Security objectives
The security objectives of information security are confidentiality, integrity and availability (the so-called CIA triad); they define the properties of information and IT systems that must be protected, and thus the threats that protection is aimed at.
The security objectives of information security form the conceptual foundation of every information security management system (ISMS). At their core are the three classic objectives of confidentiality, integrity and availability, known by their initials as the CIA triad. Confidentiality means that information is accessible only to authorised people, systems or processes. Integrity ensures that data and systems remain complete, accurate and unaltered and that any manipulation is detectable. Availability ensures that information and IT services are usable whenever authorised users need them.
In practice, further complementary objectives are derived from these core goals depending on the protection requirement, including authenticity (the genuineness and verifiability of an identity or source), non-repudiation (an action that has been performed can be demonstrably attributed to its originator), accountability and resilience. The protection requirement is usually classified for each objective separately during a protection requirement analysis, using categories such as normal, high and very high. This classification then drives the selection and intensity of the technical and organisational measures, for example encryption for confidentiality, checksums and signatures for integrity, or redundancy and backups for availability.
The security objectives are not merely a theoretical model but a point of reference for numerous standards and legal requirements. ISO/IEC 27001 explicitly anchors them as the definition of information security, and the BSI IT-Grundschutz builds its entire methodology upon them. Regulatory requirements such as the NIS2 Directive and DORA likewise require organisations to assess risks with respect to these objectives and to take appropriate measures. A clear definition and prioritisation of the security objectives is therefore a prerequisite for a robust risk assessment, a traceable selection of measures and, ultimately, for demonstrating compliance to supervisory authorities and auditors.
Legal Basis
ISO/IEC 27001, BSI IT-Grundschutz (BSI Standard 200-2), Art. 21 NIS2 Directive (EU) 2022/2555
Practical Example
The information security officer of a mid-sized mechanical engineering company conducts a protection requirement analysis for the design system. She rates the confidentiality of the design plans it contains as very high, because a leak to competitors could threaten the company's existence; the integrity as high, because faulty plans lead to production scrap; and the availability as normal, because short outages are tolerable. On this basis she prioritises the measures: strong access control and encryption for confidentiality, audit-proof versioning for integrity, and a simple backup concept for availability. In this way the security objectives feed directly into concrete and budget-appropriate measure planning.