
If you are a security practitioner, you probably already do information security work every day, even if you do not call it that. If you are an information security implementer, you are likely trying to make that everyday work repeatable and sustainable. Either way, information security is not a product you buy, and it is not just a piece of technology. It is a discipline that protects what matters to the organization, so it can keep operating, meet its own commitments, and maintain trust in an increasingly competitive environment.

ISO-27000 defines information security as the preservation of confidentiality, integrity, and availability of information. It also notes that other properties, such as authenticity, accountability, non-repudiation, and reliability, can be involved. ISO-27001 then takes that concept and turns it into a management system that applies a risk management process, gives confidence to interested parties, and is integrated into the organization’s processes and management structure.

This post explains what information security is, what it is not, and how to think about it in a way that stays useful when you decide to start building your organization’s Information Security Management System (ISMS).

Start with the thing you are trying to protect: Information

Information is not just data in a database. Information is anything that conveys meaning and supports decisions or operations. It can be digital or physical. It can be structured or unstructured. It can exist in many places at once.

Examples that matter in real organizations

  • Customer information, including contracts, orders, invoices, support tickets, and correspondence.
  • Employee information, including payroll, performance records, medical leave documentation, and identity documents.
  • Intellectual property, including designs, source code, research results, and internal know-how.
  • Financial information such as forecasts, pricing models, and supplier terms.
  • Operational information such as procedures and run-books, network diagrams, asset inventories, and incident reports.
  • Strategic information such as due diligence reports, mergers, negotiations, and internal communications.

The point is simple: if you are only securing servers or applications, you might still be leaking information through email attachments, shared folders, printed documents, or even conversations in the cafeteria. Good information security starts by understanding where your information is stored, how it is moved around, and who needs access to it.

The CIA triad

The classic foundation of information security is the triad of confidentiality, integrity, and availability (CIA).

ISO-27000’s definitions for these three terms are intentionally short, as they must be applicable to every industry and organization regardless of its size. The CIA triad is a durable lens through which to evaluate what needs protecting and what can go wrong.

So let’s take a brief look at what each of these means.

Confidentiality

Means information is not made available or disclosed to unauthorized individuals or entities, or processed in an unauthorized way. In practice, failures in confidentiality show up as data breaches, unauthorized access, or information exposures, often through poor configuration or weak handling of information. Think about your medical records in the wrong hands.

Integrity

Is the property of accuracy and completeness. Integrity failures show up when records are altered without authorization, when changes are made without traceability, when systems produce incorrect outputs, or when data is corrupted. A finance report that is wrong can be just as damaging as one that is leaked.

Availability

Is the property of information being accessible and usable on demand by an authorized entity. Availability failures show up as outages, Denial of Service (DoS) attacks, ransomware, misconfigured updates, and single points of failure. For many organizations, availability is the first thing a business notices. The classic example is when a website is no longer working.

A helpful model is to treat the CIA triad as questions you should ask about any important piece of information, such as an asset or a process.

  1. Who should be allowed to see the information, and who must not be allowed to see it?
  2. How do I know the information is complete and accurate?
  3. How do I detect improper changes to the information?
  4. How do I ensure authorized people can use the information when needed, even during a disruption?

ISO-27000 reminds us, however, that information security is sometimes broader than CIA alone. That matters because organizations increasingly operate in complex ecosystems, where identity, trust, and evidence become just as important as secrecy and uptime.

Authenticity

In simple terms, authenticity is about whether something is what it claims to be. Is this user really the one I think he or she is? Is this system really the one I think it is? Is this email really from the person in the From field? Authenticity is connected to identity and access management and is also connected to supply chain security.

Accountability

Is about being able to associate actions with entities and hold them responsible. If something goes wrong, can you determine what happened? Who did what? And what was affected? Accountability depends on logging, monitoring, and governance, not just on technical controls.

Non-repudiation

Is about preventing an entity from denying an action. This becomes important when dealing with approvals, transactions, and communications. It shows up in digital signatures, audit trails, and controls that preserve evidence.

Reliability

Is about consistent, dependable operation and outputs. If your systems and processes are unreliable, your integrity and availability objectives suffer, and your organization loses trust internally and externally.

You do not need to treat these as separate programs. The point is to recognize when the CIA triad is not enough to describe what the business expects. Many organizations care intensely about proving what happened and demonstrating control, and not just about preventing unauthorized access.

What information security is not

Clarifying what information security is not helps you avoid common traps that derail early efforts.

It is not only cybersecurity.

  • Cybersecurity typically focuses on protecting systems, networks, and digital assets from attacks. Information security includes that, but it also includes people, processes, and physical handling of information.

It is not only compliance.

  • Compliance can be a driver, but compliance alone does not guarantee you are reducing meaningful risk. You can be compliant on paper and still be fragile in practice.

It is not only an IT department responsibility.

  • Information lives in every department. Human Resources, Finance, Sales, Operations, and leadership all create, process, and store information that matters. If information security is treated as an information technology issue, it will never match how the organization actually works.

It is not perfect security.

  • Security is a balance. The goal is to manage risk to acceptable levels, aligned with objectives, while keeping the organization functional.

It is not only about preventing incidents.

  • Prevention matters, but detection, response, and recovery are equally important. Many organizations become stronger not because they never have incidents, but because they handle incidents well, learn, and improve.

Why information security is a management topic

Even before you adopt ISO-27001, it is useful to understand why the standard treats information security as a management system topic rather than a purely technical one.

Organizations make trade-offs constantly. They decide where to invest, what to accept, and what to change. Those trade-offs must align with business objectives and risk appetite. That is a leadership responsibility.

ISO-27001 frames an ISMS as a strategic decision influenced by the organization’s needs and objectives, its security requirements, processes, size, and structure. The standard also expects these factors to change over time. This is a key idea. Information security is not static, and the organization is not static.

This is why management involvement matters:

  • Security objectives must support the business objectives.
  • Risk decisions require authority.
  • Resources must be allocated.
  • Policies must be enforced consistently.
  • Conflicts between security controls and business objectives must be resolved.

If leadership is absent, security becomes either purely reactive, or purely bureaucratic, or both.

Risk is the bridge between security and business reality

ISO-27001 explicitly ties the preservation of confidentiality, integrity, and availability to applying a risk management process. That is not an academic detail. It is how you avoid building controls that do not matter, and how you justify controls that do.

Risk, in information security, is the effect of uncertainty on objectives, and it is usually expressed as a combination of the likelihood of an event and its consequences. In plain language, risk is what could go wrong, how likely it is, and how bad it would be for the organization’s goals.

When you approach information security through risk:

  • You prioritize what matters.
  • You make trade-offs explicit.
  • You can explain security choices to non-specialists, such as management.
  • You can show improvement over time.

Without risk, information security becomes a random collection of controls, and the organization will question the value.

Practical examples: the same idea applied to different contexts

The definition of information security is stable, but its emphasis changes depending on context. Here are a few examples that illustrate how the CIA properties, and the additional properties, show up in real work.

Example 1: A hospital or clinic environment

  • Confidentiality is central because of sensitive patient information and legal obligations.
  • Integrity is critical because incorrect records can harm patients.
  • Availability is critical because outages can affect care delivery.
  • Accountability and reliability matter because evidence of actions and dependable systems are essential in clinical workflows.

Example 2: A software company

  • Confidentiality matters for source code, customer information, and roadmaps.
  • Integrity matters for build pipelines, releases, and configuration.
  • Availability matters for service uptime.
  • Authenticity and non-repudiation matter in approvals and deployments.
  • Accountability matters in access control and change management.

Example 3: A small professional services firm

  • Confidentiality is often the first priority because client trust is everything.
  • Integrity matters for contracts, invoices, and deliverables.
  • Availability matters because downtime kills productivity.

Practical controls often focus on identity, device security, backups, and secure collaboration, not on complex infrastructure.

The point is not to copy controls from another industry. The point is to start from information security properties and risk, then choose what fits.

How to recognize good information security, without obsessing over paperwork

Whether you aim for ISO-27001 certification or not, you can recognize good information security by the behaviour and outcomes it produces:

  • Employees know what information is sensitive and handle it accordingly.
  • Access is intentionally granted, reviewed periodically, and removed when no longer necessary.
  • Important changes are planned, tested, and traceable.
  • Incidents are detected, reported, and remediated in a timely and efficient manner.
  • Disaster recovery procedures are real and tested, and recoveries are practiced.
  • Suppliers are understood and managed, not just purchased.
  • Security is integrated into business processes and not just applied at the end.
  • Leadership can explain security priorities and why they are worth the effort.

This is also what makes the standard so powerful. It asks for a management system that can keep delivering these outcomes as the organization changes.

Now that we have an established understanding, grounded in ISO-27000’s definition of information security and ISO-27001’s management system framing, we have a foundation to build on. In upcoming posts, we will connect this definition to the following topics:

  • Why the ISO-27001 standard is so widely used.
  • How the ISO-27000 family fits together.
  • What an ISMS is, in practical terms.
  • How the clauses of ISO-27001 translate into real organizational practices.
  • How ISO-27001 Annex A provides a structured set of controls.