Information security is the discipline and set of practices focused on protecting information, in any form, from unauthorized access, use, disclosure, modification, or destruction. It applies to digital data, paper records, and other information assets.

Operationally, information security involves:
- Identifying information assets such as systems, data stores, networks, and physical media.
- Assessing risks that could affect the confidentiality, integrity, or availability of those assets.
- Defining and applying controls such as policies, procedures, technical safeguards, and physical protections.
- Monitoring and reviewing the effectiveness of these controls on an ongoing basis.
- Responding to incidents where information is exposed, altered, lost, or made unavailable.

In standards such as ISO 27001, information security is managed through a formal Information Security Management System (ISMS), which provides a structured approach to establishing, implementing, maintaining, and continually improving these practices.