Two things that are often confused with each other: information technology (IT) security and information security. In the age of digitalization, information is usually processed, stored or transported with the help of IT - but often information security is still more analog than we would think! Basically, IT security and information security are quite closely linked. A systematic approach is therefore required for effective protection of confidential information, as well as the IT itself.


IT security vs. information security

Information security is more than just IT security. It focuses on the entire company. After all, the security of confidential information is not only aimed at data processed by electronic systems. Information security encompasses all corporate assets that need to be protected, including those on analog data carriers such as paper.

"IT security and information security are two terms that are not (yet) interchangeable."

Protection goals of information security

The three essential protection goals of information security - confidentiality, availability and integrity - therefore also apply to a letter containing important contractual documents, which must arrive at its recipient's door on time, reliably and intact, transported by a courier, but entirely analog. And these protection goals apply equally to a sheet of paper that contains confidential information, but that is lying on an unattended desk for anyone to see or is waiting in the copier, freely accessible, for unauthorized access.

Thus, information security has a broader scope than IT security. IT security, on the other hand, refers "only" to the protection of information on IT systems.

IT security according to definition

What do official bodies say? IT security is "a state in which the risks present in the use of information technology due to threats and vulnerabilities are reduced to an acceptable level by appropriate measures. IT security is therefore the state in which confidentiality, integrity, and availability of information and information technology are protected by appropriate measures." According to the German Federal Office for Information Security (BSI).

Information security= IT security plus X

In practice, a different approach is sometimes taken, using the rule of thumb "information security = IT security + data protection". However, this statement, written down as an equation, is quite striking. Admittedly, the issue of data protection under the European GDPR is about protecting privacy, which requires processors of personal data to have both secure IT and, for example, a secure building environment - thus ruling out physical access to customer data records. However, this leaves out important analog data that does not require personal privacy. For example, company construction plans and much more.

The term information security contains fundamental criteria that go beyond pure IT aspects but always include them. Thus, comparatively, even simple technical or organizational measures within the scope of IT security are always taken against the background of appropriate information security. Examples of this can be:

  • Securing the power supply to the hardware
  • Measures against overheating of the hardware
  • Virus scans and secure programs
  • Organization of folder structures
  • Setting up and updating firewalls
  • Training of employees, etc.

It is obvious that computers and complete IT systems in themselves would not need to be protected. After all, without information to be digitally processed or transported, hardware and software become useless.

IT security by law, an example from Germany

The topic of CRITIS: The IT security law focuses on critical infrastructures from various sectors, such as electricity, gas and water supply, transportation, finance, food and health. Here, the main focus is on protecting IT infrastructure against cybercrime in order to maintain the availability and security of IT systems. In particular, today's digitally controlled telecontrol systems must be protected.

These protection goals are at the forefront (excerpt):

  • Consideration of IT security risks
  • Creation of IT security concepts
  • Creation of emergency plans
  • Taking general security precautions
  • Control of Internet security
  • Using cryptographic methods etc.

ISO 27001 - The standard for information security

What does ISO 27001 say? The globally recognized standard for an information security management system (ISMS), with its derivatives ISO 27019, ISO 27017 and ISO 27701, is called:

ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements

The revised version was published on October 25, 2022.  The current version (ISO/IEC 27001:2013) will remain valid until October 2025.

The title of this important standard makes it clear that IT security plays a major role in information security today and will continue to grow in importance in the future. However, the requirements set out in ISO 27001 are not directly aimed at digital IT systems only. On the contrary:

"Throughout ISO/IEC 27001, "information" is referred to across the board, without exception."

In principle, no distinction is made as to the analog or digital way in which this information is processed or is to be protected.

For more valuable knowledge on information security and the possibility of an assessment, visit ISO 27001 certification

A successfully implemented ISMS supports a holistic security strategy: it includes organizational measures, security-conscious personnel management, the security of deployed IT structures, and compliance with legal requirements.


Valuable know-how: The DQS Audit Guide

Our audit guide ISO 27001 - Annex A was created by leading experts as a practical implementation aid and is ideal for better understanding selected standard requirements. The guideline is based on ISO/IEC 27001:2017. Since the revised version was published on October 25, 2022, we will add information about the changes as soon as they are available.  

Information security often more analog than we think

Anyone who wanted to could apply the standard requirements of ISO 27001 over a completely analog system and end up with just as much as someone who applied the requirements to a thoroughly digital system. It is only in Annex A of the well-known ISMS standard, which contains measure objectives and measures for users, that terms such as teleworking or mobile devices appear. But even the measures in Annex A of the standard remind us that there are still analog processes and situations in every company that must be taken into account with regard to information security.

Anyone who speaks loudly about sensitive topics via smartphone in public, for example on the train, may be using digital communication channels, but their misconduct is actually analog. And anyone who doesn't clean up their desk had better lock their office to maintain confidentiality. At least the former, as one of the most effective single measures for securely protecting information, is usually still done by hand, so far...

IT Security vs. Information Security - Conclusion

IT security and information security are two terms that are not (yet) interchangeable. Rather, IT security is a component of information security, which in turn also includes analog facts, processes and communication - which, incidentally, is still commonplace in many cases today. However, increasing digitization is bringing these terms ever closer together, so that the difference in meaning will probably become more marginal in the long term.

What you can expect from us

DQS is your specialist for audits and certifications - for management systems and processes. With 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner for all aspects of information security and data protection.

gerber-hermsdorf-werner-korall-audit dqs

Do you have any questions?

Contact us!
Without obligation and free of charge.

We don't just talk about professional competence, we have it: You can expect many years of practical professional experience from all our DQS auditors. Collected in organizations of every size and every industry. With this diversity it is guaranteed that your DQS lead auditor will empathize with your individual company situation and management culture. Our auditors know management systems from their own experience, i.e. they have set up, managed and further developed ISMS themselves - and they know the daily challenges from their own experience. We look forward to talking with you.

André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.