All engineering organisations hold information that they value, and that value needs protecting. Within an organisation, some individuals carry formal responsibility for protecting the value of information. Giving those responsible persons justified confidence that the security measures protecting the organisation's valuable information are actually doing so is the realm of information security management.
Why an organisation values a given item of information varies from organisation to organisation and from item to item, and so do the properties of the information that give it its value. Some information is ‘special’, such as knowledge that gives the organisation a competitive advantage; if that information leaks to a competitor, its value is reduced (the property at stake is confidentiality). Some information ‘controls’ the organisation's processes; if this controlling information is altered, the processes it drives may misbehave and its value is reduced (the property at stake is integrity). Some information shapes external perception of the organisation's ability to function; if external parties come to believe that such public-facing information is not under the organisation's control, future opportunities may be lost through loss of trust (the property at stake is the organisation's demonstrable control over what it publishes, and its availability when needed).
Determining the relationship between the properties of information that give it value, the vulnerability of those properties to degradation, the threats that might exploit that vulnerability, and the resulting impact on the organisation when such an event occurs is the realm of information risk management. Controls can be applied at each point in that chain: reducing the vulnerability (for example, hardening or patching a system), reducing the likelihood of the threat materialising (for example, restricting who can reach the system at all), or reducing the severity of the impact (for example, keeping tested backups so that altered data can be restored). Any of these enhances information security, and choosing among them is a risk decision rather than a purely technical one.
Information security management should give those responsible for information security the confidence that the measures protecting it are doing what they are supposed to do. It is about having strategy, policy, processes, behaviours, and technology in place and coherently supporting each other, so that no control depends on an assumption that another part of the system does not actually uphold.