ABSTRACT

This material provides the basis for an introduction to the information security management system (ISMS), which is the foundation for achieving ISO 27001 certification.

Cornerstones of Information Security

Traditional organizational assets are predominantly tangible: property, equipment, buildings, desks, money, or other negotiable assets such as gold. Security concerns were therefore mostly physical, in the form of guards, walls, vaults, and safes. Organizational assets today also include virtual assets, such as intellectual property held in electronic media (e.g., word-processing files, spreadsheets, and databases). Moreover, negotiable assets are now bits on a hard drive, and transactions are executed as bit transfers over a network, wired or wireless. Organizational wealth is largely represented by these bits; hence there is a need to protect them through information security controls.

The traditional view of information security rests on three cornerstones: confidentiality, integrity, and availability, also known as the CIA of information security. Confidentiality, integrity, and availability are security objectives. The intent of confidentiality is to ensure that only authorized personnel may access information or, conversely, that information is not disclosed to unauthorized persons or entities (e.g., an automated system or service). To ensure integrity is to guard against unauthorized modification or destruction of information, so that the information remains in the form its creator intended; a loss of integrity is the unauthorized modification or destruction of information. Availability ensures that information is ready for use when needed; a loss of availability is the disruption of access to or use of information or an information technology. Figure 1.1 illustrates the three cornerstones of confidentiality, integrity, and availability (CIA). FIPS PUB 199 contains more detail on the three cornerstones of information security.