Understanding ISO 19650-5: security management plan and the appointment of teams

Cyber Security Data Protection Business Technology Privacy concept.
In the concluding instalment of a three-part series on ISO 19650-5, BIM Academy technologist Murillo Piazzi takes a closer look at the security management planning and cross-team collaboration.

While I was still a student of architecture, I remember being fascinated by the story of early 20th century architects. These architects designed whole buildings, from layout to structure, plumbing and electrical systems and then sometimes even visited the construction site to manage the construction work.

I still admire how complete their knowledge of the whole construction process was. For better or for worse, today few people in construction would consider taking a project through all its stages by themselves. Construction has become a fragmented industry with multiple disciplines contributing to the completion of a project. With this fragmentation comes the need to implement processes and technologies to support collaboration between participating teams.

Over the past few years, the implementation of BIM and the associated digitisation of information has been one of the main catalysts for increasing collaboration between delivery teams on projects.

As I have discussed in the previous instalments, this creates challenges from an information security viewpoint as information on buildings and civil engineering works may be more vulnerable. ISO 19650-5, which establishes a security-minded approach to the management of information in BIM-enabled organisations, describes a process to plan for and mitigate the risks associated with the digitisation of information.

“Who needs to have access to this information and for how long? What should they do with this information afterwards?”

Murillo Piazzi

In the previous article, we saw how ISO 19650-5 sets out a security triage process for the prioritisation of information’s sensitivity on projects. If the security triage process indicates that a security-minded approach should be implemented, then we could evaluate the risks associated with the sensitive pieces of information and possible mitigation measures in the security strategy. In this last instalment about ISO 19650-5, I am going to give an overview of what the standard defines as the security management plan and the appointment of teams that will carry out the information security tasks.

The security management plan

At this stage of the ISO 19650-5, the people involved with the process should have a good grasp of the security risks that arise from making information available to others, and the sensitivity of information on the project. They should also have a good knowledge of appropriate and proportionate measures for these risks. With this information to hand, we need to then define policies and processes to implement these mitigation measures across the organisation and project teams.

According to the security-minded approach, these should be recorded in a document called the “security management plan”.

Let’s look at an example of what this entails in practice. If we imagine a project in which certain pieces of information, such as the location of optic cables, power connections, etc., are vital to how the facility works and where the disruption of the activities in this facility could have serious consequences – a data centre, for example. Throughout the project, various teams are collaborating to produce information about plant, equipment and other assets that will be collated on different locations and formats.

Information on the project could potentially contain the location and the types of all maintainable assets in the facility. Having this information readily available in a structured way could enhance operations and maintenance tasks, and have a positive impact on emergency response and completion of service requests.

On the other hand, this is a distilled collection of strategic information that could be used in a wide range of negative ways – anything from causing minor nuisance to wide-scale terrorism.

Therefore, at the security management plan stage, we need to establish the actions needed to secure the sensitive information that will be shared with people within and outside of our organisations. Do we really need to share every detail about strategic infrastructure? Which details can be shared with the wider team, and which should be protected? Who needs to have access to this information and for how long? What should they do with this information afterwards? How will we act if this information is leaked?

These are the types of questions that should be answered as part of the security management plan, which will delineate the tasks for establishing a security-minded approach.

The appointments

“We might have to share sensitive information with teams that are not yet bound contractually to the project. Which steps must be taken for the security management plan to remain effective?”

Murillo Piazzi

It is unlikely that the information security policies, processes and subsequent tasks specified in the security management plan will be carried out by a single organisation or team across the lifecycle of a project. This is where the process described in ISO 19650-5 can deliver real value.

While other information security processes (e.g. ISO 27001) support the definition of information security requirements for individual organisations, the security-minded approach described in ISO 19650-5 repeatedly considers how these requirements will be developed, implemented and monitored across multiple organisations.

The standard has a whole section on how the security requirements established in previous steps should be communicated throughout the pre-appointment, appointment, post-appointment and end-of-appointment stages of a project, as each of these stages has its specificities.

For example, in the pre-appointment stage, we might have to share sensitive information with teams that are not yet bound contractually to the project. Which steps must be taken for the security management plan to remain effective at this stage? In the appointment stage, which clauses should be added to the scope of services of one team or another to allocate security management functions to the delivery teams? Will these functions be inherited by subcontracted teams?

The analysis and definition of the security aspects on appointments conclude the cycle of implementation of the process described in ISO 19650-5. The standard sets out a comprehensive process for addressing one of the most fundamental weaknesses in contemporary information management with BIM, the security aspect, jump-starting it to a position appropriate for the current world.

Arguably, prior to BIM, information was more secure by the simple fact that it was not digitised or structured. However, even then, very few people ever considered the security aspects of the information they were producing and sharing with others. As with many other aspects of the construction industry, BIM just exacerbated something that was not working quite so well.

Now we have the opportunity to get things right and deliver real value to our clients by making their assets more efficient, secure and resilient than ever.

Don’t miss out on BIM and digital construction news: sign up to receive the BIMplus newsletter.

Story for BIM+? Get in touch via email: [email protected]

Latest articles in Explainers