\nVery often, I hear controversial discussions about whether information security is part of IT, or whether it should be separate from it, part of some compliance or risk department, etc.<\/p>\n
But, before we determine who should be handling information security and from which organizational unit, let\u2019s see first the conceptual point of view \u2013 where does information security fit into an organization?<\/p>\n
Generally, information security is part of overall risk management in a company, with areas that overlap with cybersecurity, business continuity management, and IT management, as displayed below.<\/p>\n
![\"information_security_inside_organization\"](\"\/wp-content\/uploads\/\/sites\/5\/2016\/10\/Information_security_inside_organization.png\")
<\/p>\n
Figure: Relationship between information security, risk management, business continuity, IT, and cybersecurity<\/em><\/p>\n Cybersecurity is basically a subset of information security because it focuses on protecting the information in digital form, while information security is a slightly wider concept because it protects the information in any media.<\/p>\n The overlap with business continuity exists because its purpose is, among other things, to enable the availability of information, which is also one of the key roles of information security. See also this article: How to use ISO 22301 for the implementation of business continuity in ISO 27001<\/a>.<\/p>\n Naturally, information technology plays an extremely important role in information security; so, consequently, there is also an overlapping area; information technology is not only about security, so this is why good part of IT is not related to security.
\n