Cyber Security, Enterprise Risk Management, General, Information Security Governance

What’s the difference between Information Security and Cyber Security?

A few years back, I was presenting my three-year Information and Cyber Security Program and, to my surprise, not all Information Technology (IT) executives understood Information Security (INFOSEC), let alone Cyber Security (CYBERSEC). What are the possible relations between these two fields of security?

What is INFOSEC?

Let's start with the definition of INFOSEC given by the widely accepted international standard, the ISO/IEC 27000 series.

ISO/IEC 27000:2009 definition:

2.33 Information security – preservation of confidentiality, integrity and availability of information. Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.

According to the SANS Institute, Information Security refers to:

the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.


What about CYBERSEC?

According to ISO/IEC 27032:2012 Information technology — Security techniques — Guidelines for Cyber Security:

"Cybersecurity" or "Cyberspace security" is defined as the "preservation of confidentiality, integrity and availability of information in the Cyberspace".

The National Initiative for Cybersecurity Careers and Studies (NICCS) defines it as:

The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.

Extended Definition: Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.

Adapted from: CNSSI 4009, NIST SP 800-53 Rev 4, NIPP, DHS National Preparedness Goal; White House Cyberspace Policy Review, May 2009


International Telecommunication Union (ITU), Recommendation ITU-T X.1205: Overview of cybersecurity (2008):

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability, Integrity, which may include authenticity and non-repudiation, and Confidentiality



Cyber security, as commonly perceived, is a broad practice demanding mastery of a number of specialised technical skills from its most effective practitioners: ensuring that servers, network devices, intranets, and the channels built for data transfer remain protected and accessible only to those authorized. Note, however, that every definition quoted above scopes it to assets and information "in the cyber environment" or "in cyberspace".

Information security is commonly defined (this is the definition used in U.S. federal law, 44 U.S.C. § 3542, and reused in NIST publications) as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." Any point of data storage and transfer is considered an "information system", which means this practice applies to a wide variety of environments, including those outside the cyberspace sphere: paper records, physical media, and people and processes that handle information. Comparing the two sets of definitions, cyber security is therefore best understood as the subset of information security that deals with information and assets in cyberspace, while information security covers the confidentiality, integrity and availability of information in any form.



Sources:

  1. NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)
  2. SANS Institute
  3. International Organization for Standardization (ISO)
  4. Center for Cyber and Information Security




April 2016
Daniel Vizcayno's Insights, WordPress.com