The CIA Triad: The Foundation of Information Security
If you work in tech, data, or anything that involves handling information, you have almost certainly encountered the CIA triad, whether you knew what it was called or not. It is one of the most foundational frameworks in information security, and understanding it is not optional if you are serious about protecting your organisation’s data.
CIA stands for Confidentiality, Integrity, and Availability. Three principles. Each one distinct. Together they form the basis of how we think about securing information.
Confidentiality
Confidentiality is about ensuring that information is only accessible to those who are authorised to see it. This is not just about keeping secrets. It is about access control, data classification, and understanding who should be able to see what, and why.
In practice this means asking: who has access to this data? Should they? Is sensitive information segregated from general access? Are permissions regularly reviewed, or do people accumulate access over time because nobody ever revoked it?
Breaches of confidentiality do not always look like a dramatic hack. Sometimes they look like an employee emailing a spreadsheet to the wrong person. Sometimes they look like a shared drive that grew without governance and now nobody is entirely sure who can see what.
Integrity
Integrity is about ensuring that data is accurate, complete, and has not been altered in an unauthorised way. The data you are working with should be what it says it is.
This matters more than people realise. If your data has been tampered with, corrupted, or degraded in transit and you do not know, every decision you make based on that data is compromised. Integrity failures are particularly dangerous precisely because they are not always obvious. You can continue operating on bad data for a long time before anyone notices.
Controls for integrity include things like checksums, audit logs, version control, and change management processes. The goal is to be able to answer: is this data exactly what it should be, and can I prove it?
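As an added illustration of the "can I prove it?" question (example code, not part of the original article), the block below contrasts a plain SHA-256 checksum with a keyed HMAC over a constructed CSV export: the checksum detects accidental corruption, but anyone who can rewrite the data can recompute it, whereas the HMAC needs a key the data store never holds. The sample rows and the key are constructed for the demonstration.

```python
"""Integrity check for a data export: unkeyed checksum versus keyed HMAC.

A SHA-256 digest catches accidental corruption or degradation in transit.
It does not prove the data is untampered, because whoever can alter the data
can also recompute and store a matching digest. An HMAC under a key kept
apart from the data (for example in a secrets manager) does give that proof.
"""
import hashlib
import hmac

# Constructed sample: a small export, stored alongside its integrity values.
ORIGINAL = b"employee_id,salary\n1001,52000\n1002,61000\n"
TAMPERED = b"employee_id,salary\n1001,52000\n1002,91000\n"

# Constructed key for the demo; a real key never lives next to the data.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 hex digest: detects accidental change only."""
    return hashlib.sha256(data).hexdigest()


def seal(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: detects change by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    """True if the stored checksum matches; says nothing about who wrote it."""
    return hmac.compare_digest(checksum(data), expected)


def verify_seal(data: bytes, key: bytes, expected: str) -> bool:
    """True only if the data is unchanged since it was sealed with this key."""
    # compare_digest is constant-time, so the comparison itself leaks nothing.
    return hmac.compare_digest(seal(data, key), expected)


def integrity_report(data: bytes, stored_sum: str, stored_tag: str, key: bytes) -> dict:
    """Answer both halves of the question: is it what it should be, and can I prove it?"""
    return {
        "checksum_ok": verify_checksum(data, stored_sum),
        "seal_ok": verify_seal(data, key, stored_tag),
    }


if __name__ == "__main__":
    # The export is altered and its stored checksum rewritten to match;
    # the checksum now passes, the seal still fails.
    print(integrity_report(TAMPERED, checksum(TAMPERED),
                           seal(ORIGINAL, INTEGRITY_KEY), INTEGRITY_KEY))
```

Running the block prints a report in which checksum_ok is True and seal_ok is False, which is exactly the gap a checksum-only control leaves open.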
Availability
Availability is about ensuring that information and systems are accessible to authorised users when they need them. Having data is not the same as being able to use it.
This principle covers everything from disaster recovery and business continuity planning to basic questions like: do the right people know where the data is? Can they access it when they need to? Is it in a usable format? Availability failures are not always caused by attacks or outages. Sometimes they are caused by poor data management, siloed systems, or simply nobody having documented where anything lives.
Why All Three Matter Together
The triad works as a system. Prioritising one at the expense of the others creates vulnerability.
A system that is highly confidential but never available is useless. Data that is available and confidential but has no integrity controls cannot be trusted. All three must be considered together, and the balance between them will vary depending on the nature of the information and the organisation’s risk appetite.
This is why the CIA triad is not just a theoretical model. It is a practical lens for evaluating your information security posture. When something goes wrong with data, it almost always maps to a failure in one, two, or all three of these areas.
Understanding this framework is the starting point. What you do with it depends on the maturity of your organisation, your risk environment, and how honest you are willing to be about the gaps.