The most important thing in brief:
- Information security protects all of a company's information — digital and analog — through the three protection goals of confidentiality, integrity and availability (CIA triad). IT security is just one part of this.
- Since December 2025, the NIS 2 Implementation Act has been in force. It obliges around 30,000 German companies to implement specific security measures, reporting duties and risk management, with personal liability of management.
- Information security cannot be implemented without an up-to-date overview of your own IT landscape. Anyone who does not know their systems, authorizations and data flows can neither assess risks nor react in an emergency.

What is information security?
Information security is the protection of all types of information from dangers and threats. Its objective is to prevent economic damage and minimize risk by ensuring confidentiality, integrity and availability. Contrary to what is often assumed, information security is not limited to firewalls and passwords: it includes organizational, technical, personnel and infrastructural measures in equal measure.
The term deliberately goes beyond pure IT. Information security concerns digital data on servers as well as paper documents in archives, knowledge in the minds of employees or oral agreements in meetings. An example: a food manufacturer's handwritten recipe is just as worthy of protection as its customer database, and information security requires the same systematic protection approach for both. It is not the medium that is decisive, but the value of the information for the organization.
In practice, information security is based on the international standard ISO/IEC 27001 (part of the ISO/IEC 27000 series) and on BSI IT-Grundschutz (IT baseline protection). Both frameworks provide methods for designing information security not as an individual measure but as an ongoing process, via a so-called information security management system (ISMS). An ISMS defines responsibilities, systematically assesses risks and ensures that protective measures are regularly reviewed and adjusted.
What are the protection goals of information security?
The three basic values of information security are summarized, after their English names, as the CIA triad: Confidentiality, Integrity, Availability. In line with ISO 27001, BSI IT-Grundschutz uses these three goals as the binding framework for every protection requirements analysis.
Confidentiality ensures that information is only accessible to authorized persons. In practice, this means: who can see which data, and is this properly regulated? Even an unlocked screen in an open-plan office or an unencrypted email with personal data can violate confidentiality.
The protection goal integrity is about keeping information accurate and complete. Changes must be traceable. If a financial spreadsheet is manipulated without anyone noticing, integrity is violated, with potentially far-reaching consequences for business decisions and compliance.
Availability means that systems and information can be used when they are needed. A ransomware attack that encrypts all files is a classic attack on availability. So is a simple server failure without a working backup concept, and that is more common in SMEs than many admit.
There is a tension between these three goals. Anyone who restricts access to data too tightly (confidentiality) risks that authorized users can no longer work (availability). Information security is therefore always a balancing act in which the weighting depends on the specific protection requirements of the respective information.
In addition to the CIA triad, there are extended protection goals: authenticity (the origin and genuineness of information can be verified), non-repudiation (actions can be attributed to a person and cannot later be denied) and accountability. These come into play in particular when regulations such as the GDPR or industry-specific rules demand additional evidence.
What is the difference between information security and IT security?
The terms information security, IT security and cybersecurity are often used synonymously — but they mean different things. This confusion is not harmless: If you don't know the difference, you may be investing in the wrong protective measures.
IT security is a sub-area of information security. It focuses on protecting IT systems: hardware, software, networks and the data stored on them. Firewalls, anti-virus software, patch management, and access controls to digital systems fall under IT security. IT security is technical and primarily addresses digital threats.
Information security includes IT security but goes further. It also includes non-technical measures: access controls to buildings, guidelines for handling confidential documents, training for employees or regulations for meeting rooms where sensitive topics are discussed. Anyone who only operates IT security protects the technology — but not necessarily the information.
One example makes the difference tangible: An organization has a state-of-the-art firewall and encrypted servers. At the same time, confidential contract documents are lying unsecured in a meeting room, and ex-employees still have access to the office building. IT security would be intact — information security would not.
Cybersecurity, in turn, is often understood as an umbrella term for threats from the digital space, including attacks via networks and the Internet. The distinction between IT security and cybersecurity is fluid; in essence, cybersecurity is about protection against external cyber attacks. In practice, the boundaries are blurred; more important than the exact definition of the term is the understanding that information security provides the broadest protection framework and includes all other disciplines.
Why will information security become mandatory in 2026?
Suppose you have to prove by the end of the quarter that your organization meets information security requirements. The audit is imminent, management is asking about the current risk status, and you know: the documentation is incomplete, the last inventory was taken months ago, and no one can say with certainty whether all permissions still apply. Many IT managers in German-speaking countries are familiar with this scenario, and since 2026 it has affected significantly more companies than ever before.
For many organizations, information security was a purely voluntary measure — nice to have, but not legally enforced. That has fundamentally changed.
Since December 6, 2025, the NIS 2 Implementation Act has been in force in Germany. Around 30,000 companies are affected: not only operators of critical infrastructures, but also medium-sized companies with at least 50 employees or 10 million euros in annual turnover in 18 sectors, from energy to healthcare and from logistics to manufacturing.
The obligations are specific: set up risk management, submit an initial report of security incidents within 24 hours, secure supply chains, train employees, and register with the BSI within three months. The registration period ended on March 6, 2026.
What many IT managers underestimate: management is personally liable. Section 38 of the new BSI Act requires managing directors and board members to attend cybersecurity training regularly and to monitor the implementation of measures. Violations can result in fines of up to 10 million euros or 2 percent of annual worldwide turnover.
The BSI situation report for 2025 also underlines the urgency: on average, 119 new vulnerabilities in IT systems became known per day during the reporting period, an increase of around 24 percent compared to the previous year. Small and medium-sized companies are particularly frequent targets of ransomware attacks because they often lack the resources for systematic protection.
What has changed in information security in 2025/2026?
The past twelve months have significantly shifted the framework conditions for information security in Germany. What was previously considered best practice is now a legal obligation, and regulators are stepping up supervision.
The NIS 2 Implementation Act not only brings new obligations, but also new supervisory practice. Since January 2026, the BSI reporting portal has been active; affected companies use it to report security incidents and to complete their registration. The regulation is now operational, not just on paper.
At the same time, the BSI is modernizing IT-Grundschutz. Under the project name "Grundschutz++", the previous set of rules is being converted into a machine-readable format, which enables partly automated compliance checks. The start was planned for January 2026, and a transition phase will run until 2029. For companies that have so far worked according to IT-Grundschutz, this means: the methodology is changing, and anyone who does not plan early risks a gap between the old and the new standard.
In the European context, further regulations are tightening the requirements: The Data Act will reach its second stage of application in September 2026, the Cyber Resilience Act sets requirements for the security of connected products, and the GDPR remains an ongoing task. Information security is therefore no longer an isolated IT issue, but a cross-divisional compliance area.
How do you start with information security in your company?
The most common mistake when starting out in information security: wanting too much at once. Anyone who tries to set up an ISMS, seek ISO 27001 certification and implement all BSI modules at the same time will get stuck.
It makes more sense to take a step-by-step approach that starts with an honest inventory.
You can't assess risks if you don't know which systems you're running, who has access to what, and where sensitive data is stored. Up-to-date, complete IT documentation is not only mandatory for every ISMS — it is a prerequisite for being able to make well-founded security decisions at all. Many companies fail at this point because their documentation is outdated, incomplete, or scattered across dozens of Excel lists.
It is only on the basis of this inventory that the protection requirements analysis follows: What information is essential for your company's survival? What should never fall into the wrong hands, and which systems must be available around the clock? The answers to these questions determine which measures have priority — and prevent you from spending resources on areas that are less critical.
Based on this, you define measures: technical measures such as encryption and access controls, but also organizational measures such as guidelines, training and emergency plans. BSI IT-Grundschutz offers a tried and tested methodology for this, which is also suitable for organizations that do not yet operate a complete ISMS.
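The three steps above (inventory, protection requirements analysis, prioritization of measures) as a worked example. This is added illustrative code, not part of the original article or of any vendor's product; the inventory, the user roster and the system names are constructed. The derivation of a system's protection need from the information it processes follows the BSI IT-Grundschutz maximum principle (a system inherits the highest need of any information it handles), and the stale-authorization check shows why an up-to-date inventory of who has access to what is a prerequisite for the authorization review mentioned earlier.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Need(IntEnum):
    """Protection-need levels used in BSI IT-Grundschutz, ordered so max() works on them."""
    NORMAL = 1
    HIGH = 2
    VERY_HIGH = 3


GOALS = ("confidentiality", "integrity", "availability")


@dataclass
class InfoAsset:
    """An item of information with a protection need per CIA goal."""
    name: str
    confidentiality: Need
    integrity: Need
    availability: Need


@dataclass
class System:
    """An IT system from the inventory: which information it processes and who holds access."""
    name: str
    processes: list[str]                                  # names of InfoAssets handled here
    grants: dict[str, str] = field(default_factory=dict)  # user -> role


# Constructed sample inventory (illustrative only, not real data).
ASSETS = {
    "recipe": InfoAsset("recipe", Need.VERY_HIGH, Need.HIGH, Need.NORMAL),
    "customer_db": InfoAsset("customer_db", Need.HIGH, Need.HIGH, Need.HIGH),
    "cafeteria_menu": InfoAsset("cafeteria_menu", Need.NORMAL, Need.NORMAL, Need.NORMAL),
}

SYSTEMS = [
    System("erp01", ["customer_db"], {"alice": "admin", "bob": "reader"}),
    System("fileserver", ["recipe", "cafeteria_menu"], {"alice": "reader", "carol": "admin"}),
    System("intranet", ["cafeteria_menu"], {"dave": "editor"}),
]

# Constructed HR roster: carol has left the company but still holds a grant on the file server.
ACTIVE_USERS = {"alice", "bob", "dave"}


def system_protection_need(system: System, assets: dict[str, InfoAsset]) -> dict[str, Need]:
    """Maximum principle: per goal, a system needs the highest level of any asset it processes.

    A system that processes nothing from the inventory defaults to NORMAL; that is itself a
    finding, because either the inventory is incomplete or the system has no business purpose.
    """
    needs = {goal: Need.NORMAL for goal in GOALS}
    for asset_name in system.processes:
        asset = assets[asset_name]  # a KeyError here means the inventory is inconsistent
        for goal in GOALS:
            needs[goal] = max(needs[goal], getattr(asset, goal))
    return needs


def prioritized(systems: list[System], assets: dict[str, InfoAsset]) -> list[tuple[str, Need]]:
    """Order systems by their highest protection need so measures go to the critical ones first."""
    scored = [(s.name, max(system_protection_need(s, assets).values())) for s in systems]
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


def stale_grants(systems: list[System], active_users: set[str]) -> list[tuple[str, str, str]]:
    """Authorization check: grants held by accounts that are no longer on the active roster."""
    return [(s.name, user, role)
            for s in systems
            for user, role in s.grants.items()
            if user not in active_users]


if __name__ == "__main__":
    for name, need in prioritized(SYSTEMS, ASSETS):
        print(f"{name:<12} highest need: {need.name}")
    for system_name, user, role in stale_grants(SYSTEMS, ACTIVE_USERS):
        print(f"stale grant on {system_name}: {user} ({role})")
```

Run stand-alone, the script lists the file server first (it holds the recipe, whose confidentiality need is very high) and reports carol's leftover admin grant. The maximum principle is deliberately the simplest rule; BSI IT-Grundschutz also describes a cumulation effect (many assets of normal need on one system can raise that system's need) and a distribution effect, which this example leaves out.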
One point is regularly underestimated: Information security doesn't just affect the IT department. Without management as a driver, projects come to nothing. And without trained employees, any technical protection concept remains ineffective — because the human factor is still the most common gateway for security incidents.
Automated inventory solutions such as Docusnap create the necessary transparency here: they capture the entire IT landscape without agents and provide the database that is essential for structural analyses, authorization checks and emergency planning.

