Information security objectives versus security objectives
The terms ‘information security objectives’ and ‘security objectives’ are related, but may differ in scope and application depending on the context.
Information security objectives are specifically focused on the protection of information assets, whereas security objectives cover a broader range of security concerns, including physical and operational security. Information security objectives typically form part of an organisation's overall security objectives and focus on the protection of data and information systems.
Security objectives, on the other hand, cover all aspects of protecting an organisation's assets, including people, facilities and operations, in addition to information.
Information security objectives are typically defined in frameworks such as ISO/IEC 27001, which are specifically focused on information security. Security objectives may also be defined in broader frameworks such as ISO 31000 (risk management) or ISO 22301 (business continuity management).
In summary, information security objectives are specifically focused on the protection of information, whereas security objectives cover a broader range of concerns, including but not limited to information security, and deal with the general protection of an organisation's assets.
Information security objectives
Focus on information: Information security objectives specifically address the protection of information assets, including data and the systems that process, store and transmit that data. They are typically aligned with the core principles of information security known as the CIA Triad:
Confidentiality: ensuring that information is only accessible to authorised persons.
Integrity: protecting the accuracy and completeness of information and processing methods.
Availability: ensuring that authorised users have access to information and associated resources when required.
Examples:
- Protecting sensitive customer data from unauthorised access.
- Ensuring the availability of critical business systems in the event of a cyber attack.
- Maintaining the integrity of financial records.
The three CIA information security objectives (confidentiality, integrity and availability) are extended in many companies and security specifications by two further information security objectives: authenticity and non-repudiation.
The information security objectives are usually part of an organisation's information security management system (ISMS), which is based on standards such as ISO/IEC 27001.
Security objectives
Security objectives have a broader scope and can include physical security, personnel security, operational security and more. They cover all aspects of securing an organisation's assets, not just information.
Security objectives may include protecting physical assets (such as buildings), ensuring the safety of personnel, securing operational processes and managing the risks associated with various threats (e.g. physical theft, espionage or natural disasters).
Examples:
- Securing the physical premises against unauthorised access.
- Ensuring the safety of employees in the workplace.
- Protecting critical infrastructure from physical and cyber threats.
Security objectives are usually part of a broader risk management strategy or a comprehensive security management system (SMS) that covers several types of security, including physical, personnel and information security.