What do a leaked customer database, a tampered financial record, and a system that goes dark at the worst possible moment have in common?

Each one represents a failure to protect one of the three core properties that information security is built around. The CIA Triad of confidentiality, integrity, and availability is the foundational model that helps organisations understand and address all three. Information security can be understood as the preservation of these three properties, placing the triad at the centre of how an effective Information Security Management System is understood and applied.


Confidentiality

In 2023, attackers exploited weak authentication practices at 23andMe to access user accounts and expose the genetic and personal data of millions of people. It was a stark illustration of what happens when information ends up in the wrong hands. Confidentiality, the principle that information should not be made available or disclosed to unauthorized individuals, entities, or processes, exists precisely to prevent this. In practical terms, this means ensuring that only the right people can access sensitive information such as customer records, contracts, passwords, intellectual property, or internal business plans. Controls such as access management, information classification, encryption, and secure transfer procedures all play a role, and weaknesses in any one of them can be enough to cause serious harm.

Integrity

Keeping information accurate and complete is what integrity is all about. When data is altered without authorization, corrupted through error, or changed in a way that makes it unreliable, integrity has been compromised, and the consequences can be far reaching. The SolarWinds attack in 2020 illustrated this at a frightening scale. Attackers quietly tampered with legitimate software updates, inserting malicious code that was then distributed to thousands of organisations worldwide, many of which had no reason to question an update from a trusted vendor. And that is precisely the point. Organisations make decisions, perform operations, and meet legal or contractual obligations on the assumption that their information is correct. Integrity is therefore not only about preventing malicious tampering, but also about avoiding accidental mistakes, inconsistent records, and uncontrolled changes.

Availability

On 19 July 2024, a single faulty software update pushed by cybersecurity firm CrowdStrike brought millions of Windows systems crashing to a halt across the globe. Airlines grounded flights, hospitals scrambled to maintain operations, and banks went offline, all within a matter of hours. No malicious intent, no stolen data, just systems that could not be used when they were needed most. This is what an availability failure looks like in practice. Information and systems need to be accessible and usable when authorized users need them, and even the most confidential and accurate information is of little value if nobody can get to it. Availability can be threatened by cyberattacks, hardware failures, poor capacity planning, power loss, disasters, or inadequate backup and recovery arrangements, and as the CrowdStrike incident showed, even a routine update delivered by a trusted vendor can become the source of a massive and costly outage.

Conclusion

An effective Information Security Management System brings confidentiality, integrity, and availability together under a single, structured framework. Rather than relying on ad hoc measures or reacting to incidents after the fact, an ISMS provides a way to identify risks, select appropriate controls, and monitor and improve them over time. ISO/IEC 27001 and 27002 describe this as preserving the CIA properties through a combination of policies, processes, procedures, organisational structures, and technical measures. An ISMS does not protect these properties by accident. It does so deliberately, consistently, and with a clear audit trail to prove it.

The three examples in this post, a genetics company exposing the most personal data imaginable, a trusted software vendor unknowingly distributing malicious code to thousands of organisations, and a single update taking down critical infrastructure across the globe, are not edge cases. They are reminders that confidentiality, integrity, and availability are not abstract concepts. They are real, they can fail, and when they do the consequences affect real people and real organisations. Understanding the CIA Triad is not just useful for those working in information security. It is relevant to anyone who relies on information to do their job, make decisions, or serve their customers, which, in today's world, is just about everyone.