Security within projects, programmes and portfolios concerns the identification, assessment and mitigation of the risks posed to information, assets and people.


Organisations have a legal and a moral duty to protect their information, assets and people. In the P3 environment this is the responsibility of the P3 manager and the sponsor.

Security is a vital component in building trust with customers and partners whether they be businesses or individuals. It can also be a legal requirement, as in the need to secure confidential data.

It involves many different issues and solutions and requires a systems thinking approach taking into account people, process, technology and governance. Failure to operate in a holistic mode means that security vulnerabilities may be left open to exploitation.

The risks of loss and compromise must be assessed at all key stages of the work, either in the normal course of delivery or when significant change occurs.

Like quality, addressing security at the earliest stages of a project or programme is critical to ensuring that mitigation measures can be developed in as cost effective way as possible and with minimum disruption. In many cases, simple measures taken early can remove the requirement for much more costly and awkward measures later on. Security must be embedded at the concept and definition phases of the life cycle.

The P3 manager and sponsor must:

  • ensure that security goals are identified, meet stakeholder requirements and are integrated with relevant processes;
  • formulate, review and approve the security policy;
  • review the effectiveness of the security policy;
  • provide clear direction and visible management support for security initiatives;
  • provide the resources needed for security;
  • approve the assignment of specific roles and responsibilities for security across the P3 organisation;
  • initiate plans to maintain security awareness.

The approach to security should align with processes such as risk management, health and safety and organisational policy. The required level of security must be achieved without compromising delivery.

Join APM

Sign up to the APM Newsletter.