
Handheld devices, encryption and mobile working extend information security beyond the office and require their own controls.
Information classification labels each document or dataset by its sensitivity, with the protection applied matching the classification.
Information security risks need to be identified, assessed and treated using a documented register that links each risk to the controls used to manage it.
This section of the Knowledge Base covers managing information security - protecting the information your organisation holds and processes, whether that is customer data, commercial information, intellectual property or staff records. It is UK-focused but written to be useful to readers elsewhere who can apply the same principles under their own local legislation.
The articles are written for the people doing the work - business owners, operations managers, IT managers and information security leads - rather than as academic guides. Each article picks a specific topic, explains the principles, gives practical advice on what to put in place, and points to the alphaZ documents that support that part of the management system.
Information security management is the set of policies, controls and processes an organisation uses to protect the confidentiality, integrity and availability of its information. It applies to information in any form - on servers and laptops, in cloud services, on phones, on paper, in conversations and in the heads of people who work for you.
The scope is broader than IT alone. Information security touches recruitment and leavers, supplier contracts, premises security, working from home, training, incident response and business continuity. A good information security management system pulls all of those threads together rather than treating them as separate concerns.
Most organisations think about information security in terms of the risks they actually face - phishing, malware, lost laptops, data breaches, ransomware, supplier compromise. Working from a documented risk register is the practical way to keep the controls in proportion to the threats.
Information security is not a technology problem with a technology answer. The technology is part of it, but the controls that catch the most risk are about people and process - who has access to what, who is trained to spot a phishing email, who knows what to do when something goes wrong, who is responsible for the cloud services adopted last quarter that nobody told the security team about. Get those right and the technology side is much easier. Get them wrong and even the most sophisticated technology stack will not save you, because attackers go after people, not firewalls.
There is no single piece of UK legislation that covers information security as a whole. Instead, several laws apply depending on the type of information and the type of incident.
The Computer Misuse Act 1990 makes unauthorised access to computer systems a criminal offence and is the main law used to prosecute hackers and insiders who misuse access. The Data Protection Act 2018 and the UK GDPR set out the rules for processing personal data, including the requirement to keep it secure and to notify the Information Commissioner's Office of significant breaches within 72 hours. The Network and Information Systems Regulations 2018 apply to operators of essential services and certain digital service providers, and the Privacy and Electronic Communications Regulations 2003 cover marketing, cookies and electronic messaging.
For most ordinary businesses the day-to-day legal pressure comes from data protection law and from the contractual security requirements imposed by customers. Articles in our Legal and Compliance section cover the data protection side in more detail; this section focuses on the controls that put security into practice.
ISO 27001 is the international standard for information security management systems. It sets out requirements for establishing a documented system, identifying and treating information security risks, implementing a defined set of controls (the Annex A controls), and continually improving the system. Certification is voluntary but is increasingly expected by larger customers and by anyone procuring services that handle their data.
An organisation does not need to be pursuing certification to benefit from the structure ISO 27001 provides. The risk-based approach, the documented controls, the requirement to identify legal obligations and the focus on management review are all useful regardless of whether a certificate is the goal. Detailed guidance on the standard itself sits in our ISO 27001 section.
The information security articles in this section line up directly with the controls auditors look for: the risk register, access control, awareness and training, incident response, supplier management, physical security and business continuity. The detail varies between organisations but the structure is consistent. An organisation that has the basics in place across each of these areas is in a strong position whether or not it is going for ISO 27001 certification.
For organisations new to information security, the practical starting point is to identify what information you hold, where it is, who has access to it, and what would happen if it was lost, leaked or made unavailable. From there a register of risks and controls can be built up, and policies and training added to support the controls.
The articles in this section walk through the main areas to consider, the controls that work in practice, and the alphaZ documents available to support each topic. Information security tends to look more daunting from the outside than it is once the work is broken down into manageable parts.
The biggest mistake we see is organisations trying to do everything at once. The best results come from picking the few areas that carry the most risk and building the controls there before moving on to the rest.
