Information security: what it is, its pillars and how to apply it

Resposta direta

Information security is the discipline that protects data and information assets — in any medium, digital or physical — against unauthorized access, improper alteration and unavailability. It is based on the CIA triad (confidentiality, integrity and availability), extended by authenticity and non-repudiation. It is implemented through an Information Security Management System (ISMS) structured on ISO/IEC 27001, NIST CSF 2.0 controls and CIS Controls, and it is a direct requirement for LGPD compliance.

Principais conclusões

  • Information security protects data in any medium — digital, physical or human — through the principles of confidentiality, integrity and availability (the CIA triad), extended by authenticity and non-repudiation.
  • ISO/IEC 27001:2022 is the reference standard for a structured ISMS, with 93 controls across 4 themes; its certification is required in tenders, enterprise contracts and regulated sectors.
  • The LGPD requires technical and administrative measures proportional to the criticality of the personal data processed; the absence of documented controls aggravates ANPD sanctions.
  • The human factor accounts for more than 68% of incidents — MFA, phishing training and a culture of classification drastically reduce risk without major technology investments.
  • Technical controls (encryption, MFA, SIEM, EDR), physical controls (facility access, media destruction) and administrative controls (policies, training, NDAs) are complementary and all necessary.
  • Information classification is the prerequisite of any program: without knowing what exists and how much it is worth, it is impossible to size controls or demonstrate auditable compliance.

Technical definition and scope

Information security is the systematic set of policies, controls, processes and technologies applied to preserve the confidentiality, integrity and availability of an organization's information assets — regardless of whether the data is stored on a server, moving across a network, printed on paper or held in an employee's memory. The discipline stems from a simple premise: information has strategic, operational and legal value, and its compromise generates financial loss, legal liability and reputational damage.

Contrary to common belief, information security is not synonymous with antivirus or firewalls. It is a governance function with an executive owner, a dedicated budget, measurable indicators and a continuous improvement cycle. The ISO/IEC 27001:2022 standard — the international reference — defines the minimum requirements for an Information Security Management System (ISMS) and requires the organization to identify its assets, assess risks, select controls and periodically review the effectiveness of the measures adopted. In Brazil, ABNT NBR ISO/IEC 27001 is the ratified version and serves as the criterion for auditable certification.

It is essential to distinguish information security from cybersecurity, terms frequently used as synonyms but with different scope. Information security is the broader field: it encompasses digital and analog assets, human processes and physical controls. Cybersecurity is a subset focused on protecting computer systems, networks and digital data against cyberattacks. Every cybersecurity program is part of information security, but a complete ISMS goes further — it includes, for example, the protection of printed documents, the management of third parties with access to sensitive information, and the control of physical access to facilities.

The CIA triad and the extended principles

The theoretical and practical foundation of information security is the CIA triad — Confidentiality, Integrity and Availability. Confidentiality ensures that information is accessible only to those with explicit authorization: a customer contract cannot be read by an intern with no need to know it, and health data cannot travel without encryption. Integrity ensures that information has not been altered in an unauthorized way during storage or transit — a tampered audit log or a configuration file modified by malware are integrity breaches. Availability ensures that systems and data are accessible to legitimate users when needed — a denial-of-service (DDoS) attack that takes down a fintech's payment authorization system directly violates this principle.

Beyond the triad, two complementary principles are critical in regulated environments. Authenticity ensures that a user, system or message is genuinely who it claims to be — implemented through multi-factor authentication (MFA), digital certificates and cryptographic signatures. Non-repudiation prevents a party from denying that it performed an action: a user who approves a transfer cannot later claim that the record is false. These two principles are required directly in electronic contracts, in payment systems regulated by the Central Bank, and in digital forensics where the chain of custody must be inviolable.

NIST CSF 2.0 (Cybersecurity Framework, version 2.0, published in 2024) organizes security practice into six functions — Govern, Identify, Protect, Detect, Respond and Recover — that map onto the CIA triad and add the dimension of resilience. An organization that only worries about protecting (confidentiality and integrity) but does not invest in Detect and Respond will be unprepared when an inevitable breach occurs. CIS Controls v8, from the Center for Internet Security, complements this with 18 controls prioritized by impact, starting with asset inventory — you cannot protect what you do not know exists.

Information classification: the treasure map

Before applying any control, the organization needs to know what it is protecting. Information classification is the process of categorizing information assets by level of sensitivity and, consequently, defining which controls apply to each category. ISO/IEC 27001 requires the organization to classify its information assets (Control 5.12 of Annex A in the 2022 version); ISO/IEC 27002:2022 details how to implement this classification.

In practice, most organizations adopt four levels: Public (can be freely disclosed, such as the corporate website), Internal (restricted to employees, but with no critical impact if leaked), Confidential (access limited to specific teams, such as commercial strategies, contracts and financial data) and Secret or Restricted (severe impact if exposed, such as trade secrets, employee health data or investigation information). Each level requires proportional controls: Confidential data must be encrypted at rest and in transit, travel only through secure channels and have audited access; Public documents do not need these safeguards.

Classification has a direct impact on LGPD compliance (Law 13.709/2018). Personal data and, in particular, sensitive personal data — defined in Article 5, item II of the law — require differentiated treatment, with an explicit legal basis, adequate security measures and, in the event of an incident, notification to the ANPD and to data subjects. Without formal classification, the organization cannot demonstrate to the ANPD that it applied the technical and organizational safeguards required by Article 46, exposing itself to sanctions of up to 2% of revenue, capped at BRL 50 million per infraction.

Information Security Management System (ISMS) and ISO 27001

An ISMS — Information Security Management System — is the structured set of policies, procedures, responsibilities and controls that an organization deploys, maintains and continuously improves to manage information security risks. ISO/IEC 27001:2022 is the standard that specifies the requirements of an ISMS and against which organizations can be certified by accredited third-party auditors. ISO 27001 certification is now required in government tenders, contracts with large corporations and, in many regulated sectors, is a tacit market requirement.

The ISMS structure follows the PDCA cycle (Plan-Do-Check-Act): in the Plan phase, the organization defines the scope, identifies risks and selects controls from Annex A of the standard (93 controls organized into 4 themes: organizational, people, physical and technological); in the Do phase, it implements the controls and trains employees; in the Check phase, it conducts internal audits, effectiveness measurements and management reviews; in the Act phase, it corrects nonconformities and improves the system. This cycle must complete at least one full turn per year — external recertification auditors verify exactly this.

Implementing a certifiable ISMS is not trivial. Mid-sized organizations typically take 9 to 18 months to reach sufficient maturity for the initial audit. The effort involves: a gap analysis against the 93 controls; drafting the information security policy and mandatory documents (statement of applicability, risk treatment plan, asset register); deploying technical controls (encryption, access control, monitoring); training employees; and running internal audits before the certification audit. Decripte conducts this entire process — from gap analysis to preparation for the certification audit — for companies of any size.

Technical, physical and administrative controls

Information security controls fall into three complementary categories, and a robust program needs all three. Technical controls are implemented in systems and technologies: encryption of data at rest (AES-256) and in transit (TLS 1.3), multi-factor authentication (MFA), identity and access management (IAM), monitoring via SIEM (Security Information and Event Management), endpoint detection and response (EDR), network segmentation and continuous vulnerability scanning. CIS Controls v8 prioritizes these mechanisms by impact: the first six controls (asset inventory, software, data protection, secure configurations, account management and access control) cover the majority of documented attack vectors.

Physical controls protect the infrastructure where information lives: access control to data centers and server rooms (biometrics, cards, cameras), secure destruction of media (degaussing, certified shredding), clean desk and clean screen policies, and protection against physical disasters (fire, flooding, power failure). In public cloud environments, these controls are the provider's responsibility (AWS, Azure, GCP) under the shared responsibility model — but the organization remains responsible for what runs on top of the infrastructure.

Administrative controls are the policies, processes and human structures: the information security policy, data classification and handling procedures, confidentiality agreements (NDAs) with employees and third parties, the training and awareness program, a formal incident management process, a business continuity plan (BCP) and a disaster recovery plan (DRP). NIST SP 800-53 and ISO/IEC 27002:2022 provide the most complete catalogs of controls with implementation guidance. The effectiveness of any security program depends on the balance between the three categories: a technical control without a policy is a tool without an owner; a policy without a technical control is paper without execution.

Annual security reports — including the Verizon Data Breach Investigations Report (DBIR) — consistently show that more than 68% of incidents involve human error as a primary vector or aggravating factor: reused credentials captured by phishing, files sent to the wrong recipient, misconfigurations due to lack of knowledge, use of public Wi-Fi without a VPN. This does not mean that people are the weak and lazy link — it means that systems are designed in a way that makes the user's natural behavior insecure. A mature program fixes the systems and trains the people.

For any employee, regardless of role, there are practices that drastically reduce personal and organizational risk. Unique, long passwords (minimum 16 characters) managed by a password vault (such as Bitwarden or 1Password), combined with app-based MFA, eliminate the credential stuffing vector. Identifying phishing emails — checking the sender's real domain, not clicking unexpected links, confirming transfer or data-change requests through a separate channel — is the main line of defense against the highest-impact financial attacks. Not mixing personal and corporate devices without controls (MDM) prevents a game or malicious app on a personal phone from becoming the entry point into the company's network.

Classification awareness is equally critical: knowing that a given customer contract is Confidential and therefore must not be sent via personal email, stored in a personal Dropbox or discussed in a meeting with external guests without cause, is information security in practice. CERT.br publishes security booklets and guides for end users aligned with these practices, available free of charge and updated regularly. An effective awareness program — with monthly phishing simulations, short training sessions (microlearning) and improvement indicators — reduces the click rate on simulated phishing from 30–40% (with no training) to less than 5% within 12 months, according to data from KnowBe4 and Proofpoint.

How Decripte implements information security in companies

Decripte is a Brazilian cybersecurity company that serves organizations exclusively — from startups with 1 employee to corporations with more than 100,000 people — in the implementation and ongoing management of information security programs. The scope ranges from the initial gap analysis to preparation for ISO/IEC 27001 certification, covering the implementation of auditable technical controls, LGPD compliance, incident response and team training.

The starting point is always the assessment: a structured gap analysis against the 93 controls of ISO/IEC 27001:2022 and the functions of NIST CSF 2.0, which delivers a precise map of what is already implemented, what is partially in place and what is missing — with risk-based prioritization and a realistic implementation roadmap. From this assessment, Decripte drafts or revises the information security policy, defines the asset classification methodology, implements or strengthens technical controls (MFA, SIEM, EDR, vulnerability management) and establishes the formal incident management process with a documented SLA.

For organizations undergoing LGPD alignment, Decripte integrates the law's requirements into the ISMS: mapping of personal data flows, definition of legal bases, drafting of privacy notices, implementation of technical controls proportional to data criticality and structuring of the ANPD incident notification process. The result is an information security program that not only protects the organization but demonstrates that protection in an auditable way — the difference between having security and being able to prove that you have it, which matters in contracts, in audits and, eventually, in regulatory investigations.

Passo a passo

  1. Conduct a formal gap analysis against the 93 controls of ISO/IEC 27001:2022 and the six functions of NIST CSF 2.0 to map the current state, identify gaps and prioritize actions by risk level.
  2. Define the scope of the ISMS — the business unit, the product or the entire organization — and secure formal sponsorship from senior leadership, without which the program will not advance beyond paper.
  3. Draft the information security policy, the asset classification methodology and the standard's mandatory documents (statement of applicability, asset register, risk treatment plan).
  4. Implement the priority technical controls: multi-factor authentication on all critical systems, encryption of sensitive data at rest and in transit, centralized identity management and log monitoring via SIEM.
  5. Launch the awareness program: classification and best-practice training (at least annually), monthly phishing simulations with immediate feedback and progress indicators reported to leadership.
  6. Run internal audits at least once a year, documenting nonconformities, root causes and corrective action plans — the continuous improvement cycle is the heart of the ISMS and what external auditors verify.
  7. Review the ISMS at least annually or after significant changes in the business, technology or regulatory environment, updating the risk assessment and the statement of applicability to keep the certification valid and the program aligned with operational reality.

Perguntas frequentes

What is the difference between information security and cybersecurity?

Information security is the broader field, which protects data in any medium — digital, physical or human. Cybersecurity is a subset focused specifically on protecting digital systems, networks and data against cyberattacks. A complete information security program includes cybersecurity but goes further: it covers printed documents, physical access controls and third-party management.

What is the CIA triad in information security?

CIA is the acronym for the three fundamental principles: Confidentiality (only authorized people access the information), Integrity (the information is not altered in an unauthorized way) and Availability (systems and data are accessible when needed). These three principles guide the selection of controls in any ISMS and serve as the basis for assessing the impact of incidents.

What is ISO 27001 and why should a company pursue certification?

ISO/IEC 27001 is the international standard that specifies the requirements of an Information Security Management System (ISMS). Certification, issued by accredited third-party auditors, demonstrates that the organization has identified its risks, implemented proportional controls and maintains a continuous improvement cycle. It is required in government tenders, contracts with large corporations and regulated sectors, and it reduces cyber insurance premiums.

Does the LGPD require information security measures?

Yes. Article 46 of the LGPD requires processors and controllers to adopt technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations. The ANPD may require demonstration of these measures and, in the event of an incident involving personal data, the absence of adequate controls aggravates the sanctions, which reach up to 2% of revenue, capped at BRL 50 million per infraction.

What are the most important controls to start an information security program?

CIS Controls v8 prioritizes: asset inventory (you do not protect what you do not know), vulnerability management, email and browsing protection, access control and multi-factor authentication, and log monitoring. For smaller companies, CERT.br provides free guides aligned with these practices as a starting point before a formal ISMS.

How does information classification relate to data protection?

Classification defines the sensitivity level of each information asset — Public, Internal, Confidential or Restricted — and determines which controls apply. Without classification, the organization treats all data the same way, under-applying controls on critical data or wasting resources on low-risk data. Under the LGPD, sensitive personal data mandatorily require differentiated classification and controls.

Why does phishing remain the main attack vector?

Phishing exploits human behavior, not a technical vulnerability, making it effective even against organizations with robust infrastructure. A single captured credential can compromise the entire network if there is no MFA and segmentation. Awareness programs with periodic simulations reduce the click rate from 30–40% to less than 5% within 12 months, according to market benchmarks.

How long does it take to implement an ISO 27001-certifiable ISMS?

Mid-sized organizations typically take 9 to 18 months between the initial gap analysis and the certification audit. The timeframe varies according to the defined scope (the entire organization or a specific unit), the maturity of existing controls and the speed of senior leadership engagement. A precise assessment at the outset avoids rework and defines a realistic roadmap.

Want to implement an ISMS and ISO 27001 with real technical controls?

Decripte implements information security for companies of all sizes — policies, auditable controls, LGPD/ISO 27001 compliance and incident response. Start free or see the plans.