Organisational | Preventive | Identify

A.5.8 Information Security in Project Management

M365 Admin Path: Azure DevOps > Project Settings

Evidence Source: Azure DevOps

What is this control?

ISO 27001 control A.5.8 Information Security in Project Management integrates information security throughout the project management lifecycle. Security requirements, risk assessments, and controls must be defined, approved, and embedded into project management and development processes, ensuring security is addressed from inception through completion. This control applies to both internal development projects managed in Azure DevOps and procurement projects requiring vendor security assessment.

How to implement in Microsoft 365

Implement A.5.8 by customising the Azure DevOps inherited process so that work item types carry mandatory security fields: Security Requirements, Privacy Impact Assessment, Identity and Access Requirements, Logging and Monitoring Requirements, and Data Classification. Add process rules that make these fields required when an item moves to the In Development state, so a work item cannot leave planning until they are completed. Require formal CISO approval, recorded in the work item's discussion history, before development proceeds.

Configure branch policies on main that require at least one reviewer other than the author, reset approvals when new commits are pushed, and include a build validation policy that runs the Microsoft Defender for DevOps scan and blocks pull request completion on failure. Because a required branch policy blocks direct pushes for anyone without the Bypass policies when pushing permission, deny that permission to all but a break-glass group so that every change reaches main through a pull request. Apply the same security framework to procurement projects through vendor security assessment questionnaires.
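The branch policy configuration described above can be verified from the JSON that the Azure DevOps REST API returns, which is also the form in which it is usually exported as audit evidence. The following is an added example, not code from the original page or from Microsoft: it evaluates the `value` array of `GET https://dev.azure.com/{org}/{project}/_apis/policy/configurations?api-version=7.1` against the A.5.8 expectations (blocking reviewer policy, author cannot self-approve, approvals reset on push, blocking build validation) and returns the gaps. The policy type GUIDs are the published Azure DevOps Services values and should be confirmed against `_apis/policy/types` in your organisation; the sample policy objects are constructed.

```python
"""Evaluate exported Azure DevOps branch policies on main (added example)."""

# Policy type IDs as published for Azure DevOps Services. Confirm them with
# GET .../_apis/policy/types in your own organisation before relying on this.
MIN_REVIEWERS = "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"
BUILD_VALIDATION = "0609b952-1397-4640-95ec-e00a01b2c241"

_MAIN_SCOPE = [{"refName": "refs/heads/main", "matchKind": "Exact",
                "repositoryId": "00000000-0000-0000-0000-000000000001"}]  # constructed

# Constructed sample: one reviewer required, but the author may approve their own
# PR, approvals survive new pushes, and nothing runs the Defender scan.
WEAK_POLICIES = [
    {"id": 1, "isEnabled": True, "isBlocking": True, "isDeleted": False,
     "type": {"id": MIN_REVIEWERS, "displayName": "Minimum number of reviewers"},
     "settings": {"minimumApproverCount": 1, "creatorVoteCounts": True,
                  "allowDownvotes": False, "resetOnSourcePush": False,
                  "scope": _MAIN_SCOPE}},
]

# Constructed sample meeting the bar described in the text.
COMPLIANT_POLICIES = [
    {"id": 2, "isEnabled": True, "isBlocking": True, "isDeleted": False,
     "type": {"id": MIN_REVIEWERS, "displayName": "Minimum number of reviewers"},
     "settings": {"minimumApproverCount": 1, "creatorVoteCounts": False,
                  "allowDownvotes": False, "resetOnSourcePush": True,
                  "scope": _MAIN_SCOPE}},
    {"id": 3, "isEnabled": True, "isBlocking": True, "isDeleted": False,
     "type": {"id": BUILD_VALIDATION, "displayName": "Build"},
     "settings": {"buildDefinitionId": 17, "displayName": "Defender for DevOps scan",
                  "queueOnSourceUpdatePush": True, "manualQueueOnly": False,
                  "validDuration": 720, "scope": _MAIN_SCOPE}},
]


def _policies_for(configurations, ref_name):
    """Enabled, non-deleted policies whose scope includes ref_name."""
    out = []
    for p in configurations:
        if not p.get("isEnabled", False) or p.get("isDeleted", False):
            continue
        scopes = p.get("settings", {}).get("scope", [])
        if any(s.get("refName") == ref_name for s in scopes):
            out.append(p)
    return out


def evaluate_branch_policies(configurations, ref_name="refs/heads/main"):
    """Return a list of findings; an empty list means the branch meets the bar."""
    findings = []
    active = _policies_for(configurations, ref_name)
    reviewers = [p for p in active if p["type"]["id"] == MIN_REVIEWERS]
    builds = [p for p in active if p["type"]["id"] == BUILD_VALIDATION]

    if not reviewers:
        findings.append("no minimum-reviewers policy")
    else:
        p, s = reviewers[0], reviewers[0]["settings"]
        if not p.get("isBlocking", False):
            findings.append("reviewer policy is optional (isBlocking=false)")
        if s.get("minimumApproverCount", 0) < 1:
            findings.append("minimumApproverCount is 0")
        if s.get("creatorVoteCounts", False):
            findings.append("author may approve own PR (creatorVoteCounts=true)")
        if not s.get("resetOnSourcePush", False):
            findings.append("approvals survive new pushes (resetOnSourcePush=false)")

    if not builds:
        findings.append("no build validation policy (scan cannot gate the PR)")
    else:
        p, s = builds[0], builds[0]["settings"]
        if not p.get("isBlocking", False):
            findings.append("build validation is optional (isBlocking=false)")
        if s.get("manualQueueOnly", False):
            findings.append("build validation is manual-queue only")

    # With no blocking policy at all, Azure DevOps does not stop direct pushes.
    if not any(p.get("isBlocking", False) for p in active):
        findings.append("no blocking policy: direct pushes to main are not prevented")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_POLICIES), ("compliant", COMPLIANT_POLICIES)):
        print(name, evaluate_branch_policies(cfg) or ["OK"])
```

Run it against a real export by loading the `value` array with `json.load` and passing it to `evaluate_branch_policies`. The check deliberately ignores disabled and deleted policy records, which the API still returns, because an auditor will only credit policies that are in force. Confirming that the build definition referenced by `buildDefinitionId` actually runs the Defender for DevOps task is a separate check against the pipeline definition.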

What an auditor looks for

Auditors will verify that ADO work item templates contain mandatory security fields covering Security Requirements, PIA, Identity and Access, Logging and Monitoring, and Data Classification. They will check the work item discussion history for evidence of CISO approval recorded before the item entered the In Development state. Auditors will review the branch policy configuration on main to confirm that pull requests, peer review, and a passing Defender for DevOps scan are required and blocking.

They will verify that no commits reached the main branch other than through completed pull requests. Auditors will examine service principal and pipeline identity configurations for time-limited, just-in-time (JIT) RBAC assignments rather than standing privileges, and review the vendor assessment questionnaires completed for procured services.
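Producing the "no direct commits to main" evidence is more than reading the branch policy, because the policy may have been enabled late or bypassed. The following is an added example, not code from the original page or from Microsoft: it walks the first-parent history of main using commit objects in the shape returned by `GET https://dev.azure.com/{org}/{project}/_apis/git/repositories/{repo}/commits?api-version=7.1` (fields `commitId`, `parents`, `comment`, `author.date`) and flags commits after the policy start date that are neither pull request merge commits nor the squash commit of a completed pull request. The sample history is constructed; the `Merged PR <n>:` comment prefix is what Azure DevOps writes on squash completions and is used only as a fallback when the list of completed PR merge commits is not supplied.

```python
"""Flag commits that reached main without a pull request (added example)."""

# Constructed history, newest first. c4 was pushed straight to main after the
# policy start date; c3 is a PR merge commit; c2 is the squash commit of a
# completed PR; f1 lives on the feature branch; c1 is the root commit from
# before the policy was enforced.
COMMITS = [
    {"commitId": "c4", "parents": ["c3"], "comment": "hotfix: bump version",
     "author": {"name": "dev", "date": "2024-03-02T10:00:00Z"}},
    {"commitId": "c3", "parents": ["c2", "f1"],
     "comment": "Merged PR 42: add request logging",
     "author": {"name": "dev", "date": "2024-03-01T09:00:00Z"}},
    {"commitId": "f1", "parents": ["c2"], "comment": "add request logging",
     "author": {"name": "dev", "date": "2024-02-28T09:00:00Z"}},
    {"commitId": "c2", "parents": ["c1"],
     "comment": "Merged PR 41: initial auth module",
     "author": {"name": "dev", "date": "2024-02-10T09:00:00Z"}},
    {"commitId": "c1", "parents": [], "comment": "initial commit",
     "author": {"name": "dev", "date": "2023-12-01T09:00:00Z"}},
]


def first_parent_chain(commits, head):
    """Yield commits along the first-parent line from head back to the root."""
    by_id = {c["commitId"]: c for c in commits}
    cur = by_id.get(head)
    while cur is not None:
        yield cur
        cur = by_id.get(cur["parents"][0]) if cur["parents"] else None


def direct_commits(commits, head, since, pr_merge_commits=frozenset()):
    """Return IDs of first-parent commits authored at or after `since`
    (ISO 8601 UTC, compared lexically) that did not arrive via a pull request.

    pr_merge_commits should hold the lastMergeCommit.commitId values of
    completed PRs from the pull request API; the 'Merged PR <n>:' comment
    prefix is a fallback when that list is not available.
    """
    flagged = []
    for c in first_parent_chain(commits, head):
        if c["author"]["date"] < since:
            continue  # predates enforcement of the PR-only policy
        if len(c["parents"]) > 1:
            continue  # merge commit produced by completing a PR
        if c["commitId"] in pr_merge_commits or c["comment"].startswith("Merged PR "):
            continue  # squash completion of a PR
        flagged.append(c["commitId"])
    return flagged


if __name__ == "__main__":
    print(direct_commits(COMMITS, "c4", since="2024-01-01T00:00:00Z"))
```

Two caveats for anyone turning this into evidence. A two-parent commit is treated as a PR merge, but a user with bypass permission can push a locally created merge commit, so the authoritative check is to correlate each first-parent commit with a completed pull request from the PR API and pass those IDs in `pr_merge_commits`. Repositories that complete PRs with a rebase and fast-forward strategy produce single-parent commits carrying the original messages, and for those the PR's full commit range, not just `lastMergeCommit`, has to be supplied.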