Although the above-listed phrases may seem similar in meaning, they are not interchangeable. The difference lies in which assets are considered to be protected. The term information security is the broadest category: information is independent of its storage and processing medium, and the focus is on the content to be protected. IT security (computer security or cybersecurity) is the part of information security that concerns information stored and processed on IT systems. Paper-based information, photos and audio tapes are just a handful of examples of assets whose protection belongs to information security, but not to IT security.

Similarly, IT security is a somewhat broader term than data security. Data security focuses on the security (protection from destruction, modification or disclosure) of data. Data that is properly protected may, however, be fairly useless if it is not accessible to authorized users. Therefore, IT security covers data security, but also includes the protection of the confidentiality, availability and integrity of the computer systems that store and process the data. From a theoretical point of view, the difference lies in the fact that IT security considers IT systems as assets that require protection, while data security considers the characteristics and operation of IT systems as threats to the data assets. From a practical point of view, the controls to be applied are actually the same.

ISO 27001 is an information security standard, which means that it covers the broadest range of assets and the controls to protect them.