPR Art. 35, DPIA; DPDP Act 2023 Section 8(5), Security safeguards; DPDP Act 2023 Section 9, Additional safeguards for children's data; DPDP Act 2023 Sections 11–14, Data principal rights (technical measures in projects) |
Detailed Control Mapping
ISO 27001 A.5.8 → NIST 800-53 Rev 5:
| A.5.8 Requirement | NIST 800-53 Control | NIST Control Description |
|---|---|---|
| Security requirements at project initiation | RA-3, Risk Assessment | Conduct risk assessments to identify threats, vulnerabilities, and impacts |
| Security roles in project team | PM-2, Information Security Program Leadership | Assign responsibility for security program oversight |
| Security architecture and design | PL-8, Security and Privacy Architectures | Develop and maintain security architectures |
| Security testing before acceptance | CA-2, Security Assessments | Assess security controls periodically |
| Security in change management | CM-3, Configuration Change Control | Control changes to the system |
| Secure development for software projects | SA-15, Development Process, Standards, and Tools | Ensure security in development processes |
| Security documentation | SA-5, System Documentation | Obtain and protect system documentation |
| Security handover | SA-9, External Information System Services | Manage security in external services |
ISO 27001 A.5.8 → CIS Controls v8:
| A.5.8 Requirement | CIS Control | CIS Safeguard |
|---|---|---|
| Security requirements in projects | CIS 16.1 | Establish and Maintain a Secure Application Development Process |
| Threat modeling | CIS 16.2 | Establish and Maintain a Software Inventory |
| Secure coding | CIS 16.3 | Perform Root Cause Analysis on Security Vulnerabilities |
| Security testing | CIS 16.4 | Implement and Manage a Remediation Process |
| Vulnerability management in projects | CIS 7.1 | Establish and Maintain a Vulnerability Management Process |
| Environment separation | CIS 16.5 | Separate Production and Non-Production Systems |
| Security documentation | CIS 16.6 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities |
ISO 27001 A.5.8 → COBIT 2019:
| A.5.8 Requirement | COBIT Domain | COBIT Practice |
|---|---|---|
| Security in project governance | APO12 | Manage Risk |
| Project security integration | BAI03 | Managed Change |
| Security requirements | APO13 | Managed Security |
| Security testing and acceptance | BAI03.02 | Manage Projects |
| Change impact assessment | BAI06 | Managed Change |
| Security documentation | APO14 | Managed Data |
| Knowledge transfer | APO11 | Managed Quality |
Regulatory and Industry Context
India-Specific Regulations
| Regulation | Relevance to A.5.8 | Key Requirements for Projects | Penalty for Non-Compliance |
|---|---|---|---|
| DPDP Act 2023 | High | Appropriate technical and organisational measures (Section 8(4)); DPIA for high-risk processing (implied); security safeguards; children's data protection | Up to fine for failure to protect data; up to for other breaches |
| IT Act 2000 (as amended) | High | Section 43A: Compensation for failure to protect sensitive personal data; Section 66: Computer-related offences; CERT-In reporting obligations | Compensation claims; criminal penalties up to 3 years imprisonment; CERT-In directions |
| RBI Master Direction on Digital Payment Security | Critical for BFSI | Security in design of payment systems; vendor risk management; incident reporting; data localization | RBI license revocation; penalties; business restrictions |
| SEBI CIR/MIRSD/2/2011 and subsequent circulars | Critical for listed entities | Security in IT projects; vendor management; data protection; incident reporting to SEBI | SEBI enforcement actions; trading restrictions; penalties up to per violation |
| IRDAI Guidelines on Information Security | Critical for insurance | Security in core insurance system projects; customer data protection; third-party risk | License conditions; penalties; business restrictions |
| CERT-In Directions 2022 | High for all | Mandatory incident reporting within 6 hours; data localization for certain sectors; log retention | Non-compliance can lead to blocking of services; legal action |
| MeitY Rules for Intermediaries | High for tech platforms | Security measures in platform design; data retention; traceability; content moderation | Safe harbour loss; blocking; legal liability |
| Companies Act 2013 (Section 134) | Moderate for all companies | Board responsibility for internal controls; risk management; whistleblower mechanisms | Director liability; fines; imprisonment in fraud cases |
| Telecom Security Requirements (DoT) | Critical for telecom/TSP | Security in telecom infrastructure projects; lawful interception; network integrity | License revocation; spectrum penalties |
International Regulations
| Regulation | Jurisdiction | Project Security Relevance |
|---|---|---|
| GDPR (Regulation 2016/679) | EU + EEA | Art. 25: Data protection by design and by default; Art. 32: Security of processing; Art. 35: DPIA for high-risk processing |
| CCPA/CPRA | California, USA | Security measures in system design; reasonable security procedures; breach notification |
| HIPAA Security Rule | USA healthcare | Security in healthcare IT projects; risk analysis; technical safeguards; access controls |
| NIS2 Directive | EU | Security in critical infrastructure projects; supply chain security; incident reporting; vulnerability management |
| SOX Section 404 | USA public companies | Security in financial IT projects; internal controls; change management; audit trail |
| PCI DSS v4.0 | Global (payment card industry) | Secure development for payment systems; change control; vulnerability management; penetration testing |
| FedRAMP | USA federal cloud | Security in cloud service projects; continuous monitoring; authorization |
| APPI (Japan) | Japan | Security measures in personal information handling systems; third-party supervision |
| PDPA (Singapore) | Singapore | Protection obligation; data protection by design; breach notification |
| LGPD (Brazil) | Brazil | Security in personal data processing projects; technical and administrative measures |
Industry-Specific Context
| Industry | Project Security Considerations | Key Standards/Best Practices |
|---|---|---|
| Banking and Financial Services | RBI-mandated security in all digital projects; PCI DSS for card projects; UPI security norms; data localization | RBI circulars, PCI DSS, NIST CSF, ISO 27001 |
| Insurance | IRDAI security guidelines; customer data protection in policy systems; claim processing security | IRDAI guidelines, ISO 27001, COBIT |
| Healthcare and Pharma | Patient data protection (sensitive personal data under DPDP); drug trial data integrity; FDA 21 CFR Part 11 for e-records | HIPAA, DPDP Act, GxP, ISO 27001 |
| IT/ITES and SaaS | Customer contractual security requirements; SOC 2 from project start; multi-tenant security; API security | SOC 2, ISO 27001, ISO 27017, OWASP, CSA STAR |
| Manufacturing | OT/IT convergence security; ICS/SCADA security; supply chain security; Industry 4.0 | IEC 62443, NIST SP 800-82, ISO 27001 |
| Retail and E-commerce | Payment security; customer data protection; inventory system security; POS security | PCI DSS, DPDP Act, ISO 27001 |
| Education (EdTech) | Children's data protection; student privacy; online proctoring security; content security | DPDP Act (children's data), COPPA (USA), ISO 27001 |
| Government and Public Sector | CERT-In compliance; e-governance security; citizen data protection; national security considerations | CERT-In directions, ISO 27001, GIGW (Guidelines for Indian Government Websites) |
| Telecom | Network security; lawful interception; 5G security; subscriber data protection | DoT security requirements, 3GPP, ISO 27001 |
| Energy and Utilities | Critical infrastructure protection; smart grid security; SCADA/ICS security | CERC guidelines, IEC 62351, NERC CIP (USA), ISO 27001 |
Roles and Responsibilities (RACI)
Project Security Activities RACI Matrix
| # | Activity | Board / CEO | CISO | CIO / CTO | PMO Director | Project Manager | Project Security Officer (PSO) | Security Architect | Development Lead | Operations Manager | Compliance Officer |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Approve Project Security Policy | A | R | C | C | I | I | I | I | I | C |
| 2 | Define Project Security Framework | I | A | C | R | C | C | R | I | C | C |
| 3 | Classify Project Security Level | I | A | C | C | R | R | C | I | I | C |
| 4 | Assign PSO for Project | I | A | C | R | R | I | I | I | I | I |
| 5 | Conduct Project Security Risk Assessment | I | A | I | C | C | R | C | I | I | C |
| 6 | Define Security Requirements | I | C | I | C | R | R | C | C | I | C |
| 7 | Conduct Threat Modeling | I | C | I | I | C | R | R | C | I | I |
| 8 | Design Security Architecture | I | C | I | I | C | C | R | C | I | I |
| 9 | Review Security Architecture | I | A | C | I | C | R | R | C | I | C |
| 10 | Approve Security Budget | A | C | R | C | R | I | I | I | I | I |
| 11 | Enforce Secure Coding Standards | I | A | I | I | C | C | C | R | I | I |
| 12 | Execute SAST / DAST / SCA | I | A | I | I | C | R | C | R | I | I |
| 13 | Conduct Penetration Testing | I | A | I | I | C | R | C | C | I | C |
| 14 | Define Security Acceptance Criteria | I | A | I | I | C | R | C | C | C | C |
| 15 | Execute Security Gate Reviews | I | A | I | C | C | R | C | I | I | C |
| 16 | Approve Go-Live (Security Sign-off) | I | A | C | C | C | R | C | I | I | C |
| 17 | Create Security Documentation | I | C | I | I | C | R | C | C | C | I |
| 18 | Conduct Security Handover to Ops | I | C | I | I | C | R | C | I | R | I |
| 19 | Update Incident Response Plan | I | A | I | I | C | R | C | I | R | I |
| 20 | Capture Security Lessons Learned | I | C | I | C | R | R | C | C | I | I |
| 21 | Maintain Project Security Records | I | A | I | C | C | R | I | I | I | C |
| 22 | Audit Project Security Compliance | I | A | I | I | I | C | I | I | I | R |
| 23 | Report Project Security Metrics | I | R | C | C | C | C | I | I | I | C |
| 24 | Drive Continuous Improvement | I | A | C | R | C | R | C | C | C | C |
Legend:
- R = Responsible (does the work)
- A = Accountable (ultimately answerable; approves)
- C = Consulted (provides input)
- I = Informed (kept updated)
Role Descriptions
| Role | Key Responsibilities | Typical Designation in Indian Organizations |
|---|---|---|
| Board / CEO | Strategic oversight; policy approval; budget authorization for Critical projects; risk acceptance for catastrophic risks | Managing Director, CEO, Chairman |
| CISO | Accountable for all project security; approves framework; signs off Critical/High project go-lives; reports to board | Chief Information Security Officer, Head of Security |
| CIO / CTO | Ensures IT projects align with security requirements; provides technical resources; approves architecture | Chief Information Officer, Chief Technology Officer |
| PMO Director | Manages project portfolio; ensures security integration across all projects; assigns PSOs; monitors metrics | PMO Head, Director of Program Management |
| Project Manager | Responsible for project delivery; integrates security into project plan; manages security budget and schedule | Project Manager, Scrum Master, Program Manager |
| Project Security Officer (PSO) | Day-to-day security accountability for the project; requirements, reviews, acceptance, handover; reports risks | Security Analyst (dedicated), or Security Champion (part-time) |
| Security Architect | Designs security architecture; conducts threat modeling; reviews designs; guides technical security decisions | Security Architect, Principal Security Engineer |
| Development Lead | Ensures secure coding; manages SAST/DAST; fixes vulnerabilities; trains developers | Tech Lead, Engineering Manager, Development Manager |
| Operations Manager | Receives security handover; maintains security in production; executes incident response | IT Operations Manager, DevOps Lead, Site Reliability Engineer |
| Compliance Officer | Ensures regulatory compliance in projects; audits; legal review; evidence management | Company Secretary, Compliance Head, Legal Counsel |
Documentation and Evidence Requirements
Mandatory Evidence by Phase
| Phase | Document / Evidence | Retention Period | Format | Owner |
|---|---|---|---|---|
| Initiation | Project Security Classification | Project duration + 7 years | Electronic (PM tool) | PMO |
| Initiation | Project Security Risk Assessment | Project duration + 7 years | PDF / Word | PSO |
| Initiation | Security Requirements Specification (SRS) | Project duration + 7 years | Word / Confluence | PSO |
| Initiation | Project Security Officer Assignment | Project duration + 7 years | Email / HR record | PMO |
| Planning | Security Requirements Traceability Matrix (SRTM) | Project duration + 7 years | Excel / Jira | PSO |
| Planning | Security Gate Criteria and Plan | Project duration + 7 years | Word / PM tool | PM |
| Design | Threat Model | Project duration + 7 years | PDF / Threat modeling tool | Security Architect |
| Design | Security Architecture Document | Project duration + 7 years | PDF / Visio / Draw.io | Security Architect |
| Design | Security Architecture Review Minutes | Project duration + 7 years | PDF / Word | PSO |
| Build | SAST Scan Reports | Project duration + 7 years | PDF / Tool export | DevSecOps |
| Build | SCA Scan Reports | Project duration + 7 years | PDF / Tool export | DevSecOps |
| Build | Secrets Scanning Reports | Project duration + 7 years | PDF / Tool export | DevSecOps |
| Build | Security Code Review Records | Project duration + 7 years | Tool record / Email | Development Lead |
| Build | Security Defect Tracking Log | Project duration + 7 years | Jira / Excel | PSO |
| Test | DAST Scan Reports | Project duration + 7 years | PDF / Tool export | DevSecOps |
| Test | Penetration Test Report | Project duration + 7 years | External vendor / CISO | |
| Test | Security Test Execution Report | Project duration + 7 years | PDF / Test tool | QA Lead |
| Test | Vulnerability Remediation Evidence | Project duration + 7 years | Tool record / Screenshot | Development Lead |
| Deployment | Deployment Security Checklist | Project duration + 7 years | PDF / Checklist tool | Operations Manager |
| Deployment | Hardening Verification | Project duration + 7 years | PDF / Script output | Operations Manager |
| Deployment | Security Acceptance Sign-off | Project duration + 7 years | PDF / Workflow record | CISO / PSO |
| Closure | Security Documentation Package | Permanent (as long as system is operational) | Confluence / SharePoint | PSO |
| Closure | Security Handover Sign-off | Project duration + 7 years | PDF / Workflow | Operations Manager |
| Closure | Lessons Learned Log | Permanent (knowledge base) | Confluence / Wiki | PM |
| Closure | Updated Incident Response Plan | Permanent (version controlled) | PDF / Word | Security Operations |
| Ongoing | Project Security Audit Records | 7 years from audit date | PDF / Audit tool | Internal Audit |
| Ongoing | Project Security Metrics Dashboard | 3 years | BI tool / Excel | PMO / CISO |
Evidence Retention Requirements
| Requirement Source | Minimum Retention | Notes |
|---|---|---|
| ISO 27001:2022 | Not specified; organization defines | Typically 3-7 years for project records |
| DPDP Act 2023 | As long as data is processed + 7 years | Personal data processing records |
| IT Act 2000 | 3 years (general) | Electronic records |
| RBI | 5 years | Payment system records |
| SEBI | 8 years | Listed company records |
| PCI DSS | 1 year for scan reports; 3 years for pen tests | Payment security evidence |
| SOX (if applicable) | 7 years | Financial system change records |
| Singahi Recommended | Project duration + 7 years | Covers all regulatory requirements |
Evidence Organization
For audit readiness, organize evidence in a structured repository:
/Project-Security-Evidence/
/YYYY/
/[Project-Code]/
/01-Initiation/
- Security-Classification.pdf
- Risk-Assessment.pdf
- SRS.pdf
- PSO-Assignment.pdf
/02-Planning/
- SRTM.xlsx
- Security-Plan.pdf
/03-Design/
- Threat-Model.pdf
- Security-Architecture.pdf
- Architecture-Review-Minutes.pdf
/04-Build/
- SAST-Reports/
- SCA-Reports/
- Secrets-Scan-Reports/
- Code-Review-Records/
/05-Test/
- DAST-Reports/
- Pen-Test-Report.pdf
- Security-Test-Report.pdf
/06-Deployment/
- Deployment-Checklist.pdf
- Security-Acceptance-Signoff.pdf
/07-Closure/
- Security-Documentation.pdf
- Handover-Signoff.pdf
- Lessons-Learned.pdf
- Updated-IR-Plan.pdf
Continuous Improvement
The Continuous Improvement Cycle for Project Security
Plan → Do → Check → Act
Plan:
- Review project security metrics quarterly
- Identify trends in security gate failures, vulnerability types, and post-go-live incidents
- Update project security policy, templates, and training based on findings
- Benchmark against industry standards and competitor practices
Do:
- Deploy updated templates and procedures to new projects
- Deliver refresher training to project managers and PSOs
- Implement new security tools or automation
- Run pilot projects with improved practices
Check:
- Measure KPIs before and after changes
- Conduct internal audits of project security implementation
- Gather feedback from project teams on usability of security processes
- Review post-go-live incident data for security root causes
Act:
- Standardize improvements that prove effective
- Eliminate or redesign processes that cause friction without adding value
- Update the organization's knowledge base and playbooks
- Report improvements to management and incorporate into governance
Project Security Maturity Model
| Level | Name | Characteristics | Evidence | Typical Organization |
|---|---|---|---|---|
| 1, Initial | Ad-hoc | Security is reactive and inconsistent. No formal policy. Security addressed only when incidents occur or auditors demand it. | No policy; no templates; security findings in project post-mortems only | Unstructured startups; very small businesses |
| 2, Developing | Basic Policy | Project security policy exists but is not enforced. Security is a checklist item. Some projects have security requirements; most do not. | Policy document; basic checklist; inconsistent application across projects | SMEs beginning ISO 27001 journey; 1-2 security-conscious PMs |
| 3, Defined | Standardized | Formal policy enforced. All projects have security classification and risk assessment. Security gates defined and followed for Critical projects. PSO role exists. | Policy + procedure + templates; 100% Critical project coverage; PM tool integration; training program | Growing companies pursuing certification; 250-5000 employees |
| 4, Managed | Measured | Security metrics collected and reviewed. Security gates automated where possible. Shift-left testing (SAST/DAST in CI/CD). Threat modeling standard for High/Critical. Continuous improvement active. | Dashboard with KPIs; automated gates; CI/CD security integration; quarterly improvement reviews; pen testing for all High/Critical | Large enterprises; mature SaaS companies; banks |
| 5, Optimizing | Strong | AI-assisted risk scoring. Real-time security monitoring of projects. Security is a competitive advantage. Industry leadership in secure development. Continuous feedback from production to project templates. | Predictive risk analytics; automated threat intelligence integration; industry contributions; zero post-go-live incidents; security innovation program | Global tech leaders; top-tier banks; defence organizations |
Improvement Triggers and Actions
| Trigger | Action | Responsible | Timeline |
|---|---|---|---|
| Security gate failure rate >15% | Root cause analysis of failed gates; template/process refinement | PMO + CISO | 2 weeks |
| Post-go-live security incident | Incident retrospective; project security process review; template update if needed | Security Operations + PSO | 1 week |
| New regulation (e.g., DPDP Act amendment) | Policy review; regulatory mapping update; training on new requirements | Compliance Officer + CISO | 4 weeks |
| New technology introduction (e.g., AI/LLM) | Update threat modeling methodology; create secure AI development playbook; train architects | Security Architect + CISO | 6 weeks |
| Major security breach in industry | Industry threat analysis; review of similar projects; control enhancement | CISO + Threat Intelligence | 2 weeks |
| Customer audit finding | Corrective action; process update; evidence enhancement | PSO + CISO | 1 week |
| ISO 27001 surveillance non-conformity | Corrective action plan; root cause analysis; preventive action | CISO + Internal Audit | 4 weeks |
| Annual management review | Full policy and framework review; KPI trend analysis; improvement plan | CISO + PMO | Annual |
FAQ
General Questions
Q1: Does A.5.8 apply to non-IT projects? A: Yes. The standard explicitly states "regardless of the type of project." This includes HR projects, marketing campaigns, office renovations, M&A activities, and research projects. Any project that introduces change to the organization or handles information must address security.
Q2: What is the difference between A.5.8 and A.8.25? A: A.5.8 is the project management control, it ensures security is addressed at the project level (planning, governance, risk, resources). A.8.25 is the technical development control, it ensures security practices are embedded in the software development lifecycle (requirements, design, code, test). For software projects, you need both. A.5.8 governs the project manager; A.8.25 governs the development team.
Q3: Do we need a full-time Project Security Officer for every project? A: No. For Critical projects, a dedicated or heavily supported PSO is recommended. For High projects, a part-time PSO (20-30% allocation) is sufficient. For Medium projects, a trained project manager can act as PSO with security team support. For Low projects, the standard PM process with a security checklist is adequate. The key is that security accountability is named, not that it is a separate headcount.
Q4: How do we handle security in Agile/Scrum projects where requirements change frequently? A: Integrate security into the sprint rhythm: Sprint 0 for threat modeling and security requirements; every sprint for security review in retrospectives; automated SAST/DAST in CI/CD; release planning for security risk review; pre-release for security acceptance. Security in Agile is about continuous attention, not phase gates.
Q5: What percentage of project budget should be allocated to security? A: Industry benchmarks suggest 8-15% for Critical projects, 5-10% for High, 3-5% for Medium, and 1-2% for Low. However, the percentage varies by industry. Fintech and healthcare projects often spend 15-20% on security. A manufacturing IT refresh might spend 3-5%. The key is that security is explicitly budgeted, not treated as a contingency.
Q6: Can we use the same risk assessment for multiple projects? A: No. A.5.8 requires security to be addressed in project management "regardless of the type of project." Each project introduces unique risks based on its scope, technology, data, and third parties. While organizational risks provide context, each project must have its own risk assessment. Using a generic risk assessment is a common audit failure.
Implementation Questions
Q7: We have no formal PMO. Can we still comply with A.5.8? A: Yes. A.5.8 does not require a PMO. It requires that security be addressed in project management. For organizations without a PMO, define a lightweight process: classify the project, assign a PSO, conduct a risk assessment, define security requirements, review at milestones, and sign off before go-live. Use templates to make this repeatable.
Q8: How do we enforce project security when business teams bypass IT for SaaS projects? A: This is shadow IT and a major security risk. Implement a project intake process where all projects, including SaaS procurement, must register with IT/Security. Use a lightweight security assessment for SaaS projects (vendor SOC 2 review, data residency check, DPA requirement). Make it easy to comply, not bureaucratic, but ensure no project goes live without security review.
Q9: What is the minimum viable project security process for a 20-person startup? A: For startups, keep it simple but documented: (1) Security checklist for every project, (2) One person named as security lead (founder/CTO), (3) Risk assessment for any project handling customer data, (4) Security review before go-live, (5) Basic documentation. As you grow, add templates, automated testing, and dedicated PSOs.
Q10: Should security gates be automated or manual? A: Start with manual gates for the first 6-12 months. Once the process is mature, automate what you can: SAST/DAST pass/fail in CI/CD, vulnerability threshold checks, compliance checklist completion in ServiceNow/Jira. Keep human judgment for architecture reviews, threat modeling, and final go-live decisions. Automation should support, not replace, security expertise.
Q11: How do we integrate A.5.8 with our existing SDLC (Waterfall, Agile, DevOps)? A: Map your existing phases to the security activities in Section 8 of this guide. For Waterfall, add security gates at the end of each phase. For Agile, add security to Sprint 0 and every sprint retrospective. For DevOps, embed security tools in the CI/CD pipeline and use automated gates. The activities are universal; the timing adapts to your methodology.
Q12: What is the difference between a security gate and a security review? A: A security review is an activity where security is evaluated. A security gate is a decision point where the project cannot proceed until security criteria are met. All gates include reviews, but not all reviews are gates. For example, a monthly security review is informational; a go-live security gate is a hard stop.
Audit and Compliance Questions
Q13: What evidence do auditors typically ask for A.5.8? A: Auditors will sample 3-5 projects (active and closed) and ask for: project classification, risk assessment, security requirements, threat model (if applicable), SAST/DAST reports, pen test report, security acceptance sign-off, and lessons learned. They will also interview the PM and PSO to verify the process is understood and followed.
Q14: Can a project go live with known security vulnerabilities? A: Only if the risk is formally accepted by the appropriate authority (CISO for High/Critical; board for catastrophic). The acceptance must document the vulnerability, the compensating controls, the risk impact, and the remediation timeline. "We'll fix it later" without formal acceptance is an audit failure and a breach waiting to happen.
Q15: How does A.5.8 relate to DPDP Act 2023 compliance? A: The DPDP Act requires "reasonable security safeguards" (Section 8(5)) and additional safeguards for children's data (Section 9). A.5.8 ensures that these safeguards are designed into projects from the start. Projects handling personal data must include DPDP requirements in their security requirements, conduct a data protection impact assessment (DPIA) for high-risk processing where applicable, and verify compliance before go-live.
Q16: What happens if we fail a security gate? A: The project cannot proceed past the gate until the failure is addressed. The PSO documents the failure, the remediation plan, and the timeline. The project manager reschedules downstream activities. For repeated failures, escalate to the CISO and PMO Director for process review. Failing a gate is not a punishment; it is a mechanism to prevent vulnerable systems from reaching production.
Q17: Do we need penetration testing for every project? A: No. Penetration testing is required for Critical projects and recommended for High projects. Medium projects can use DAST. Low projects may rely on standard hardening and vulnerability scanning. However, if a project handles sensitive data or has internet-facing components, consider pen testing regardless of classification. The goal is risk-appropriate testing, not blanket testing.
Q18: How do we manage project security for outsourced development? A: Apply A.5.9 (Supplier Relationships) alongside A.5.8. Include security requirements in the RFP and contract. Require the vendor to follow your security standards or equivalent (e.g., their ISO 27001). Conduct vendor security assessments. Include security acceptance criteria in deliverables. Require the vendor to provide SAST/DAST reports and pen test results. Include right-to-audit clauses.
Q19: How long should we retain project security evidence? A: Singahi recommends project duration + 7 years. This covers ISO 27001 surveillance audits (3 years), DPDP Act requirements, RBI/SEBI retention rules, and potential legal proceedings. For systems that remain operational long after the project closes, maintain security documentation as long as the system exists.
Q20: Can we use open-source tools for project security? A: Yes. Many excellent open-source tools exist: OWASP ZAP (DAST), SonarQube Community Edition (SAST), OWASP Dependency-Check (SCA), GitLeaks (secrets), OWASP Threat Dragon (threat modeling). Open-source tools are sufficient for compliance if they are properly configured, maintained, and their output is documented. However, enterprise editions often provide better reporting, integration, and support, which may be worth the investment for larger organizations.
References and Further Reading
ISO Standards
- ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection, Information security management systems, Requirements
- ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection, Information security controls, Clause 5.8
- ISO/IEC 27003:2017, Information security management system, Guidance
- ISO/IEC 27005:2022, Information security risk management
- ISO/IEC 27007:2020, Guidelines for information security management systems auditing
- ISO/IEC 27034:2021, Application security, Multiple parts
Indian Regulations and Guidelines
- Digital Personal Data Protection Act 2023, Government of India, Ministry of Electronics and Information Technology
- Information Technology Act 2000 (as amended in 2008), Government of India
- CERT-In Directions 2022, Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology
- RBI Master Direction on Digital Payment Security Controls, Reserve Bank of India, 2021
- SEBI Circular CIR/MIRSD/2/2011, Cyber Security and Cyber Resilience framework for Stock Exchanges, Depositories, and Clearing Corporations
- SEBI Circular SEBI/HO/MIRSD/CIR/P/2022/70, Cyber Security and Cyber Resilience framework for AMCs, KYC Registration Agencies, and other SEBI-regulated entities
- IRDAI Guidelines on Information and Cyber Security for Insurers, Insurance Regulatory and Development Authority of India, 2017
- MeitY Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- National Cyber Security Policy 2013, Ministry of Electronics and Information Technology
International Frameworks
- NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations
- NIST Cybersecurity Framework (CSF) 2.0, National Institute of Standards and Technology, 2024
- CIS Controls v8, Center for Internet Security
- COBIT 2019, Control Objectives for Information and Related Technologies, ISACA
- PCI DSS v4.0, Payment Card Industry Data Security Standard
Secure Development and Project Security
- OWASP Software Assurance Maturity Model (SAMM), Open Web Application Security Project
- OWASP Application Security Verification Standard (ASVS) 4.0, Open Web Application Security Project
- OWASP Top 10:2021, Open Web Application Security Project
- Microsoft Security Development Lifecycle (SDL), Microsoft Corporation
- BSIMM14 (Building Security In Maturity Model), Synopsys
- SAFECode Fundamentals of Software Security, Software Assurance Forum for Excellence in Code
Threat Modeling and Architecture
- Adam Shostack, Threat Modeling: Designing for Security, Wiley, 2014
- Microsoft Threat Modeling Tool Documentation, learn.microsoft.com
- OWASP Threat Dragon, threatdragon.org
Industry Reports and Statistics
- Verizon Data Breach Investigations Report (DBIR) 2024, Verizon Business
- IBM impact of a Data Breach Report 2024, IBM Security
- CERT-In Annual Report 2023-2024, Indian Computer Emergency Response Team
Project Management Standards
- PMBOK Guide 7th Edition, Project Management Institute
- PRINCE2 7, AXELOS / PeopleCert
- SAFe 6.0, Scaled Agile Framework