
    ISO 27001 & ISO 22301 Blog

    Where does information security fit into a company?


    Very often, I hear controversial discussions about whether information security is part of IT, or whether it should be separate from it, part of some compliance or risk department, etc.

    But, before we determine who should be handling information security and from which organizational unit, let’s see first the conceptual point of view – where does information security fit into an organization?

    Generally, information security is part of overall risk management in a company, with areas that overlap with cybersecurity, business continuity management, and IT management, as displayed below.


    Figure: Relationship between information security, risk management, business continuity, IT, and cybersecurity

    Cybersecurity is basically a subset of information security because it focuses on protecting the information in digital form, while information security is a slightly wider concept because it protects the information in any media.

    The overlap with business continuity exists because its purpose is, among other things, to enable the availability of information, which is also one of the key roles of information security. See also this article: How to use ISO 22301 for the implementation of business continuity in ISO 27001.

    Naturally, information technology plays an extremely important role in information security, so there is an overlapping area here as well; however, information technology is not only about security, which is why a good part of IT is not related to security at all.

    Why risk management?

    But, the most important thing is that information security, cybersecurity, and business continuity have the same goal: to decrease the risks to business operations. You may not call it risk management in your day-to-day job, but basically this is what information security does – assess which potential problems can occur, and then apply various safeguards or controls to decrease those risks.

    Some industries have formally recognized information security as part of risk management – e.g., in the banking world, information security belongs very often to operational risk management. My guess is that in the future we will see more and more information security professionals work in the risk management part of their organizations, and information security will tend to merge with business continuity.

    See also this article: Chief Information Security Officer (CISO) – where does he belong in an org chart?

    Security is more than IT

    So, the point is: thinking about information security only in IT terms is wrong – this is a way to narrow the security only to technology issues, which won’t resolve the main source of incidents: people’s behavior.

    If you want your information security to be effective, you must enable it to access both IT and business parts of the organization – and for this to succeed, you will need at least two things: to change the perception about security, and to provide a proper organizational position for people handling security.

    This article is an excerpt from the book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own. Click here to see what other topics are covered…

    Author
    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.