Two things that are often confused with each other: information technology (IT) security and information security. In the age of digitalization, information is usually processed, stored or transported with the help of IT - but information security is often even more analog than we think! In principle, IT security and information security are quite closely linked. A systematic approach is therefore required for effective protection of confidential information as well as IT.
CONTENT
Information security is more than just IT security. It focuses on the entire company. After all, the security of confidential information is not only aimed at data processed by electronic systems. Information security encompasses all corporate assets that need to be protected, including those on analog data carriers such as paper.
"IT security and information security are two terms that are not (yet) interchangeable."
The three essential protection goals of information security - confidentiality, availability and integrity - therefore also apply to a letter containing important contractual documents, which must arrive at its recipient's doorstep entirely in analog form, but nevertheless punctually, reliably and intact, transported by a courier. And these protection goals apply equally to an A4 sheet of paper that contains confidential information but is lying on an unattended desk for anyone to see or is waiting in the copier, freely accessible, for unauthorized access.
Thus, information security has a broader scope than IT security. IT security, on the other hand, refers "only" to the protection of information on IT systems.
ISO 27001: Information yes - but secure!
What do official bodies say? IT security is "a state in which the risks present in the use of information technology due to threats and vulnerabilities are reduced to an acceptable level by appropriate measures. IT security is therefore the state in which confidentiality, integrity and availability of information and information technology are protected by appropriate measures." According to the German Federal Office for Information Security (BSI).
In practice, a different approach is sometimes taken, using the rule of thumb "information security = IT security + data protection". However, this statement, written down as an equation, is quite striking. Admittedly, the issue of data protection under the GDPR is about protecting privacy, which requires processors of personal data to have both secure IT and, for example, a secure building environment - thus ruling out physical access to customer data records. However, this leaves out important analog data that does not require personal privacy. For example, company construction plans and much more.
The term information security contains fundamental criteria that go beyond pure IT aspects, but always include them. Thus, comparatively, even simple technical or organizational measures within the scope of IT security are always taken against the background of appropriate information security. Examples of this can be:
It is obvious that computers and complete IT systems in themselves would not need to be protected. After all, without information to be digitally processed or transported, hardware and software become useless.
The topic of CRITIS: The IT security law focuses on critical infrastructures from various sectors, such as electricity, gas and water supply, transportation, finance, food and health. Here, the main focus is on protecting IT infrastructure against cybercrime in order to maintain the availability and security of IT systems. In particular, today's digitally controlled telecontrol systems must be protected.
These protection goals are at the forefront (excerpt):
What does ISO 27001 say? The globally recognized standard for an information security management system (ISMS), with its derivatives ISO 27019, ISO 27017 and ISO 27701, is called in the current German version:
DIN EN ISO/IEC 27001:2017 - Information technology - Security procedures - Information security management systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015).
The title of this important standard makes it clear that IT security plays a major role in information security today and will continue to grow in importance in the future. However, the requirements set out in ISO 27001 are not directly aimed at digital IT systems only. On the contrary:
"Throughout DIN ISO/IEC 27001, "information" is referred to across the board, without exception."
In principle, no distinction is made as to the analog or digital way in which this information is processed or is to be protected.
More valuable knowledge about ISO 27001 can be found HERE.
A successfully implemented ISMS supports a holistic security strategy: it includes organizational measures, security-conscious personnel management, the security of deployed IT structures, and compliance with legal requirements.
Anyone who wanted to could apply the standard requirements of ISO 27001 over a completely analog system and would end up with just as much as someone who applied the requirements to a thoroughly digital system. It is only in Annex A of the well-known ISMS standard, which contains measure objectives and measures for users, that terms such as teleworking or mobile devices appear. But even the measures in Annex A of the standard remind us that there are still analogous processes and situations in every company that must be taken into account with regard to information security.
Anyone who speaks loudly about sensitive topics via smartphone in public, for example on the train, may be using digital communication channels, but their misconduct is actually analog. And anyone who doesn't clean up their desk had better lock their office to maintain confidentiality. At least the former, as one of the most effective single measures for securely protecting information, is usually still done by hand, nor ...
IT security and information security are two terms that are not (yet) interchangeable. Rather, IT security is a component of information security, which in turn also includes analog facts, processes and communication - which, incidentally, is still commonplace in many cases today. However, increasing digitization is bringing these terms ever closer together, so the difference in meaning is likely to become more marginal in the long term.
DQS is your specialist for audits and certifications - for management systems and processes. With 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner for all aspects of information security and data protection.
Contact us!
Without obligation and free of charge.
We don't talk about professional competence, we have it: You can expect many years of practical professional experience from all our DQS auditors. Collected in organizations of every size and every industry. With this diversity it is guaranteed that the leading DQS auditor will empathize with your individual company situation and management culture. Our auditors know management systems from their own experience, i.e. they have set up, managed and further developed ISMS themselves - and they know the daily challenges from their own experience. We look forward to talking with you.
Expert and project manager for information security, BSI-KritisV and data protection at DQS. In addition, long-standing auditor for quality and environmental management.
