By contrasting the ISO/IEC 27001 Information Security Management System (ISMS) and the Project Management Body of Knowledge (PMBOK), you will realize there are many benefits and synergies to capitalize on. With over 20 years of experience as a project manager, I have witnessed firsthand where PMBOK had its shortfalls, and creativity was brought in to get the job done. These shortfalls often relate to culture and operations.
The PMBOK 7th edition introduces a value delivery system that is less prescriptive and more principle-based, making it more adaptable to various projects and environments. This edition includes eight performance domains that align with the ISMS through ISO/IEC 27001. Rather than focusing solely on completing project processes accurately as a measure of success, the 7th edition shifts to delivering value and aligning project outcomes with organizational goals.
Upon receiving my ISO/IEC 27001 certification, I reflected on my prior clients and realized how many were unknowingly working towards an ISMS. ISO/IEC 27001 incorporates people, process, and technology controls to protect valued assets from multiple angles. It is designed to be applicable to any organization or industry. While most frameworks are specific to an industry or function, such as CIP or NIST, ISO/IEC 27001 can be used across any industry or function and increases the chances of success because it addresses the business side as well.
After managing a variety of CIP, NIST CSF, risk management, CIS, privacy, and ISO projects, I find ISO/IEC 27001 to be the most thorough and practical. I highlight ISO standards because of the management system they bring into focus. The cohesive collection of people, processes, and technologies integrates to strengthen your information security.
All the mentioned frameworks or regulations hold significant value for prescribing specific outcomes and programs in targeted environments. The challenge comes when implementing projects within an organization’s culture and structure. These frameworks often assume that culture and structure will not be an issue, so neither is considered during implementation; each framework focuses only on its own purpose within its target environment. ISO/IEC 27001, however, considers these variables.
Take security patch management, for example. When a security patch is released, you must examine its applicability, assess the vulnerability and risk, and decide when to implement it or compensate with mitigating controls. Each regulation, framework, or standard holds its own specific requirements, which may add to or remove from security patch management. This process is clear in its steps, but applying it to an organization that did not do this before requires several controls. Resistance to the new process, new policies, overloaded tasks, different constraints and rules in the IT and OT environments, commitments to new measures, and escalation to leaders are only a few factors to consider.
I’m not trying to single out PMBOK and shame it in comparison to the ISMS. Instead, I’d like to highlight the benefits of marrying the two. As a project manager, I have seen many projects where the project structure was different from the enterprise’s. Specific deliverables were needed but weren’t compatible with operations. This happens more often than one might think, whether admitted or not. But if projects took an approach similar to the ISMS, new opportunities might be discovered.
When I say ISO/IEC 27001 can be used, I don’t mean to get certified or to voluntarily implement it fully. A fully implemented ISMS would, of course, strengthen your entire security posture, but it can be cherry-picked to your requirements and evolved from there.
Projects have a finite beginning and end, while an ISMS takes both forms: a project implements the ISMS, and operations then continue it. The ISO/IEC 27001 Lead Implementer course actually recommends using PMBOK practices for reliable implementation of an ISMS. PMBOK may fall short on culture and structure, and the ISMS fills this gap. Training, awareness, competencies, management meetings, integration with external regulations, and risk management are only a few aspects to mention.
The PMBOK 7th edition focuses on flexibility and value, just as ISO/IEC 27001 does. One size does not fit all. As with the examples provided above, practicing the same approach across a project and operations creates a streamlined program. Changes will happen as the business evolves, and merely completing processes in accordance with a standard does not equate to success.
The primary takeaway I’d like to impress upon you is the benefit of marrying the two. Understand the operations through ISO/IEC 27001 requirements and bake them into your project implementation using the PMBOK. Aligning your project with organizational goals and objectives creates continuity in operations. When managing a project, a standard like ISO/IEC 27001 should support your project activities by highlighting where to focus more effort.
For more information about the benefits of ISO/IEC 27001, I invite you to download our presentation on “ISMS Program Benefits” or reach out to us directly.