
Project Management Policy

© Distributed by Resilify.io under a Creative Commons Share Alike License.
Version Control

Owner    Version   Edited By   Date         Change History
IS Rep   0.1       Assent      22/03/2017   First Draft

Distribution

Held By   Format               Location   Comments
          Digital / Physical

Status (X marks the current status)

    Status                  Approved By     Date
X   Working                                 DD/MM/YYYY
    Draft
    Provisional Approval
    Publication

Classification (X marks the selected classification)

X   Confidential
    Restricted
    Unclassified

Relevance to Standard

Standard             Clause       Title
[ISO 27001:2013]     [A.6.1.5]    [Information Security in Project Management]

License

Licensed by Assent Risk Management via Resilify.io under a Creative Commons Share Alike License.

Contents

Project Management Policy
1.0 Overview
2.0 Policy
2.1 Definition of a Project
2.2 Business Case
2.3 Project Initiation Document
2.4 Information Security
2.5 Project Planning
2.6 Communication
2.7 Project Close

Project Management Policy

1.0 Overview

From time to time the organization may be required to run formal projects. This
policy sets out the overarching project management approach, including
consideration of the information security aspects of projects.

2.0 Policy

2.1 Definition of a Project

An activity will be deemed a project where the following criteria are met:

 The activity’s purpose is to implement a major change, or a significant
number of smaller changes, according to a defined business case.
 The activity is intended to be temporary, to achieve a specified result
or set of deliverables.

2.2 Business Case

Before starting a project, a business case will be defined. It will include:

 Why do we need to undertake this project?
 What are the business benefits?
 What are the risks?
 What are the potential costs?
 How long will the project take?

The business case must be approved by a board member or other senior
authority within the company before proceeding to section 2.3.

2.3 Project Initiation Document

When the business case has been approved, a project manager should be
designated. This may be an additional role for an existing staff member, a
dedicated member of staff or an external third party.

Where third parties are used, ensure the proper [Purchasing or
Procurement process] is followed.

The project manager should engage with all relevant parties to expand the
business case and produce a project initiation document.

The Project Initiation Document should contain:

 Background to the Project
 Objectives
 Scope and Exclusions
 Outline Project Deliverables
 Project Team
 Controls and Constraints
 Project Interfaces
 Tolerances 
 Quality Expectations
 Acceptance criteria
 Risk Log – including Information Security Risks
 High Level Project Plan
 Key Milestones

2.4 Information Security

It is important to maintain an acceptable risk profile during a project, when
people, information assets and situations may be changing.

The project risk log should consider any changes that could affect information
security at all stages of the project, and within the deliverables.

The project risk log should include mitigating controls, including those from
ISO 27001 Annex A.

Where the way these controls are implemented on the project differs from the
organization's usual implementation, a separate project Statement of
Applicability (SOA) should be considered.

All staff affected by project risks should be made aware of the associated
controls, including when they are to be effective; regardless of whether
they are part of the project team or not.
2.5 Project Planning

The high-level project plan and key milestones will be expanded by the
project manager, working with relevant stakeholders at each stage.

Changes to the project plan will be communicated to all interested parties,
both internal and external.

2.6 Communication

A regular project meeting will be held to monitor progress against the
project plan and to ensure the project will still meet the original business
case.

Meetings may be held in person or via an online platform.

Any actions arising from these meetings will be communicated to all
interested parties.

2.7 Project Close

When all the identified deliverables have been met, or justifiably changed,
the project manager will close the project by passing all relevant
documentation to the operational team responsible for business as usual.

Lessons learnt from the project’s performance will be noted, where
possible, and template project documentation updated where necessary.

Project documentation will be archived.
