What is the difference between Informationssicherheit and Datensicherheit / Datenschutz?
Informationssicherheit covers ALL information the organisation handles — paper notes, conversations, software state — while Datenschutz (data protection) is specifically about personal data and legal compliance.
* Nested scope: Datenschutz within Datensicherheit within Informationssicherheit. *
| Term | Scope | Driven by |
|---|---|---|
| Informationssicherheit | Any information stored, processed or transmitted by the organisation | ISO 27001, business risk |
| Datensicherheit | Technical protection of data (a subset; engineer's view) | IT controls |
| Datenschutz (Privacy / data protection) | Personal data of customers, employees, citizens | DSG (CH), GDPR/DSGVO (EU), HIPAA (US) |
Don't conflate them: in everyday speech "Datensicherheit" is often used for everything, but in a formal ISMS context they're distinct.
Why this matters in audits:
- A pen-tester finds a leaked customer email → Datenschutz incident (regulatory fines possible).
- A pen-tester finds the leaked board-meeting strategy doc → Informationssicherheit incident (no privacy law, but huge business damage).
Both need protection, but the legal and reporting paths differ.
Tip: Datenschutz ⊂ Informationssicherheit. The privacy officer (DSB) and the CISO often disagree because their KPIs overlap but their constraints don't.
Go deeper:
Information privacy / data protection — the Datenschutz layer: personal-data protection and its legal frameworks (GDPR, national laws).