Surely everyone knows what information security is, right? Well, not always. We often find that people think information security is just about IT security or privacy. In fact, it’s important to understand how cyber security fits within data protection and the UK GDPR, and the security measures you can take to help support your organisation’s compliance efforts. As such, we thought we’d write a blog covering some of the basics and questions we often get asked about information security.
For an overview of common data protection terms, read our data protection key terms.
What is Information Security?
Information security involves the protection of information from unauthorised access, use, distribution, manipulation, loss, or deletion. It can be any kind of information, from the personal data of customers and employees to private corporate information such as trade secrets and strategic plans.
It applies to information and information systems (the IT systems used to store and process data), but the information doesn’t have to be on an IT system. It is about protecting information in all formats, including information on paper and information known to people that they could disclose verbally.
This is a wide topic and good information security is as much about policies, training, supplier management, HR security, and other non-technology topics as it is about IT security. It also covers the availability and integrity of information, as covered below. We also have a blog on the role of an information security consultant here.
Increasingly ‘cyber security’ and ‘information security’ are used interchangeably, but this isn’t quite right. Cyber security is a narrower field and is focused on protecting systems, applications, data and assets from internet-based threats. As such, the focus of cyber security is much more technical but policies and awareness also play a key role in good cyber security.
The CIA Triad
Information security is about the protection of the Confidentiality, Integrity and Availability of information. This is often referred to as the ‘CIA’ triad which aims to ensure the following:
Confidentiality: Means that information is not available or disclosed to unauthorised people, entities or processes.
Integrity: Means information is complete and accurate, and protected from corruption.
Availability: Means information is accessible and usable as and when authorised users require it.
In our experience, the importance of confidentiality is well known but integrity and availability are less well understood as information security concepts.
It is becoming more common to also see resilience as a core component of information security but for now the CIA (rather than CIAR) model remains the established definition for information security.
Information Security Management Systems (ISMS)
If you want to demonstrate mature information security management, covering planning, implementation, review and continual improvement of your security measures, then you should consider implementing an Information Security Management System (ISMS). This can sound daunting, but an ISMS is not a ‘set and forget’ task: it should be treated as a living thing that evolves as the business grows. Fortunately, a good external provider can help you manage your ISMS, which takes the heavy lifting away from you and your team.
An ISMS is a management system that addresses process, people and technology considerations, the aim being to identify and manage security risks and to have steps in place to respond to and address security incidents. You can demonstrate that your ISMS meets a globally recognised standard by certifying it against the ISO 27001:2022 standard. If you’re unsure what ISO standards are, you’ll find everything you need to know in our ISO standards knowledge hub. You can also download our complete Guide to ISO 27001 for free here.
Your ISMS will cover far more than just IT or cyber security. The risks and controls it addresses include policies, organisation of information security, HR security, information asset management, supplier security, incident management, business continuity and compliance (as well as technical risks and controls). You will need to address the context of your organisation, your interested parties (customers, employees, shareholders, regulators etc.) and take a formal approach to roles, responsibilities, document management, risk identification, monitoring, auditing, and continual review.
Implementing an effective ISMS can also help demonstrate compliance with laws and regulations such as the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Network and Information Systems Regulation (NIS). However, a cautionary note on this point: your reason for establishing an ISMS should not be regulatory compliance alone. If it is, the ISMS runs the risk of becoming a box-ticking exercise rather than improving your overall information security.
Key Considerations when improving cyber security
If you are starting to think about improving information security, our advice is to compare your practices against best practice guidance such as Cyber Essentials, on which we recently published a guide, or 10 Steps to Cyber Security. If you need help assessing your security practices against these, we can help.
We recommend you adopt a zero-trust model. Zero trust is an increasingly common approach which, at its simplest, can be summed up in the phrase: “trust no one, verify everyone.” No user, device or connection is trusted by default, and every request for access is verified.
Don’t just think about IT systems though. These are obviously critically important but think also about the information you hold and its importance to your business – and the impact it could have on your organisation if it was shared with a competitor, fell into the public domain, became unavailable to you, or was changed without authorisation and therefore became unreliable.
The chances are you can’t afford to protect all your information to the same degree – you likely have ‘crown jewel’ data that warrants a higher level of protection and security investment. This might be intellectual property, customer information, personal data, price lists or source code. As such, remember to identify your information assets, their value to your organisation and/or the impact if they were stolen or corrupted. Key questions to ask include:
- What information do you have?
- Where is it stored or processed?
- Do third parties handle it for you? What are they doing with it?
- Crucially, what would happen if you lost it?
Need help improving your security posture?
If you need help to assess your security posture, improve your controls or implement an ISMS, we can help. Wherever you are in this process, contact us for a friendly chat.