What Is Information Security (InfoSec)?
A ransomware crew hits a hospital. The attack encrypts the systems that hold patient records, so clinicians cannot reach them and surgeries are delayed: a loss of availability. Before encrypting, the attackers copied the records out to leak them, exposing patient data: a loss of confidentiality. And because no one can fully trust what the malware touched, every affected record is now suspect until verified: a threat to integrity. One incident, three different kinds of harm.
Those three, confidentiality, integrity, and availability, are the whole of information security in one breath. Every security failure is a failure of at least one of them, and every control exists to protect one or more. Information security is the discipline of keeping all three intact for the information an organization depends on.
This guide covers what information security is, the CIA triad at its core, how it differs from cybersecurity and data privacy, its main domains, the threats it defends against, the three types of control, the frameworks that structure it, and how to build the skill. It is written for blue teamers and students building the foundation that the rest of security stands on.
What is information security?
Information security, often shortened to InfoSec, is the practice of protecting information from unauthorized access, use, disclosure, modification, or destruction, in order to preserve its confidentiality, integrity, and availability. That definition is close to the one the US government uses in law: NIST and the Federal Information Security Modernization Act define information security as protecting information and information systems to provide exactly those three properties.
The key word is information, in any form. A customer database, a contract on paper, a conversation, a backup tape, an engineering diagram on a whiteboard: all of it is information an organization may need to protect. InfoSec is broader than any single technology because it is organized around the asset being protected, the information itself, rather than around the systems that happen to hold it.
The stakes are concrete. IBM's 2025 Cost of a Data Breach report put the global average cost of a breach at $4.44 million, down from $4.88 million the year before, the first decline in five years, which the report attributes largely to faster detection and containment. Information security is the discipline whose entire job is to prevent that loss, or to make it small and fast to recover from when prevention fails.
The CIA triad
The CIA triad is the model at the center of information security. It names the three properties every control is trying to protect. The definitions below follow the wording in US federal law (44 U.S.C. 3552).
- Confidentiality means preserving authorized restrictions on access and disclosure. Only the people and systems that should see information can see it. Encryption, access controls, and multi-factor authentication protect confidentiality. A leaked database is a confidentiality failure.
- Integrity means guarding against improper modification or destruction, and includes authenticity and non-repudiation. Information is accurate, complete, and provably from the source it claims to come from. Hashing, digital signatures, and change control protect integrity. A tampered financial record is an integrity failure.
- Availability means ensuring timely and reliable access to and use of information. The people who need it can get it when they need it. Backups, redundancy, and resilience against denial-of-service protect availability. A ransomware lockout is an availability failure.
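The integrity property above is easy to state and easy to get subtly wrong. The following added example (not from the article) contrasts two ways of "protecting" a record with Python's standard library: an unkeyed SHA-256 digest stored beside the data, which an attacker who can rewrite the record can simply recompute, and an HMAC-SHA256 tag under a key the attacker does not hold, which makes the modification detectable. The patient record, field names, and key are constructed for illustration.

```python
"""Integrity controls on a single record: unkeyed digest vs keyed HMAC.
Added example, not part of the original article; all data is constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    # Serialize deterministically so identical data always produces identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_digest(record: dict) -> str:
    """A plain hash stored next to the data. Anyone who can edit the record can
    also recompute this, so on its own it only detects accidental corruption."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes) -> str:
    """Integrity control: HMAC-SHA256 over the canonical record under a secret key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(seal(record, key), tag)


def demo() -> dict:
    """Show what each mechanism does when an attacker edits a stored record."""
    key = secrets.token_bytes(32)  # constructed key, held only by the verifying system
    record = {"patient_id": "P-0001", "allergy": "penicillin"}  # constructed sample

    # Storage model 1: record + unkeyed digest, both writable by the attacker.
    stored_plain = {"record": record, "digest": unkeyed_digest(record)}
    tampered = dict(record, allergy="none")  # the attacker changes a clinical field
    stored_plain["record"] = tampered
    stored_plain["digest"] = unkeyed_digest(tampered)  # ...and recomputes the digest
    plain_check_passes = unkeyed_digest(stored_plain["record"]) == stored_plain["digest"]

    # Storage model 2: record + HMAC tag; the attacker can edit the record but not forge a tag.
    tag = seal(record, key)
    return {
        "unkeyed_digest_detects_tampering": not plain_check_passes,
        "hmac_accepts_original": verify(record, tag, key),
        "hmac_accepts_tampered": verify(tampered, tag, key),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC gives authenticity only among the parties that share the key; it cannot give non-repudiation, because any key holder could have produced the tag. Where the triad's non-repudiation requirement matters, a digital signature under a private key that only the author holds is the control to reach for.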
The triad is also a set of trade-offs, which is why security is engineering and not a checklist. Lock information down hard enough to maximize confidentiality and you can hurt availability, making it slow or difficult for legitimate users to reach. The job is not to maximize one property but to balance all three to fit what the information is worth and how it is used. A public marketing page needs integrity and availability but almost no confidentiality; a patient record needs all three at the highest level.
A hospital makes that trade-off explicit. Patient records are tightly restricted to protect confidentiality, but emergency departments are given "break-glass" access that bypasses the normal restrictions when a life is at stake, deliberately accepting a confidentiality risk to protect availability. Every real control is a decision like that one, made on purpose and weighed against the value of the information, not applied by reflex.
Information security vs cybersecurity vs data privacy
These three terms overlap heavily and get used interchangeably, but they are not the same.
| Term | Focus | Scope |
|---|---|---|
| Information security | Protecting information's confidentiality, integrity, and availability | Information in every form, digital and physical |
| Cybersecurity | Defending systems, networks, and data from digital attacks | Digital systems and the threats against them |
| Data privacy | Proper collection, use, and handling of personal data | The rights and rules around personal information |
Information security is the broadest of the three in terms of medium. It covers a shredded document and a locked filing cabinet as readily as a database, because it is about the information regardless of where it lives.
Cybersecurity is the practice of defending digital systems, networks, and data from attack. It overlaps enormously with information security (it is, in effect, the digital part of it) and is often treated as the part of InfoSec that deals with cyber threats. The difference is emphasis: InfoSec is organized around protecting information, cybersecurity around defending systems from adversaries.
Data privacy is a related but distinct discipline about whether personal data is collected and used appropriately and lawfully, governed by regulations such as GDPR. Security is a precondition for privacy: you cannot keep data private if you cannot keep it secure. But you can secure data perfectly and still misuse it, which is a privacy failure, not a security one.
The domains of information security
Information security is not one thing; it is a set of domains, each protecting the CIA triad at a different layer.
| Domain | What it protects |
|---|---|
| Network security | Data in transit and access to the network |
| Endpoint security | Laptops, servers, and the workstations where data is used |
| Application security | The software and code that handles information |
| Cloud security | Data and workloads in cloud environments |
| Cryptography | Confidentiality and integrity of data through encryption |
| Identity and access management | Who can access what, and proving who they are |
| Physical security | Facilities, hardware, and printed information |
| Incident response and recovery | Detecting, containing, and recovering from incidents |
These are not separate products so much as facets of one goal. Network security protects the information moving across the wire; cloud security protects it in cloud workloads; cryptography protects it whether at rest or in transit. A complete information security program covers all of these, because an attacker only needs one uncovered layer.
The threats information security defends against
The threats are the ways the CIA triad gets broken. The most common:
- Malware and ransomware. Malware steals or destroys information; ransomware attacks availability directly by locking it away, often while exfiltrating it first.
- Phishing and social engineering. Phishing tricks people into surrendering credentials or data, the most common way attackers get in.
- Insider threats. A malicious or careless employee with legitimate access, which technical perimeter controls do not stop.
- Unauthorized access and credential theft. Stolen or weak credentials that let an attacker walk in as a valid user.
- Data leakage. Sensitive information leaving the organization, whether stolen or sent somewhere it should not go, which is why data loss prevention (DLP) exists.
- Denial of service and physical loss. Attacks or events, including a stolen laptop or a failed drive, that take down availability.
Note that several of these target people and process, not technology. Information security has to defend the human and physical layers, not just the digital ones.
The three types of information security control
Every information security control falls into one of three categories. A working program uses all three, because each covers what the others cannot.
| Control type | Examples | What it does |
|---|---|---|
| Technical (logical) | Encryption, firewalls, MFA, EDR, access controls | Enforces security inside systems |
| Administrative (managerial) | Policies, training, risk assessments, access reviews | Governs how people behave and decisions get made |
| Physical | Locks, badges, cameras, secure disposal | Protects the physical assets and facilities |
Technical controls are the ones most people picture: a firewall, encryption, access management enforced in software. Administrative controls are the policies, training, and processes that govern human behavior, and they matter as much as the technology, because most breaches involve a person. Physical controls protect the building, the hardware, and the paper, the layer a purely digital view forgets until a laptop is stolen from a car.
Controls are also classified by what they do: preventive (stop an incident), detective (spot one in progress), and corrective (recover afterward). A mature program layers all of these, defense in depth, so that a single failure does not become a breach.
Frameworks and standards
Information security programs are not built from scratch; they follow established frameworks that codify what good looks like.
- ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS). It is certifiable: an accredited body audits you against it, which is why customers and procurement teams ask for it. Its Annex A defines 93 controls across four themes: organizational, people, physical, and technological.
- NIST Cybersecurity Framework (CSF) 2.0, released in 2024, organizes security around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is outcome-based and flexible rather than prescriptive, which makes it a common structure for assessing and improving posture.
- CIS Controls are a prioritized, prescriptive list of safeguards, useful for teams that want a concrete starting checklist rather than a management system.
Many organizations run more than one: ISO 27001 for the formal certification customers require, NIST CSF for the continuous-improvement structure between audits. The control overlap between them keeps the extra effort manageable.
Building an information security program
Tools and frameworks do not make a program. Three things hold it together.
Governance and risk management. Security decisions are risk decisions: you cannot protect everything equally, so you identify what information matters most, what threatens it, and where to spend limited effort. Someone has to own the policy, the risk register, and the accountability. Without governance, controls are bought and never aligned to actual risk. Risk management makes that concrete: rank information by what its loss would cost, then spend first on the controls that reduce the largest risks. A public webpage and a database of medical records should not get the same protection, and making that call deliberately is the core of the discipline.
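To make "rank information by what its loss would cost, then spend first on the controls that reduce the largest risks" concrete, here is an added example (not from the article) of a minimal quantitative risk register. It uses the common annualized loss expectancy model (expected loss per incident multiplied by expected incidents per year), which is my choice of model rather than something the article prescribes; the assets, figures, and controls are constructed, and deliberately include the article's own contrast between a public webpage and a medical records database.

```python
"""A minimal quantitative risk register: rank assets by expected annual loss,
then rank candidate controls by net benefit. Added example; all data constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact_per_incident: float  # cost of one loss event, in currency units
    incidents_per_year: float   # estimated annual rate of occurrence

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: impact per incident x incidents per year."""
        return self.impact_per_incident * self.incidents_per_year


@dataclass(frozen=True)
class Control:
    name: str
    asset: str            # name of the asset the control protects
    annual_cost: float    # what it costs to run per year
    rate_reduction: float  # fraction by which it cuts incidents_per_year (0..1)


# Constructed register. Numbers are illustrative, not benchmarks.
ASSETS = [
    Asset("public marketing page", impact_per_incident=5_000, incidents_per_year=2.0),
    Asset("patient record database", impact_per_incident=4_000_000, incidents_per_year=0.05),
    Asset("HR spreadsheets", impact_per_incident=100_000, incidents_per_year=0.2),
]

CONTROLS = [
    Control("WAF on marketing site", "public marketing page", annual_cost=10_000, rate_reduction=0.5),
    Control("MFA and access reviews on DB", "patient record database", annual_cost=60_000, rate_reduction=0.6),
    Control("DLP on HR file shares", "HR spreadsheets", annual_cost=5_000, rate_reduction=0.5),
]


def rank_assets(assets: list[Asset]) -> list[str]:
    """Asset names ordered by expected annual loss, largest first."""
    return [a.name for a in sorted(assets, key=lambda a: a.ale, reverse=True)]


def control_benefit(control: Control, assets: list[Asset]) -> float:
    """Expected annual loss avoided minus the control's annual cost."""
    asset = next(a for a in assets if a.name == control.asset)
    return asset.ale * control.rate_reduction - control.annual_cost


def rank_controls(controls: list[Control], assets: list[Asset]) -> list[tuple[str, float]]:
    """(control name, net benefit) ordered so the best spend comes first.
    A negative benefit means the control costs more than the risk it removes."""
    scored = [(c.name, control_benefit(c, assets)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name in rank_assets(ASSETS):
        print("asset:", name)
    for name, benefit in rank_controls(CONTROLS, ASSETS):
        print(f"control: {name:32s} net benefit {benefit:>10,.0f}")
```

With these figures the database dominates the register even though an incident there is rare, and the web application firewall on the marketing page comes out with a negative net benefit: spending on it first would be exactly the reflexive, un-prioritized control buying the paragraph above warns about. In practice the likelihood and impact inputs are estimates, so the ranking is a tool for arguing about priorities, not a substitute for judgement.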
A current picture of the assets. You cannot protect information you do not know you hold. An inventory of data, systems, and who can access them is the precondition for every control, which is why the NIST CSF puts Identify and Govern first.
People who understand it. The skills gap is real, and most controls fail in the gap between a policy and what people actually do. Training closes part of it; skilled defenders who can run incident response, read a SIEM, and investigate an alert close the rest. The tool surfaces the signal; a person decides what it means.
Getting started with information security
If you are building the foundation, work from the principles outward.
- Internalize the CIA triad. For any system or control, ask which of the three properties it protects and which it might weaken. This is the lens everything else hangs on.
- Learn one framework. Read NIST CSF 2.0 or ISO 27001 and see how the abstract goal becomes concrete functions and controls.
- Map controls to threats. For each common threat, know which technical, administrative, and physical controls reduce it.
- Build hands-on defensive skill. The program is only as good as the people who can detect and respond. Practice real investigations.
The bottom line
Information security is the discipline of protecting the confidentiality, integrity, and availability of information, in every form it takes. The CIA triad is the lens: every threat breaks one of the three, every control defends one or more, and the real work is balancing them against what the information is worth. It spans technical, administrative, and physical controls, it is structured by frameworks like ISO 27001 and NIST CSF, and it is broader than cybersecurity even as the two overlap almost completely in practice.
The constant, as with every part of this field, is the person who can turn the principles into a working defense.
Frequently asked questions
Information security, or InfoSec, is the practice of protecting information from being stolen, changed, or made unavailable. It is built on three goals, known as the CIA triad: keeping information confidential (only the right people see it), intact (it is accurate and unaltered), and available (the people who need it can reach it).
The CIA triad is the core model of information security: confidentiality, integrity, and availability. Confidentiality keeps information from unauthorized disclosure, integrity keeps it from improper modification, and availability keeps it reachable when needed. Every security control protects at least one of these three properties, and most security failures are a breakdown of one of them.
Information security protects information in every form, digital, physical, and spoken, focusing on its confidentiality, integrity, and availability. Cybersecurity is the practice of defending digital systems and networks from attack. They overlap heavily; cybersecurity is often considered the part of information security that deals specifically with cyber threats.
Security controls fall into three categories: technical (logical) controls like encryption, firewalls, and access management; administrative (managerial) controls like policies, training, and risk assessments; and physical controls like locks, badges, and secure disposal. A strong program uses all three together, because each protects against what the others miss.
ISO/IEC 27001 is the international standard for an information security management system (ISMS). It defines the requirements for establishing and running a structured security program and is certifiable, meaning an accredited body can audit an organization against it and issue a certificate. The 2022 version includes 93 controls across organizational, people, physical, and technological themes.
Start by mastering the fundamentals: the CIA triad, the main types of control, and a framework such as NIST CSF or ISO 27001. Then build hands-on defensive skills (detection, investigation, and response) by working realistic intrusions in labs, since most information security roles ultimately need people who can protect and defend systems in practice.