Often, it is forgotten that the only true aim of information security inside an organisation is to ensure that the other core functions of the org are not unduly disrupted. This is because the ultimate aims of those core functions (*in a healthy system!*) are to progress the strategic objectives of the org. Information security and cyber security are ancillary functions (arguably of the GRC core function), and need to be understood as **means to this strategic end**.

> This is your golden rule when communicating with CISOs, CROs, and other C-people: everything should always be related to risk and impact, and framed inside the strategic objectives that infosec work sits as an ancillary function to.

Successfully categorising information security in this way ensures you can comfortably set information security objectives, and select controls that are proportionate to the organisational risk appetite. In this way, we tether strategic objectives to an information security function. This then justifies the creation of infosec objectives, which in turn produces a justification for controls and management systems for infosec.

## So make sure you've set clear InfoSec objectives

Information security objectives can almost always derive from the [CIA Triad](https://en.wikipedia.org/wiki/Information_security#Key_concepts) - the triad of ideal conditions we aim to ensure information sits in. These are **confidentiality**, **integrity**, and **availability**. When we set out these objectives we create the mechanism by which we justify new roles, responsibilities, and processes.

These IS objectives can be as simple as:

---

*The organisation appreciates that the maintenance of Confidentiality, Integrity, and Availability as pertaining to information and information systems is integral to the support of the strategic objectives of the organisation. We therefore create the following Information Security Objectives:*

1. To implement, maintain, and continually improve our information security to better protect the confidentiality of our information, including but not limited to sensitive information.
2. To implement, maintain, and continually improve our information security and design to ensure that the integrity of our information and information systems remains unquestionable.
3. To implement, maintain, and continually improve our information security and design to ensure that the data we rely on - and the people that rely on us - are able to access the data they need in a timely and reliable manner.

---

## ISO agrees with this

Still think this is too simple? ISO 27000 itself defines 'Information Security' using the CIA Triad:

> ISO/IEC 27000:2018, Clause 3: ***Information Security*** - Preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information

When we are directed to produce 'objectives' for information security, we really are only ever being directed to produce objectives relating to the preservation of the CIA Triad.

## Conclusion

With these three core aspects of the CIA Triad folded into the objectives of the organisation, you have produced the mechanism by which controls and responsibilities can be explained and justified.

The CIA Triad is taught as a core part of understanding information security, but should really be seen as the raw materials from which we 'build' (or, more realistically, how we justify the resources for) our information security systems inside an organisation.

**They are the handshake between the technical controls in the operational trenches, and the strategic objectives and risk-based discussions in the strategic heavens.**