Information Security Management
The CIA Triad of Security
Confidentiality, Integrity & Availability. Three key aspects of information security that you should be aware of.
While the term “CIA” isn’t used, the three aspects of security are explicitly addressed in ISO 27001, and they’re certainly part of the fabric of any serious information security management.
Here, I’ll take a look at each aspect, what they mean and why you should always think “CIA” when looking at security.
Introduction
If you spend more than five minutes in information security, you’ll hear people talk about “CIA”.
No, not the American spy agency. In security, CIA stands for:
- Confidentiality – only the right people can see the information
- Integrity – the information is accurate and trustworthy
- Availability – the information and systems are there when you need them
Together, these three ideas form the CIA triad: a simple but powerful way of thinking about what you’re trying to protect and how.
Almost every security control you put in place – policies, processes, tools, training – ultimately supports one or more of these three goals.
This article walks through each part of the triad in plain English, with examples and practical ways to apply it. At the end, we’ll touch on how the CIA triad underpins ISO 27001.
Confidentiality – keeping information out of the wrong hands
Confidentiality is about making sure information is only accessible to people (and systems) that are allowed to see it.
If confidentiality fails, you get:
- Leaked customer data
- Exposed intellectual property
- Private internal discussions suddenly very public
Common ways to support confidentiality
1. Access control
Make sure only the right people can access specific data or systems:
- User accounts tied to real individuals
- Role-based access (“Marketing can see X, Finance can see Y”)
- Strong authentication (MFA, single sign-on, biometrics)
- “Least privilege” – people only get the access they need to do their job
This should be backed by clear policies and joiner/mover/leaver processes.
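To make the idea of least privilege and joiner/mover/leaver handling concrete, here is a small added example (not code from the article): users hold roles rather than individual permissions, each role grants only what that job needs, a mover's old roles are replaced rather than accumulated, and a leaver loses every grant. The roles, resources and names are constructed for the illustration.

```python
"""Role-based access with least privilege and joiner/mover/leaver handling.

Added illustration, not code from the article. The policy table, user names
and resource names are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed policy: each role lists only the (resource, action) pairs that
# job actually needs. Nothing is granted directly to individuals.
ROLE_PERMISSIONS = {
    "marketing": {("campaign_db", "read"), ("campaign_db", "write")},
    "finance": {("ledger", "read"), ("ledger", "write"), ("campaign_db", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
}


@dataclass
class User:
    name: str                                  # account tied to a real individual
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def join(self, name: str, *roles: str) -> User:
        """Joiner: create the account with only the roles the job requires."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        user = User(name, set(roles))
        self.users[name] = user
        return user

    def move(self, name: str, *new_roles: str) -> User:
        """Mover: replace the role set, so a change of job leaves no stale access."""
        unknown = set(new_roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        user = self.users[name]
        user.roles = set(new_roles)
        return user

    def leave(self, name: str) -> None:
        """Leaver: disable the account and strip every role."""
        user = self.users[name]
        user.active = False
        user.roles.clear()

    def can_access(self, name: str, resource: str, action: str) -> bool:
        """Deny by default: unknown or disabled users get nothing."""
        user = self.users.get(name)
        if user is None or not user.active:
            return False
        return any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)


if __name__ == "__main__":
    ac = AccessControl()
    ac.join("alice", "marketing")
    print("alice writes campaign_db:", ac.can_access("alice", "campaign_db", "write"))
    print("alice reads ledger:", ac.can_access("alice", "ledger", "read"))
    ac.move("alice", "finance")
    print("after move, alice writes campaign_db:", ac.can_access("alice", "campaign_db", "write"))
    ac.leave("alice")
    print("after leaving, alice reads ledger:", ac.can_access("alice", "ledger", "read"))
```

The point of routing everything through roles is that an access review becomes a review of a short policy table rather than of every account, and offboarding is one call rather than a hunt for scattered grants.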
2. Encryption
Encryption scrambles data so that, even if someone gets hold of it, they can’t read it without the key.
You’ll typically think about encryption:
- In transit – data moving between systems (e.g. HTTPS, VPNs, TLS)
- At rest – data stored in databases, backups, laptops, phones
Done properly, encryption gives you a safety net: a breach of the storage system doesn’t automatically become a breach of the data itself.
3. Data masking and minimisation
- Mask or anonymise data in test and development environments
- Avoid copying full production datasets around “just in case”
- Only collect and keep what you actually need
The less sensitive data you store and expose, the less there is to lose.
4. Network security
- Firewalls, security groups and zero-trust network designs to limit who can reach what
- VPNs or secure tunnelling for remote access
- Intrusion detection / prevention to spot suspicious activity
The Equifax Breach
The 2017 Equifax breach is often cited for exposing personal data for approximately 147 million people. At its heart, it was a confidentiality failure: attackers gained access through an unpatched system, and once inside, the data they found wasn’t encrypted, segmented, or otherwise protected. In other words, one foothold gave them far too much freedom.
The real lesson isn’t “nothing is safe”, but rather:
“If someone does get in, how hard is it for them to read anything useful?”
This is exactly what confidentiality controls aim to influence. Strong access restrictions, sensible segmentation, and basic protective measures such as encryption or tokenisation ensure that a single slip-up doesn’t turn into a catastrophic loss. The breach is often used as a cautionary tale because it shows how one missing control can undermine an entire organisation’s security posture—and why layered confidentiality measures matter just as much as keeping attackers out in the first place.
Integrity – trusting what you see
Integrity is about keeping data accurate, complete and trustworthy.
If someone can alter data without permission, or records get corrupted without you noticing, you have an integrity problem. That can lead to:
- Wrong decisions made on bad data
- Financial errors and fraud
- Broken audit trails and compliance issues
Common ways to support integrity
1. Change control and approvals
- Formal processes for changing key systems and data structures
- Peer review or approval for high-impact changes
- Clear records of who did what, and when
If critical data can be changed with no oversight, integrity is already at risk.
2. Checksums and hashes
- Generate a hash (a kind of digital fingerprint) for files or data sets
- If the content changes, so does the hash
- Used for verifying downloads, backups and transferred data
It’s a simple way of asking, “Is this exactly what we expected, or has it been tampered with?”
3. Digital signatures
- Prove who created or approved a document or message
- Prove that it hasn’t been altered since it was signed
Widely used in software distribution, contracts, financial transactions and other high-trust areas.
4. Audit logs
- Record access, changes and important actions in systems
- Keep logs protected from tampering
- Review them periodically, and use them when something looks off
Auditors (and incident responders) care a lot about logs – they’re often the only way to reconstruct what actually happened.
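The two integrity controls above, checksums (section 2) and tamper-resistant audit logs (section 4), share one mechanism, so here is a single added example for both. It is not code from the article: a SHA-256 checksum check of the kind used to confirm a download matches its published fingerprint, and an append-only audit log where each entry commits to the hash of the one before it, so editing or deleting any entry breaks the chain from that point on. The sample download, the published fingerprint and the log events are constructed for the illustration.

```python
"""Checksums and a hash-chained, tamper-evident audit log.

Added illustration, not code from the article. Sample data is constructed.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Digital fingerprint of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, published_hex: str) -> bool:
    """True only if the content is exactly what the publisher fingerprinted."""
    # compare_digest keeps the comparison time independent of where a mismatch is.
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


class AuditLog:
    """Append-only record of who did what, and when; every entry chains to the last."""

    GENESIS = "0" * 64  # "previous hash" for the very first entry

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so identical fields always hash identically.
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def append(self, timestamp: str, actor: str, action: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "ts": timestamp, "actor": actor,
                "action": action, "target": target, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> int:
        """Return -1 if the whole chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body["seq"] != i or body["prev"] != prev
                    or not hmac.compare_digest(self._digest(body), entry["hash"])):
                return i
            prev = entry["hash"]
        return -1


# Constructed sample: a tiny "download" and the fingerprint its publisher lists.
SAMPLE_DOWNLOAD = b"hello"
PUBLISHED_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def demo_audit_log() -> AuditLog:
    """Build a small log from constructed events."""
    log = AuditLog()
    log.append("2024-03-01T09:00:00Z", "alice", "login", "finance-portal")
    log.append("2024-03-01T09:05:12Z", "alice", "update", "ledger:INV-0042")
    log.append("2024-03-01T09:07:40Z", "bob", "export", "ledger")
    return log


if __name__ == "__main__":
    print("download matches published hash:", verify_checksum(SAMPLE_DOWNLOAD, PUBLISHED_SHA256))
    log = demo_audit_log()
    print("chain intact:", log.verify() == -1)
    log.entries[1]["actor"] = "mallory"   # simulated after-the-fact edit
    print("first bad entry after tampering:", log.verify())
```

A chained log on its own only tells you that something changed; to make the record genuinely hard to rewrite, the latest hash should also be copied somewhere the person who can edit the log cannot reach, such as a separate log server or a write-once store.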
5. Validation and error checking
- Input validation on forms and interfaces
- Reasonable bounds and sanity checks (e.g. you can’t have a negative quantity of items in stock)
- Reconciliation between systems (e.g. finance vs sales figures)
These help catch mistakes and inconsistencies before they spread.
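As an added example of the validation and reconciliation controls just listed (not code from the article), the block below checks a stock update against type and bounds rules before it is accepted, and compares two systems' monthly figures to surface any disagreement. The field names, limits and figures are constructed for the illustration; a real system would take its limits from the business.

```python
"""Input validation with bounds checks, plus cross-system reconciliation.

Added illustration, not code from the article. Field names, limits and
sample figures are constructed.
"""

MAX_PLAUSIBLE_QUANTITY = 1_000_000   # constructed sanity bound for one SKU


def validate_stock_update(raw: dict) -> list:
    """Return a list of problems with a stock update; an empty list means it is acceptable."""
    problems = []
    sku = raw.get("sku")
    if not isinstance(sku, str) or not sku.isalnum() or not 3 <= len(sku) <= 16:
        problems.append("sku must be 3-16 alphanumeric characters")
    qty = raw.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int):
        problems.append("quantity must be an integer")
    elif qty < 0:
        problems.append("quantity cannot be negative")
    elif qty > MAX_PLAUSIBLE_QUANTITY:
        problems.append(f"quantity exceeds plausible maximum of {MAX_PLAUSIBLE_QUANTITY}")
    return problems


def reconcile(finance: dict, sales: dict, tolerance: int = 0) -> list:
    """Compare two systems' figures (integer pence/cents, keyed by period).

    Returns (period, finance_value, sales_value) for every period where the two
    disagree by more than `tolerance` or where one system has no figure at all.
    """
    mismatches = []
    for period in sorted(finance.keys() | sales.keys()):
        f, s = finance.get(period), sales.get(period)
        if f is None or s is None or abs(f - s) > tolerance:
            mismatches.append((period, f, s))
    return mismatches


# Constructed sample figures from two systems that should agree.
FINANCE_FIGURES = {"2024-01": 1_000_000, "2024-02": 1_200_000}
SALES_FIGURES = {"2024-01": 1_000_000, "2024-02": 1_195_000, "2024-03": 50_000}


if __name__ == "__main__":
    print(validate_stock_update({"sku": "ABC123", "quantity": 5}))
    print(validate_stock_update({"sku": "AB", "quantity": -1}))
    for period, f, s in reconcile(FINANCE_FIGURES, SALES_FIGURES):
        print(f"{period}: finance={f} sales={s}")
```

Returning a list of problems rather than raising on the first one lets a form or an import job report everything that is wrong at once, and using integer minor units for money avoids the floating-point rounding that makes two systems "disagree" by a fraction of a penny.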
The Sony Hack
The Sony Pictures hack in 2014 is often remembered for leaked emails and unreleased films, which were clear breaches of confidentiality. But an equally important part of the story was the integrity damage. Attackers wiped systems, altered data, and disrupted core business operations, leaving teams unsure whether what they were looking at could be trusted. When you can’t rely on your own systems or information, decision-making becomes slow, confused, and risky.
Integrity failures don’t always grab the headlines in the same way data leaks do, but they can quietly undermine an organisation from within. Corrupted files, tampered audit logs, or subtle changes to configuration data may go unnoticed until they cause real harm. This is why integrity controls—such as checksums, versioning, change management, and monitoring—are essential foundations for a stable, trustworthy environment.
Availability – being there when it matters
Availability is about making sure information and systems are accessible to authorised people when they need them.
If availability fails, the data might still exist and be accurate, but nobody can get to it. That leads to:
- Outages and downtime
- Missed deadlines and broken SLAs
- Teams unable to work, even though “the data is safe”
Common ways to support availability
1. Redundancy and failover
- Multiple servers, power supplies, network links
- High-availability clusters and load balancers
- Secondary data centres or cloud regions
If one component fails, another takes over.
2. Backups and restore testing
- Regular backups of critical data and systems
- Offsite or off-platform copies (not just in the same environment)
- Periodic restore tests to prove you can get data back in a usable way
A backup you’ve never tried restoring from is just a comforting theory.
3. Maintenance and patching
- Regular updates to fix bugs and vulnerabilities
- Hardware refresh and monitoring
- Capacity planning to avoid performance collapse at busy times
Neglected systems have a habit of failing at the worst possible moment.
4. Disaster recovery and business continuity
- Clear plans for what to do in serious incidents (fire, flood, ransomware, major provider outage)
- Defined recovery time objectives (RTO) and recovery point objectives (RPO)
- Knowing which services to bring back first, and in what order
This is the difference between a painful day and a multi-week crisis.
The Dyn DDoS Attack
The Dyn DDoS attack in 2016 disrupted major websites such as Twitter, Netflix, and Reddit by overwhelming a key DNS provider with traffic. Crucially, the websites themselves hadn’t all “broken” in a technical sense – their servers and applications were still functioning – but users couldn’t reach them. One critical piece of internet plumbing failed, and availability collapsed across a large portion of the web.
The lesson is clear: availability isn’t just about the resilience of your own kit. It’s also about the essential third-party services you depend on, sometimes invisibly. DNS, hosting providers, cloud platforms, payment gateways – when they go down, you go down with them. That’s why availability planning must include supplier continuity, redundancy, and a realistic understanding of where your single points of failure actually sit.
How the three fit together
Confidentiality, integrity and availability don’t live in separate boxes. Changes aimed at improving one can affect the others.
Some typical tensions:
- Strong encryption (confidentiality) can introduce latency or complexity (availability).
- Very strict access controls (confidentiality) can slow down urgent decision-making if nobody can get to the data (availability).
- Intensive validation and checking (integrity) can impact performance (availability).
You can also over-focus on one and neglect the others. Many organisations put almost all their energy into confidentiality (“no leaks”) and end up:
- Trusting data that may be wrong (integrity issues), or
- Having systems that are theoretically secure but chronically unreliable (availability issues)
In reality, you have to decide – for each system and dataset – what the right balance is. A hospital, for example, will put huge emphasis on availability (patients’ lives) and integrity (correct records), while still caring about confidentiality. A bank may tighten integrity and confidentiality even further for financial transactions, sometimes at the cost of a little convenience.
Risk assessment is how you make those trade-offs explicit and defendable.
How the CIA triad fits with ISO 27001
ISO 27001 doesn’t use the phrase “CIA triad” on every page, but the whole standard is built around it.
When you:
- Define your scope and information assets
- Assess risks to those assets
- Choose controls from Annex A
…you’re effectively asking:
- Confidentiality – Who could see this who shouldn’t? How bad would that be?
- Integrity – How could this be changed or corrupted? What would that break?
- Availability – What happens if this isn’t there when we need it?
The controls in Annex A map very naturally to the triad:
- Access control, encryption, physical security, supplier management → Confidentiality
- Change management, logging, secure development, backups, anti-malware → Integrity
- Capacity management, redundancy, backup and restore, DR/BCP → Availability
If you’re working towards ISO 27001, the CIA triad makes a handy mental checklist:
- When you describe a risk, say which part(s) of CIA are at stake
- When you choose or review a control, ask which CIA element it supports
- When you design policies and procedures, check you’re not over-optimising one element and accidentally undermining the others
It helps keep things grounded in why you’re doing security, not just “because the standard says so”.
Conclusion
The CIA triad – Confidentiality, Integrity, Availability – is simple on paper, but it underpins pretty much everything in information security.
- Confidentiality asks: “Who can see this?”
- Integrity asks: “Can we trust this?”
- Availability asks: “Will this be there when we need it?”
If you keep those three questions in mind whenever you’re designing systems, writing policies, or assessing risks, you’ll make better decisions – and you’ll find ISO 27001 (and other frameworks) much easier to navigate.
The triad isn’t just theory. It’s a practical way of thinking about what really matters in your organisation, and a useful lens to use whenever someone proposes a new control, tool or process:
“Which part of CIA does this help, and what might it cost us in the others?”
Get that balance roughly right, and you’re a long way towards meaningful, not just cosmetic, security.