What Is Information Security?
Before frameworks, certifications, and tools — there are three ideas that everything in cybersecurity traces back to. This page teaches them from first principles.
Information security is the practice of protecting information and the systems that store, process, and transmit it. That's the textbook answer. Here's the practical one:
Information security exists because things that have value can be damaged, stolen, or made unavailable — and we'd prefer they weren't. Every policy, every firewall rule, every incident response plan traces back to that idea.
Three foundational concepts make the rest of the field intelligible. Every major framework, certification, and training program starts with these three things — in roughly this order. Don't worry if the names below are unfamiliar — they're the field's most recognized authorities, and you'll learn what each one does as you progress through the hub.
This isn't a coincidence. These organizations arrived at the same starting point independently because there is no shortcut past understanding what you protect, what protection means, and how you decide what to do about it.
"Information Security" vs "Cybersecurity" — What's the Difference?
You'll hear both terms constantly — sometimes interchangeably, sometimes as if they mean completely different things. The confusion is real and worth addressing early, because understanding the distinction changes how you think about the field.
The Short Answer
Information security is the broader discipline. It covers the protection of information in all forms — digital, physical, verbal. A printed document locked in a filing cabinet is an information security concern. A conversation overheard in a coffee shop is an information security concern. The digital world is only part of the picture.
Cybersecurity is focused on the digital domain — protecting networks, systems, programs, and data from digital attacks. It's a subset of information security, but it's the subset that gets most of the attention (and most of the job titles) because that's where most attacks happen today.
Information security only (non-digital and organization-wide concerns):
- Physical document protection
- Clean desk policies
- Verbal information controls
- Paper records management
- Personnel security (background checks)
- Information classification (all media)
- Business continuity planning (keeping operations running)
- Regulatory compliance (healthcare, privacy, financial laws)
Shared by both disciplines:
- CIA Triad as core model
- Risk management
- Access control principles
- Incident response
- Policy and governance
- Security awareness training
- Framework alignment (NIST, ISO)
Cybersecurity-specific (digital domain):
- Network defense and monitoring
- Malware analysis (studying malicious software)
- Penetration testing (authorized attack simulation)
- Security monitoring tools (SIEM systems)
- Vulnerability scanning (finding weaknesses)
- Application security testing
- Cloud security architecture
- Threat intelligence (tracking attackers)
Why the Terms Are Used Interchangeably
In practice, most organizations and professionals use "cybersecurity" and "information security" as synonyms — and for good reason. The vast majority of information today is digital. Physical-only information security concerns (shredding documents, locking file cabinets) still exist, but they're a shrinking fraction of the work. When someone says "I work in cybersecurity," they almost always mean the same scope as "information security."
The frameworks themselves blur the line. NIST CSF 2.0 is titled a "Cybersecurity Framework" but its Govern and Identify functions cover governance, risk, and policy — classic information security territory. ISO 27001 is titled "Information Security Management Systems" but its Annex A controls include network monitoring, malware protection, and system hardening — core cybersecurity activities.
When the Distinction Matters
The distinction becomes important in specific contexts:
Compliance and regulation — HIPAA's Security Rule explicitly covers electronic protected health information (ePHI), making it a cybersecurity regulation. But HIPAA also has requirements for physical safeguards (facility access, workstation security) and administrative safeguards (workforce training, contingency planning) that are broader information security concerns.
Organizational structure — some companies have a CISO (Chief Information Security Officer) who reports to the CIO and covers all information risk, and a separate cybersecurity team that handles technical operations. Others combine both under one leader. The org chart often determines which term gets used internally.
Academic programs — universities offer both "Information Security" and "Cybersecurity" degree programs. The distinction is often that information security programs lean toward governance, policy, and management, while cybersecurity programs lean toward technical skills, ethical hacking, and defense operations. But there's significant overlap in curricula.
Career certifications — the CISSP (Certified Information Systems Security Professional) covers the broadest scope. CompTIA Security+ is positioned as a "cybersecurity certification" but tests governance and risk concepts too. The NICE Framework (NIST SP 800-181r1) uses "cybersecurity" in its title but maps roles across the full information security spectrum.
We use "cybersecurity" as the primary term because that's what most people search for and how most practitioners describe their work. But the content covers the full information security scope — governance, risk, compliance, and policy alongside technical operations, penetration testing, and detection engineering. When the distinction matters (as in compliance or organizational design), we'll call it out explicitly.
A Brief History of the Terms
Assets — What Are You Protecting?
Before you can secure anything, you have to know what you have. In security, an asset is anything that has value to an organization or individual — and that value is what makes it worth protecting.
ISO 27001 requires asset identification as the first operational step. NIST CSF 2.0's Identify function starts with asset management. The CISSP CBK's Asset Security is Domain 2 — immediately after risk management fundamentals. You cannot assess risk to something you haven't identified.
Types of Assets
Assets aren't just servers and databases. In information security, assets fall into categories that span the entire organization:
Data assets — customer records, intellectual property, financial data, employee information, source code. This is what most people think of when they hear "information security." Data has value, and its unauthorized disclosure, modification, or destruction has consequences.
System assets — servers, workstations, network equipment, cloud infrastructure, applications. These are the things that store, process, and transmit data. If they go down or get compromised, the data they handle is at risk.
People — employees, contractors, partners who interact with systems and data. People are both assets (they create value) and attack vectors (they can be phished, coerced, or make mistakes). Every security framework accounts for the human element.
Processes — the workflows, procedures, and business operations that depend on data and systems. A payroll process, a customer onboarding flow, a code deployment pipeline — these are assets because the business depends on them functioning correctly.
Reputation and trust — less tangible but often the most valuable. A breach doesn't just expose data — it erodes the trust that customers, partners, and regulators place in the organization.
Asset Classification
Not all assets are equal. Classification is how organizations decide which assets need the most protection. A common model:
Public — information intended for open access (marketing materials, public documentation). Minimal controls needed.
Internal — not sensitive, but not meant for public consumption (internal memos, org charts). Basic access controls.
Confidential — sensitive business data (financial reports, contracts, PII). Requires access control, encryption, and monitoring.
Restricted — highest sensitivity (trade secrets, authentication credentials, regulated data). Strictest controls — encryption at rest and in transit, audit logging, need-to-know access.
How Frameworks Govern Asset Management
Asset management isn't just a good idea — it's a mandatory control in every major security framework. Each framework approaches it differently, but they all agree: you can't skip this step.
Each framework assigns numbered IDs to specific security requirements — think of them like section numbers in a law. The IDs below are how practitioners reference specific controls. You don't need to memorize them; they're here to show you how the frameworks handle asset management.
CIS puts it at Control 1. NIST CSF puts it in the Identify function. ISO 27001 makes it an Annex A requirement for scoping the entire management system. NIST 800-53 includes it in every baseline. The message is consistent: asset inventory is not optional, and no framework lets you skip it.
This matters for practitioners because it means the first tangible task in any security program — whether you're a startup or an enterprise — is the same: build and maintain a current, accurate inventory of what you have and what it's worth. The CIS Controls Implementation Groups (IG1/IG2/IG3) then help you decide how sophisticated that inventory needs to be, based on your organization's size and resources.
Asset Management in Practice
Understanding asset management at the framework level is important, but it's worth seeing how this plays out in real organizations:
Discovery vs. inventory — asset discovery is the automated process of finding what's on your network (tools like Nmap, Lansweeper, or cloud-native services). Asset inventory is the maintained record with ownership, classification, and business context. Discovery feeds inventory, but they're not the same — a scan tells you what exists; a register tells you what it's worth and who's responsible for it.
The CMDB problem — many organizations maintain a Configuration Management Database (CMDB) that becomes outdated within weeks. CIS Control 1.1 specifically calls for active discovery processes because static inventories decay. This is why CIS distinguishes between "establish" (build the inventory) and "address" (handle unauthorized assets when discovery finds them).
Shadow IT — employees adopt SaaS tools (cloud-based apps like Slack, Dropbox, or Salesforce), spin up cloud instances, and connect personal devices without IT knowledge. These unmanaged assets represent some of the highest risk because they can't be patched, monitored, or included in incident response if they're not known. CIS Control 1.3 requires organizations to identify and handle unauthorized assets specifically.
Data mapping for compliance — regulations like GDPR (the EU's data privacy law, Article 30) and HIPAA (the U.S. healthcare data law, 45 CFR 164.308) require organizations to know where regulated data lives. You can't comply with data protection regulations if you don't know where the data is. Asset classification feeds directly into compliance posture.
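The discovery-versus-inventory distinction and the classification tiers above, as an added example that is not part of this page or of any framework's tooling: a constructed inventory register (with owner and classification) is reconciled against a constructed discovery scan to surface unauthorized hosts, and each registered asset's controls are checked against what its tier requires. Hostnames, owners and control names are sample values.

```python
# Added example: reconcile a discovery scan against a maintained asset register,
# then check each registered asset's controls against its classification tier.
# All hostnames, owners and control names are constructed sample data.
from dataclasses import dataclass, field

# Controls each tier demands, following the page's four-level model:
# Restricted adds in-transit encryption, audit logging and need-to-know access.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_at_rest", "monitoring"},
    "restricted": {"access_control", "encryption_at_rest", "encryption_in_transit",
                   "audit_logging", "need_to_know"},
}

@dataclass
class Asset:
    hostname: str
    owner: str                      # accountable party: inventory data, not scan data
    classification: str             # public / internal / confidential / restricted
    controls: set = field(default_factory=set)

def control_gaps(asset: Asset) -> set:
    """Controls the asset's classification requires but it does not have."""
    return REQUIRED_CONTROLS[asset.classification] - asset.controls

def reconcile(inventory: dict, discovered: set) -> dict:
    """Compare what a scan found with what the register says should exist.

    Returns hosts the scan saw but nobody registered (the 'address unauthorized
    assets' step), registered hosts the scan no longer sees, and per-asset
    control gaps on the registered hosts.
    """
    known = set(inventory)
    return {
        "unauthorized": sorted(discovered - known),
        "missing": sorted(known - discovered),
        "gaps": {h: sorted(control_gaps(a)) for h, a in inventory.items()
                 if control_gaps(a)},
    }

# Constructed inventory: the register carries owner and classification.
INVENTORY = {
    "db-payroll-01": Asset("db-payroll-01", "finance", "restricted",
                           {"access_control", "encryption_at_rest", "audit_logging"}),
    "web-marketing-01": Asset("web-marketing-01", "marketing", "public"),
    "fs-contracts-01": Asset("fs-contracts-01", "legal", "confidential",
                             {"access_control", "encryption_at_rest", "monitoring"}),
    "print-hr-02": Asset("print-hr-02", "hr", "internal", {"access_control"}),
}

# Constructed discovery result: what a network scan actually saw.
DISCOVERED = {"db-payroll-01", "web-marketing-01", "fs-contracts-01", "dropbox-sync-vm"}

if __name__ == "__main__":
    report = reconcile(INVENTORY, DISCOVERED)
    print("Unauthorized (shadow IT):", report["unauthorized"])
    print("Registered but not seen:", report["missing"])
    for host, gaps in report["gaps"].items():
        print(f"{host}: missing {gaps}")
```

The unregistered host is the shadow-IT case from above; the payroll database is registered but lacks two of the controls its Restricted tier demands.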
If you can't list what you're protecting and how important each thing is, you can't make rational security decisions. You'll either over-protect low-value assets (wasting limited budget) or under-protect high-value ones (inviting breaches that cost multiples of what prevention would have). Asset identification and classification are the foundation that makes every subsequent security decision meaningful — and every major framework makes it mandatory for exactly this reason.
In practice, asset classification is a business conversation, not a technical one. A database's classification depends on what data it holds and what losing it would cost the business — not on its technical specifications. This is why BIA (Business Impact Analysis) is a required exercise in frameworks like NIST SP 800-34 (contingency planning) and ISO 22301 (business continuity): it forces organizations to quantify the actual cost of downtime, data loss, and compromise before deciding how much to spend on protection.
The CIA Triad — What Does Protection Mean?
Once you know what you're protecting, the next question is: protection from what? The CIA Triad defines the three core properties of information that security exists to preserve. Every security control, policy, and incident maps back to one or more of these three. (Modern standards like ISO 27001:2022 also recognize authenticity and non-repudiation as distinct security properties, but CIA remains the foundational model taught across all major certifications.)
Why the Triad Matters Practically
The CIA Triad isn't abstract theory — it's the classification system security professionals use to describe what went wrong, what could go wrong, and what controls exist to prevent it.
When a CISO says "this vulnerability is a confidentiality risk," every practitioner in the room immediately understands: data could be exposed to unauthorized parties. When an IR team classifies an incident as an "integrity violation," it means data was modified — and they need to determine what changed, when, and by whom.
Every security control maps to at least one property:
Encryption protects confidentiality (even if data is stolen, it's unreadable). Hash functions verify integrity (if the hash doesn't match, the data was modified). Redundancy and backups protect availability (if one system fails, another takes over).
These three properties often compete. Stronger confidentiality controls (encryption, access restrictions) can reduce availability (slower systems, more authentication steps). Maximum availability (open access, no authentication) destroys confidentiality. Security professionals constantly balance these trade-offs based on what matters most for each asset.
Risk — How Do You Decide What to Do?
You know what you're protecting (assets) and what protection means (CIA). Now the question is: how do you decide where to spend limited time, money, and attention?
The answer is risk. Risk is the possibility that a threat exploits a vulnerability to cause harm to an asset. It's the lens that turns an infinite list of "things that could go wrong" into a prioritized list of "things we need to address."
Risk = Likelihood (threat capability × vulnerability) × Impact (financial loss, data breach, downtime). This is the standard formula used by NIST 800-30, ISO 27005, and the CISSP CBK. Likelihood depends on both the threat (who/what could cause harm) and the vulnerability (the weakness they'd exploit). All three factors must be present for risk to exist.
Why Risk Comes Before Tools
This is the mistake most beginners make (and many organizations, too): they start with tools. "We need a firewall. We need a SIEM. We need endpoint detection." But without understanding risk, you don't know which tools matter, how to configure them, or whether they're solving a real problem.
ISC2 makes this explicit — Security and Risk Management is CISSP Domain 1, consistently the most heavily weighted domain on the exam (16% per the 2024 outline). Not network security, not cryptography, not operations — risk management. Because everything else is implementation detail.
What You Do With Risk
Once you've identified a risk, there are four standard responses:
Mitigate — reduce the likelihood or impact by implementing controls. This is the most common response: install a patch, add MFA (multi-factor authentication — requiring more than just a password), encrypt data at rest.
Transfer — shift the financial impact to a third party. Cyber insurance is the most common example. You still have the risk, but someone else absorbs the cost if it materializes.
Accept — acknowledge the risk and choose to do nothing. This is valid when the cost of mitigation exceeds the potential impact — a business decision rooted in the principle that you should never spend $10 to protect a $5 asset. The key is that acceptance must be a documented, conscious decision by someone with the authority to make it — not negligence by someone who didn't know the risk existed.
Avoid — eliminate the risk by removing the asset or activity. If storing credit card numbers creates PCI (Payment Card Industry) compliance risk, you might use a third-party payment processor instead. The risk disappears because the activity no longer exists in your environment.
Note: ISO 27001:2022 uses different terminology for the same concepts — modify (mitigate) and retain (accept), while transfer and avoid keep the same names. The principles are identical; only the labels differ.
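The Risk = Likelihood × Impact formula and the four responses above, as an added example that is not part of this page or of NIST/ISO guidance: a small risk register scores each entry as expected annual loss (threat × vulnerability × impact) and picks a response by comparing the loss a control would prevent with what the control costs, so the "never spend $10 to protect a $5 asset" rule falls out of the arithmetic. All entries, probabilities and costs are constructed sample values, and the decision rules are illustrative.

```python
# Added example: a minimal risk register scoring Risk = Likelihood x Impact and
# recommending mitigate / transfer / accept / avoid. All values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Control:
    name: str
    annual_cost: float
    residual_vulnerability: float  # chance an attempt still succeeds once applied (0-1)

@dataclass
class Risk:
    name: str
    asset: str
    threat: float          # 0-1: chance per year that someone tries to exploit it
    vulnerability: float   # 0-1: chance an attempt succeeds (0 = no weakness exists)
    impact: float          # loss in currency units if it happens
    control: Optional[Control] = None   # best available mitigation, if any
    transferable: bool = False          # e.g. an insurance policy absorbs the loss
    avoidable: bool = False             # the activity or asset could be removed

def likelihood(r: Risk) -> float:
    # Both factors must be present: no threat or no vulnerability means no risk.
    return r.threat * r.vulnerability

def expected_loss(r: Risk) -> float:
    return likelihood(r) * r.impact   # Risk = Likelihood x Impact, per year

def recommend(r: Risk) -> str:
    """Illustrative decision rules mirroring the page's four responses."""
    loss = expected_loss(r)
    if loss == 0:
        return "accept"   # nothing to treat, but still record the decision
    if r.control is not None:
        residual = r.threat * r.control.residual_vulnerability * r.impact
        if loss - residual > r.control.annual_cost:
            return "mitigate"   # the control costs less than the loss it prevents
    if r.avoidable:
        return "avoid"          # remove the activity and the risk goes with it
    if r.transferable:
        return "transfer"       # keep the risk, let a third party absorb the cost
    return "accept"             # treatment costs more than the exposure: document it

def prioritised(register: list) -> list:
    """Highest expected loss first: the list you work through with a finite budget."""
    return sorted(register, key=expected_loss, reverse=True)

REGISTER = [  # constructed entries
    Risk("unpatched VPN appliance", "vpn-edge-01", threat=0.8, vulnerability=0.6,
         impact=500_000, control=Control("patch + MFA", 20_000, 0.05)),
    Risk("card numbers in order DB", "db-orders-01", threat=0.5, vulnerability=0.4,
         impact=2_000_000, control=Control("tokenisation rebuild", 900_000, 0.1),
         avoidable=True),   # a third-party processor removes the activity entirely
    Risk("lobby kiosk defacement", "kiosk-lobby-01", threat=0.3, vulnerability=0.5,
         impact=2_000, control=Control("kiosk lockdown suite", 5_000, 0.1)),
    Risk("flood destroys file server", "fs-hq-01", threat=0.05, vulnerability=1.0,
         impact=300_000, transferable=True),
    Risk("legacy modem bank", "modem-01", threat=0.9, vulnerability=0.0, impact=100_000),
]

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{expected_loss(r):>12,.0f}  {recommend(r):<9} {r.name}")
```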
Anderson's Security Engineering frames security as building systems worthy of trust. Bishop frames it around policy and mechanism. The CISSP CBK frames it as risk management applied to information assets. ISO 27001 frames it as a management system. The synthesis: information security is fundamentally about managing risk to assets, where the CIA triad defines what protection means and governance determines how much protection is warranted.
Frameworks Are Risk Management Systems
This is the insight that makes the rest of this hub make sense. NIST CSF, ISO 27001, CIS Controls — these aren't checklists. They're structured approaches to identifying, assessing, and managing risk. The controls they recommend exist because they address specific, common risks. When you understand risk, you understand why the frameworks recommend what they do — and when to deviate from them.
Security Operates Inside a Business
Here's what most security education leaves out: every security decision is ultimately a business decision. You will never have unlimited budget, unlimited staff, or unlimited time. The frameworks above — NIST, CIS, ISO — all acknowledge this. But textbooks and training courses rarely teach it at the foundational level, and that disconnect is where most real-world security programs fail.
This isn't a deficiency. Resource constraints are the defining condition of information security practice. Understanding how business reality shapes security decisions is as foundational as understanding the CIA triad itself.
Phased Implementation — How Frameworks Account for Resource Reality
If frameworks demanded perfect security from day one, no organization could comply. Instead, every major framework builds in a phased implementation model that acknowledges resource constraints as a design parameter — not an excuse.
The clearest example is the CIS Controls Implementation Groups:
NIST CSF uses a similar model with its Implementation Tiers (Tier 1: Partial → Tier 2: Risk Informed → Tier 3: Repeatable → Tier 4: Adaptive). ISO 27001 achieves phasing through the Statement of Applicability, where organizations justify which controls apply to their scope. The principle is the same: start where you are, improve systematically, and scale controls to match actual risk and available resources.
The CIS Controls SME (Small and Medium Enterprise) Companion Guide breaks implementation into three phases that map directly to business capability: Phase 1: Know (asset inventory, understand what you have), Phase 2: Protect (configure defenses, manage access), Phase 3: Prepare (incident response, recovery). Each phase uses free or low-cost tools — CIS explicitly calls out Windows built-in features, open-source scanners, and cloud-native security controls. The point is that resource constraints don't excuse inaction; they shape the implementation path.
Why This Matters at the Foundation Level
Most security training teaches concepts in a vacuum — here's the CIA triad, here's a risk formula, here are controls. Then practitioners enter organizations and discover that budget cycles, headcount limits, competing priorities, technical debt, and organizational politics shape every security decision they'll ever make.
The gap between classroom security and operational security is a business gap. Practitioners who understand that security is a business function — not just a technical one — make better decisions about what to protect first, how to justify investments to leadership, and when "good enough" is the right answer.
This is why the CISSP exam leads with Security and Risk Management (16% weight), not with firewalls or encryption. It's why NIST CSF 2.0 added an entire Govern function in 2024. It's why ISO 27001's first clause of requirements is "Context of the Organization" — understand the business before you design the controls.
Assets, the CIA triad, and risk are the technical foundations. Business context is the operational foundation. Together they form the complete mental model: identify what matters (assets), define what protection means (CIA), assess what could go wrong (risk), and make decisions within the constraints the business provides (governance). Every framework, every pillar, and every tool in this hub operates within that reality.