Information assurance is a relatively new business function, but its importance has grown exponentially as the use of computers, the Internet and laptops has become more widespread among businesses of all sizes. Although closely related to information security, the term information assurance is usually employed when the emphasis is on the corporate governance aspects of the field. For example, best practice would include setting up a programme of regular audits of an organisation's information security practices, together with regular review meetings to consider the audit findings and address any issues raised. This type of procedure is in line with quality methodologies within other business functions, such as the recommended auditing process within finance departments.

Although information assurance is a new field, it has grown very rapidly. There are several reasons for this, including the following:

• The ubiquity of computers and networks in businesses today, which have obvious security vulnerabilities.


• The growth in regulatory requirements placed on various industry sectors, such as banking, where compliance in information assurance must be demonstrated.


• The passing of relevant legislation on data protection, freedom of information, and misuse of computing resources.


• The huge advances in technology which have occurred in recent years, principally the spread of the Internet from an academics' plaything to an essential business resource.


• The growth in malicious hacking, and especially the recent proliferation of software which makes it easy even for non-expert users to engage in hacking at a basic level.


• The increasing awareness of cyber-threats among computer users and businesses.


• The growth of corporate governance as a business function, which also affects the standing of information assurance at board level.


• The growth of recognised standards (such as ISO 27001) which codify best practice, and the corresponding need for some businesses to demonstrate compliance with the standard.

Information assurance is sometimes seen purely as a cost, with no benefit. However, when correctly deployed, it can be of great benefit to any organisation. To begin with, a business that takes information security seriously is less likely to experience a security incident that would severely impact on profitability, or, in the worst case, would terminate the business. Less dramatically, an organisation that has set up a well-thought-out information assurance system will find it easier and cheaper to adapt its measures to changes in the security environment, rather than having to re-create its countermeasures from scratch: this can lead to a saving of time and money. Finally, information assurance enables senior management simply to manage the business more efficiently and with more confidence, as it provides them with accurate tools and information about the current state of the business at every point. In short, information assurance is well worth the investment of resources, and has the potential to replay that investment many times over.