What is CIA in ISMS


C.I.A. is a core concept in Information Security. But what does the C.I.A. acronym actually stand for?

Straight to the point: it refers to the three properties of Confidentiality, Integrity and Availability. If all you are after are those names, then the job of this article is done and you can head home now. But if you would like to learn more, keep reading and let's take a slightly deeper dive into each of the three.

C.I.A. is used widely throughout Information Security, so even if you aren't working on an ISMS it is still critical that you fully understand this concept.

CIA Triad

Together, the three elements of Confidentiality, Integrity and Availability form what is known as the CIA Triad. A bit like the Power Rangers TV show of the 1990s, they combine to make a greater force. The saying attributed to Aristotle, "the whole is greater than the sum of its parts", also comes to mind here.

By referring to the CIA Triad as part of your ISMS risk assessment, you are forced to take a holistic view of the security requirements for an asset, rather than focusing narrowly on just one or two of the three properties.

Depending on which asset you are assessing, you may determine that one, two or all three properties of the CIA Triad need to be protected. In some cases you might conclude that none of them needs protecting at all.

No one part of the CIA Triad is "more important" than another. All three must be considered for every asset, even if the conclusion is that a property does not apply.


Let's kick things off with the "C". Confidentiality.

ISO 27000 defines Confidentiality as the "property that information is not made available or disclosed to unauthorized individuals, entities, or processes".

If there would be a negative consequence were your information seen by anyone and everyone in the whole world, then you have a need to ensure Confidentiality.

Confidentiality examples


Next we will look at the "I". Integrity.

ISO 27000 defines Integrity as the "property of accuracy and completeness".

If there would be a negative consequence were your information modified in an unintended way, then you need to ensure Integrity.

Integrity examples


Finally, you guessed it (I hope), we will tackle the "A". Availability.

ISO 27000 defines Availability as the "property of being accessible and usable on demand by an authorized entity".

Put extremely simply: does the asset need to work when an authorized entity needs it?

Availability examples


If you have made it this far in the article, you are probably realizing that the C.I.A. concept is pretty straightforward, but there are a few little traps to watch out for too.

When you are paying money for something, or your organization places any other form of value on an asset, it is almost certain that at least one part of the CIA Triad will come into play.

Now that you have this understanding, every time you need to assess an asset, carefully consider which of these three pillars you need to uphold. It may be one, it may be all three. Going into an ISMS risk assessment with knowledge of the CIA Triad up your sleeve positions you to better understand the actual risks and consequences that each asset presents. This ultimately guides you towards an ISMS that makes more informed risk decisions.
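To make the assessment step concrete, here is a small added example (not code from the article or any ISMS product) that walks an asset register through the CIA Triad the way the text describes: every asset is rated for all three properties, an asset is only accepted once all three have been explicitly considered, and the result says which properties need protecting and how severe the worst-case impact is. The asset names, the impact scale (NONE/LOW/MEDIUM/HIGH) and the register records are constructed for illustration and are not from the page.

```python
"""CIA Triad assessment helper (added example; asset names and ratings are constructed)."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Constructed impact scale used to rate each CIA property for an asset."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The three pillars of the triad; every asset must be rated for all of them.
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Assessment:
    asset: str
    ratings: dict  # property name -> Impact

    @property
    def required(self) -> tuple:
        """Properties that actually need protecting (rated above NONE)."""
        return tuple(p for p in PROPERTIES if self.ratings[p] > Impact.NONE)

    @property
    def overall(self) -> Impact:
        """Worst-case impact across the triad, used to prioritise the asset."""
        return max(self.ratings.values())


def parse_rating(asset: str, prop: str, value) -> Impact:
    """Map a free-text rating (e.g. from a spreadsheet) onto the Impact scale."""
    try:
        return Impact[str(value).strip().upper()]
    except KeyError:
        raise ValueError(f"{asset}: unknown {prop} rating {value!r}") from None


def assess_asset(record: dict) -> Assessment:
    """Assess one register record; reject it if any pillar was not considered."""
    asset = record.get("asset", "<unnamed asset>")
    missing = [p for p in PROPERTIES if record.get(p) is None]
    if missing:
        # The triad is only useful when all three properties were weighed.
        raise ValueError(f"{asset}: not rated for {', '.join(missing)}")
    ratings = {p: parse_rating(asset, p, record[p]) for p in PROPERTIES}
    return Assessment(asset, ratings)


def assess_register(records):
    """Assess a whole register; return (accepted assessments, rejection reasons)."""
    results, errors = [], []
    for record in records:
        try:
            results.append(assess_asset(record))
        except ValueError as exc:
            errors.append(str(exc))
    return results, errors


# Constructed sample register: one asset needing all three pillars, one needing
# two, one needing none, and one that was never rated for availability.
SAMPLE_REGISTER = [
    {"asset": "customer database", "confidentiality": "high",
     "integrity": "high", "availability": "medium"},
    {"asset": "public website", "confidentiality": "none",
     "integrity": "medium", "availability": "high"},
    {"asset": "cafeteria menu", "confidentiality": "none",
     "integrity": "none", "availability": "none"},
    {"asset": "legacy report", "confidentiality": "low",
     "integrity": "low"},  # availability missing: must be sent back
]


if __name__ == "__main__":
    accepted, rejected = assess_register(SAMPLE_REGISTER)
    for a in accepted:
        print(f"{a.asset}: protect {a.required or 'nothing'}; overall {a.overall.name}")
    for reason in rejected:
        print("REJECTED:", reason)
```

Feeding the register through `assess_register` gives three accepted assessments (the cafeteria menu is accepted with nothing to protect, which is the "none of them" outcome the article allows) and one rejection for the report that skipped the Availability question.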

Are you confused by some of the terminology used in this article? If so, check out the ISMS list with definitions.