{"id":4863,"date":"2010-03-01T22:00:02","date_gmt":"2010-03-01T22:00:02","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/010\/03\/01\/information-security-or-it-security\/"},"modified":"2024-12-21T14:01:59","modified_gmt":"2024-12-21T14:01:59","slug":"information-security-or-it-security","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2010\/03\/01\/information-security-or-it-security\/","title":{"rendered":"Information security or IT security?"},"content":{"rendered":"<p><em>Update 2014-08-11: The number of controls was updated according to the 2013 revision of ISO 27001.<\/em><\/p>\n<p>One would think that these two terms are synonyms \u2013 after all, isn\u2019t information security all about computers?<\/p>\n<p>Not really. The basic point is this \u2013 you might have perfect IT security measures, but only one malicious act done by, for instance, an administrator can bring the whole IT system down. This risk has nothing to do with computers; it has to do with people, processes, supervision, etc.<\/p>\n<p>Further, important information might not even be in digital form; it can also be on paper \u2013 for instance, an important contract signed with the largest client, personal notes made by the managing director, or printed administrator passwords stored in a safe.<\/p>\n<p>Therefore, I always like to say to my clients \u2013 IT security is 50% of information security, because information security also comprises physical security, human resources management, legal protection, organization, processes, etc. 
The purpose of information security is to build a system that takes into account all risks to the security of information (IT-related or not) and implements comprehensive controls that reduce every kind of unacceptable risk.<\/p>\n<p>This integrated approach to the security of information is best defined in <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, the leading international standard for information security management. In short, it requires a risk assessment covering all of the organization\u2019s assets \u2013 including hardware, software, documentation, people, suppliers, partners, etc. \u2013 and the selection of applicable controls to decrease those risks.<\/p>\n<p>ISO 27001 offers 114 controls in its Annex A. I have performed a brief analysis of those controls, and the results are as follows:<\/p>\n<ul>\n<li>IT-related controls: 37%<\/li>\n<li>controls related to organization \/ documentation: 36%<\/li>\n<li>physical security controls: 13%<\/li>\n<li>legal protection: 4%<\/li>\n<li>controls related to relationships with suppliers and buyers: 5%<\/li>\n<li>human resources management controls: 5%<\/li>\n<\/ul>\n<p>What does all this mean in terms of information security \/ ISO 27001 implementation? This kind of project should not be viewed as an IT project, because if it is, it is likely that not all parts of the organization will be willing to participate in it. It should be viewed as an enterprise-wide project in which relevant people from all business units take part \u2013 top management, IT personnel, legal experts, human resource managers, physical security staff, the business side of the organization, etc. 
Without such an approach you will end up working on IT security only, and that will not protect you from the biggest risks.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To learn more about the development of security controls in your ISO 27001 implementation,<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a><span class=\"notion-enable-hover\" data-token-index=\"2\">\u00a0<em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2014-08-11: The number of controls was updated according to the 2013 revision of ISO 27001. One would think that these two terms are synonyms \u2013 after all, isn\u2019t information security all about computers? Not really. 
The basic point is this \u2013 you might have perfect IT security measures, but only one malicious act done by, &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[277,379,381,424,771],"class_list":["post-4863","post","type-post","status-publish","format-standard","hentry","category-blog","tag-risk-assessment","tag-information-security","tag-iso-27001","tag-controls","tag-it-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4863"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4863\/revisions"}],"predecessor-version":[{"id":103246,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4863\/revisions\/103246"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}