In ITIL 4, the purpose of the information security management practice is to:
Protect the organization’s information by ensuring confidentiality, integrity, and availability of data, and also covering aspects such as authentication, non-repudiation, and reliability.
Authentication ensures that users or systems are who they claim to be.
Non-repudiation ensures that an action or transaction cannot later be denied by the party that performed it.
These are core topics within information security controls and are explicitly associated with the information security management practice.
Why the other options are incorrect:
Change enablement – Focuses on ensuring that changes are properly assessed, authorized, and managed to maximize value and reduce risk; it does not specifically manage authentication or non-repudiation.
Service configuration management – Ensures that accurate and reliable information about configuration items (CIs) and their relationships is available; it is not primarily about security controls like authentication and non-repudiation.
IT asset management – Manages IT assets to maximize value and control costs and risks; again, not about authentication or non-repudiation as a primary purpose.
Therefore, the practice whose purpose includes managing authentication and non-repudiation is information security management.
