The integration points of these two work-streams is a fundamentally win or loose break-point for most organizations.

If someone were to try and convince me that the project manager of a non-security specific strategic initiative would hold security priority above business objectives I would have to say that will never happen! After all business requirements drive information security needs and information security professionals are business enablers.

This is why the adoption of the ISO 27001 management system with a governance committee overseeing the security program is fundamental if that governance committee represents the Executive portfolios across the organization and not just IT. The integration of control points defined in Annex A is equally crucial to ensuring that information security is seamless..

One of my more successful strategies is to collaboratively develop a one page risk assessment for the project manager to facilitate. Its added to a list of required PMO documents for every project. The 10 - 12 questions are weighted and if the conclusion exceeds a threshold the Information Security Office is engaged, if it doesn't the project carries on. Any risks that are identified are added to the project risk registry. The information security office audits the projects regularly to see if the process is working and if its being followed. Awareness training is provided to the project managers.