Information Security vs Information Assurance

Getting Started with Information Security

This course introduces you to the fundamentals of information security. You'll learn what information security is, the difference between information security and information assurance, as well as the fundamentals of information security.

Learning Objectives

  • Get a foundational understanding of information security
  • Understand the difference between information security and information assurance
  • Learn the fundamentals of information security

Intended Audience

This course is intended for anyone who wants to improve their knowledge of risk management in an information security context.

We recommend taking this course as part of the IT Security Fundamentals learning path.

Information Security and Information Assurance. What do we understand about these terms?

Assurance is more the overall strategy for a company, whereas security is how we're going to go about the strategy. Assurance is definitely more strategy-focused.

So we see cyber security as the bottom rung of the ladder. When we talk to people, they think that cyber security is information security, but it's not. It's different. Cyber security is technical security. It's the antiviruses, it's the intrusion detection systems, it's your firewalls. It's all of that type of stuff. Just technically focused. It doesn't deal with some of the other stuff we're going to talk about when we get to information security, which consequently is the second rung of the ladder.

Our information security is now where we get to talk about things that are not just technical, but things that are physical. We're talking about not just digital transformation, we're talking about analog information as well, for example, paper-based documents. 

But we're now dealing with people as well. And buildings. And physical security. And all these different areas of security now. So it's not just technical, as we had before, because down in the first rung of the ladder it was all technical. 

But we’re now looking at physical. We are looking at digital and analog. We're looking at people. And all the rest. So, essentially, information in all its different forms. People. Buildings. And all the rest.

It doesn't separate itself from cyber security, it encompasses it. And that's what we're trying to say. We're then building up something that has to give us reason for actually using those things. That is what we would call our risk assessments and our risk management, which is the third rung of the ladder.

So, risk assessments and risk management. This is the area where we're now beginning to really think about the company itself and not just, "Oh, we need some antivirus. Ah, we should probably have some CCTV." Instead, now we're doing risk assessments to see what the risks are for our organization, and we're then applying the information security and cyber security controls as they pertain to our organization. Some things that are risks for you aren't risks for me. Some things that we both recognise as risks don't have the same impacts, so the controls that we put in place won't be the same.

For example, we could have two businesses - A and B. The impact for business A is 500,000 pounds. The impact for business B is 500,000 pounds as well. 500,000 pounds will cripple business A. Whereas 500,000 pounds won't cripple business B. So that's when we begin to put controls in place depending on how we react—or wish to react—to the risk.

Here in the fourth rung of the ladder, we have information assurance, and its cousin, information governance: IA and IG. They are two sides of the same coin. Very closely connected.

One is focused on compliance, feeding the information governance: compliance, records management, all of that type of stuff.

One is focused on the assurance that everything we're doing down here is correct, and also that we're in line with the things that our business needs to be in line with. So that's why they can't be separated because information assurance is almost information governance. In fact, the information that we get out of information assurance we feed into information governance to make sure we're compliant, and up to date with all our standards and all the rest.

Here with information assurance, we will do audits. We will do our ISO 27001 frameworks, and get certified through those things. 

Compliance. Are we compliant with our contracts? How does this plan in with our SLAs? So, they all come together. But assurance is the idea that what we're doing here under risk management is actually working. So there has to be a framework or a matrix to feed that information back, so that we get that assurance.

And that's the business side of information security.

At this area here we are now strategic. So these are the board-level decisions. The decisions that are also being made by the board. Not so much risk assessments but the risk management overall, because they'll be responsible for managing risk.

And then this area here, these are gold, if you will... These are silver. And these are our bronze… in terms of the functions that are being served in the organization.

So we find our employees in different sections. So we find this being like middle management. And this is very much our executives. And our C suites.

About the Author

Originating from a systems administration/network architecture career, he spent a solid part of his career building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber-orientated, especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.