ISO 27001:2022 Information Security Properties

Information Security Properties

In the context of ISO 27001, “Information Security Properties” is an attribute that helps your organization categorize and manage controls based on the fundamental characteristics they protect: confidentiality, integrity, and availability. These three components, often referred to as the CIA Triad, serve as the foundation for your information security program.


Confidentiality Controls

Control 5.01 Policies for information security
Control 5.02 Information security roles and responsibilities
Control 5.03 Segregation of duties
Control 5.04 Management responsibilities
Control 5.05 Contact with authorities
Control 5.06 Contact with special interest groups
Control 5.07 Threat intelligence
Control 5.08 Information security in project management
Control 5.09 Inventory of information and other associated assets
Control 5.10 Acceptable use of information and associated assets
Control 5.11 Return of assets
Control 5.12 Classification of information
Control 5.13 Labelling of information
Control 5.14 Information transfer
Control 5.15 Access control
Control 5.16 Identity management
Control 5.17 Authentication information
Control 5.18 Access rights
Control 5.19 Information security in supplier relationships
Control 5.20 Addressing information security within supplier agreements
Control 5.21 Managing information security in the ICT supply chain
Control 5.22 Monitoring, review and change management of supplier services
Control 5.23 Information security for use of cloud services
Control 5.24 Information security incident management responsibilities and preparation
Control 5.25 Assessment and decision on information security events
Control 5.26 Response to information security incidents
Control 5.27 Learning from information security incidents
Control 5.28 Collection of evidence
Control 5.29 Information security during disruption
Control 5.31 Identification of legal, statutory, regulatory and contractual requirements
Control 5.32 Intellectual property rights
Control 5.33 Protection of records
Control 5.34 Privacy and protection of PII
Control 5.35 Independent review of information security
Control 5.36 Compliance with policies and standards for information security
Control 5.37 Documented operating procedures
Control 6.1 Screening
Control 6.2 Terms and conditions of employment
Control 6.3 Information security awareness, education and training
Control 6.4 Disciplinary process
Control 6.5 Responsibilities after termination or change of employment
Control 6.6 Confidentiality or non-disclosure agreements
Control 6.7 Remote working
Control 6.8 Information security event reporting
Control 7.01 Physical security perimeter
Control 7.02 Physical entry
Control 7.03 Security offices, rooms and facilities
Control 7.04 Physical security monitoring
Control 7.05 Protecting against physical and environmental threats
Control 7.06 Working in secure areas
Control 7.07 Clear desk and clear screen
Control 7.08 Equipment siting and protection
Control 7.09 Security of assets off-premises
Control 7.10 Storage media
Control 7.12 Cabling security
Control 7.13 Equipment maintenance
Control 7.14 Secure disposal or re-use of equipment
Control 8.01 User endpoint devices
Control 8.02 Privileged access rights
Control 8.03 Information access restriction
Control 8.04 Access to source code
Control 8.05 Secure authentication
Control 8.07 Protection against malware
Control 8.08 Management of technical vulnerabilities
Control 8.09 Configuration management
Control 8.10 Information deletion
Control 8.11 Data masking
Control 8.12 Data leakage prevention
Control 8.15 Logging
Control 8.16 Monitoring activities
Control 8.18 Use of privileged utility programs
Control 8.19 Installation of software on operational systems
Control 8.20 Network security
Control 8.21 Security of network services
Control 8.22 Segregation of networks
Control 8.23 Web filtering
Control 8.24 Use of cryptography
Control 8.25 Secure development lifecycle
Control 8.26 Application security requirements
Control 8.27 Secure system architecture and engineering principles
Control 8.28 Secure coding
Control 8.29 Security testing in development and acceptance
Control 8.30 Outsourced development
Control 8.31 Separation of development, test and production environments
Control 8.32 Change management
Control 8.33 Test information
Control 8.34 Protection of information systems during audit and testing

Integrity Controls

Control 5.01 Policies for information security
Control 5.02 Information security roles and responsibilities
Control 5.03 Segregation of duties
Control 5.04 Management responsibilities
Control 5.05 Contact with authorities
Control 5.06 Contact with special interest groups
Control 5.07 Threat intelligence
Control 5.08 Information security in project management
Control 5.09 Inventory of information and other associated assets
Control 5.10 Acceptable use of information and associated assets
Control 5.11 Return of assets
Control 5.12 Classification of information
Control 5.13 Labelling of information
Control 5.14 Information transfer
Control 5.15 Access control
Control 5.16 Identity management
Control 5.17 Authentication information
Control 5.18 Access rights
Control 5.19 Information security in supplier relationships
Control 5.20 Addressing information security within supplier agreements
Control 5.21 Managing information security in the ICT supply chain
Control 5.22 Monitoring, review and change management of supplier services
Control 5.23 Information security for use of cloud services
Control 5.24 Information security incident management responsibilities and preparation
Control 5.25 Assessment and decision on information security events
Control 5.26 Response to information security incidents
Control 5.27 Learning from information security incidents
Control 5.28 Collection of evidence
Control 5.29 Information security during disruption
Control 5.31 Identification of legal, statutory, regulatory and contractual requirements
Control 5.32 Intellectual property rights
Control 5.33 Protection of records
Control 5.34 Privacy and protection of PII
Control 5.35 Independent review of information security
Control 5.36 Compliance with policies and standards for information security
Control 5.37 Documented operating procedures
Control 6.1 Screening
Control 6.2 Terms and conditions of employment
Control 6.3 Information security awareness, education and training
Control 6.4 Disciplinary process
Control 6.5 Responsibilities after termination or change of employment
Control 6.7 Remote working
Control 6.8 Information security event reporting
Control 7.01 Physical security perimeter
Control 7.02 Physical entry
Control 7.03 Security offices, rooms and facilities
Control 7.04 Physical security monitoring
Control 7.05 Protecting against physical and environmental threats
Control 7.06 Working in secure areas
Control 7.08 Equipment siting and protection
Control 7.09 Security of assets off-premises
Control 7.10 Storage media
Control 7.11 Supporting utilities
Control 7.12 Cabling security
Control 7.13 Equipment maintenance
Control 8.01 User endpoint devices
Control 8.02 Privileged access rights
Control 8.03 Information access restriction
Control 8.04 Access to source code
Control 8.05 Secure authentication
Control 8.06 Capacity management
Control 8.07 Protection against malware
Control 8.08 Management of technical vulnerabilities
Control 8.09 Configuration management
Control 8.13 Information backup
Control 8.15 Logging
Control 8.16 Monitoring activities
Control 8.17 Clock synchronization
Control 8.18 Use of privileged utility programs
Control 8.19 Installation of software on operational systems
Control 8.20 Network security
Control 8.21 Security of network services
Control 8.22 Segregation of networks
Control 8.23 Web filtering
Control 8.24 Use of cryptography
Control 8.25 Secure development lifecycle
Control 8.26 Application security requirements
Control 8.27 Secure system architecture and engineering principles
Control 8.28 Secure coding
Control 8.29 Security testing in development and acceptance
Control 8.30 Outsourced development
Control 8.31 Separation of development, test and production environments
Control 8.32 Change management
Control 8.33 Test information
Control 8.34 Protection of information systems during audit and testing

Availability Controls

Control 5.01 Policies for information security
Control 5.02 Information security roles and responsibilities
Control 5.03 Segregation of duties
Control 5.04 Management responsibilities
Control 5.05 Contact with authorities
Control 5.06 Contact with special interest groups
Control 5.07 Threat intelligence
Control 5.08 Information security in project management
Control 5.09 Inventory of information and other associated assets
Control 5.10 Acceptable use of information and associated assets
Control 5.11 Return of assets
Control 5.12 Classification of information
Control 5.13 Labelling of information
Control 5.14 Information transfer
Control 5.15 Access control
Control 5.16 Identity management
Control 5.17 Authentication information
Control 5.18 Access rights
Control 5.19 Information security in supplier relationships
Control 5.20 Addressing information security within supplier agreements
Control 5.21 Managing information security in the ICT supply chain
Control 5.22 Monitoring, review and change management of supplier services
Control 5.23 Information security for use of cloud services
Control 5.24 Information security incident management responsibilities and preparation
Control 5.25 Assessment and decision on information security events
Control 5.26 Response to information security incidents
Control 5.27 Learning from information security incidents
Control 5.28 Collection of evidence
Control 5.29 Information security during disruption
Control 5.30 ICT readiness for business continuity
Control 5.31 Identification of legal, statutory, regulatory and contractual requirements
Control 5.32 Intellectual property rights
Control 5.33 Protection of records
Control 5.34 Privacy and protection of PII
Control 5.35 Independent review of information security
Control 5.36 Compliance with policies and standards for information security
Control 5.37 Documented operating procedures
Control 6.1 Screening
Control 6.2 Terms and conditions of employment
Control 6.3 Information security awareness, education and training
Control 6.4 Disciplinary process
Control 6.5 Responsibilities after termination or change of employment
Control 6.7 Remote working
Control 6.8 Information security event reporting
Control 7.01 Physical security perimeter
Control 7.02 Physical entry
Control 7.03 Security offices, rooms and facilities
Control 7.04 Physical security monitoring
Control 7.05 Protecting against physical and environmental threats
Control 7.06 Working in secure areas
Control 7.08 Equipment siting and protection
Control 7.09 Security of assets off-premises
Control 7.10 Storage media
Control 7.11 Supporting utilities
Control 7.12 Cabling security
Control 7.13 Equipment maintenance
Control 8.01 User endpoint devices
Control 8.02 Privileged access rights
Control 8.03 Information access restriction
Control 8.04 Access to source code
Control 8.05 Secure authentication
Control 8.06 Capacity management
Control 8.07 Protection against malware
Control 8.08 Management of technical vulnerabilities
Control 8.09 Configuration management
Control 8.13 Information backup
Control 8.14 Redundancy of information processing facilities
Control 8.15 Logging
Control 8.16 Monitoring activities
Control 8.18 Use of privileged utility programs
Control 8.19 Installation of software on operational systems
Control 8.20 Network security
Control 8.21 Security of network services
Control 8.22 Segregation of networks
Control 8.23 Web filtering
Control 8.24 Use of cryptography
Control 8.25 Secure development lifecycle
Control 8.26 Application security requirements
Control 8.27 Secure system architecture and engineering principles
Control 8.28 Secure coding
Control 8.29 Security testing in development and acceptance
Control 8.30 Outsourced development
Control 8.31 Separation of development, test and production environments
Control 8.32 Change management
Control 8.34 Protection of information systems during audit and testing

Overview of the Information Security Properties Attribute

The Information Security Properties attribute centers on classifying each control by the element of security it supports. Controls that protect data in your organization are typically designed with one or more of the following goals in mind:

  • Preserving confidentiality to ensure that sensitive information is accessible only to authorized users.
  • Maintaining integrity so that your data remains accurate and unaltered except by authorized processes or individuals.
  • Ensuring availability so that information and assets are available when needed by those with the right to access them.

By tagging controls with these properties, you can sort, filter, and analyze your security approach from multiple perspectives. For instance, if your organization faces strict regulations around personal data handling, you may be more focused on controls that preserve confidentiality. On the other hand, if your operations rely heavily on real-time data, you may place a higher priority on availability. This attribute-based view helps you quickly identify gaps, overlaps, and priorities.

Breaking Down the Three Key Information Security Properties

The Information Security Properties attribute in ISO 27001 refers to the three elements—confidentiality, integrity, and availability—that every control should address. These elements form the basis of what is commonly referred to as the CIA Triad.

Confidentiality

Confidentiality ensures that only authorized personnel, processes, and systems can access sensitive information. If unauthorized individuals gain access to data, your organization may face data breaches, regulatory penalties, or reputational harm. Adopting controls that preserve confidentiality is critical for meeting legal obligations, maintaining customer trust, and protecting intellectual property.

Concepts for Confidentiality

  1. Access Control
    • Restricts entry to systems, networks, and data resources.
    • Common techniques include role-based access control (RBAC) and mandatory access control (MAC).
  2. Encryption
    • Transforms readable data into an unreadable format (ciphertext) that can only be decrypted with the correct key.
    • Often used for data at rest (e.g., database encryption) and data in transit (e.g., TLS for secure web connections).
  3. Least Privilege
    • Allocates the minimum level of access necessary for a user or process to perform its function.
    • Mitigates risk by reducing the potential damage from compromised accounts.

Measures for Confidentiality

  • Implement strong user authentication methods (e.g., multi-factor authentication).
  • Conduct regular training sessions so that employees understand how to handle sensitive data.
  • Assign data classification labels (e.g., public, internal, confidential) to documents, applications, and databases.
  • Monitor and log system access to detect unauthorized activities in real time.

Confidentiality Table

  • Identification & Authentication
    Description: Ensures entities accessing systems are who they claim to be
    Example Controls: User IDs and passwords; Multi-factor authentication
    Common Threats: Stolen credentials; Phishing attacks
    Potential Impacts: Unauthorized data access; Credential misuse
  • Authorization & Access Control
    Description: Limits system privileges and data visibility to approved users
    Example Controls: Role-based access control; Least privilege policies
    Common Threats: Insider threats; Privilege escalation
    Potential Impacts: Data exfiltration; Privacy violations
  • Data Handling & Classification
    Description: Uses labels to define sensitivity and implement controls accordingly
    Example Controls: Data classification policy; Secure disposal methods
    Common Threats: Mishandling of data; Oversharing
    Potential Impacts: Legal non-compliance; Reputational damage
  • Encryption & Secure Transport
    Description: Protects data at rest and in transit from unauthorized viewing
    Example Controls: Disk encryption; Secure Sockets Layer/Transport Layer Security
    Common Threats: Man-in-the-middle attacks; Eavesdropping
    Potential Impacts: Information disclosure; Compromised communications

Integrity

Integrity preserves the accuracy, completeness, and consistency of data and systems. It prevents unauthorized alterations that could compromise operational effectiveness, undermine business decisions, or cause compliance violations. Integrity also includes ensuring that any changes made to data or configurations are traceable.

Concepts for Integrity

  1. Version Control
    • Manages multiple versions of documents, source code, or system configurations.
    • Simplifies audits and rollback processes when errors or unauthorized changes occur.
  2. Checksums and Hashing
    • Generates a unique fingerprint for files or messages.
    • Any alteration, even minor, changes the checksum or hash, signaling potential tampering.
  3. Audit Trails
    • Tracks actions taken on systems and data.
    • Helps identify who made changes, when they were made, and which information was affected.

Measures for Integrity

  • Implement robust change management processes to control and document software and hardware modifications.
  • Maintain secure backup routines and regularly test restoration procedures.
  • Use digital signatures or cryptographic checksums to detect and prevent unauthorized changes to critical files.
  • Enforce separation of duties so that no single individual can alter data without oversight.

Integrity Table

  • Change Management
    Description: Ensures that all modifications to systems or data follow a formal process
    Example Controls: Documented approvals; Version control systems
    Common Threats: Unapproved changes; Outdated patches
    Potential Impacts: System instability; Data corruption
  • Data Validation & Verification
    Description: Validates data inputs and checks them against expected formats or ranges
    Example Controls: Input validation scripts; Checksums or parity checks
    Common Threats: Data injection; Malicious file manipulation
    Potential Impacts: Faulty analytics; Inaccurate or misleading reporting
  • Audit Logging & Monitoring
    Description: Records events that affect data or systems for later review
    Example Controls: Centralized logging solutions; Security Information and Event Management (SIEM)
    Common Threats: Log tampering; Unnoticed internal misuse
    Potential Impacts: Difficulty investigating incidents; Non-compliance with regulations
  • Digital Signatures & Integrity Controls
    Description: Detects any modification to critical information or transactions
    Example Controls: Digital signature software; Cryptographic hash functions
    Common Threats: Integrity attacks; Unauthorized modifications
    Potential Impacts: Invalid business transactions; Compromised data authenticity

Availability

Availability ensures that information, systems, and related services are accessible to authorized users without undue delay. Disruptions to availability can interrupt business operations, lead to financial losses, and harm your organization’s reputation.

Concepts for Availability

  1. Redundancy & Failover
    • Provides backup systems or infrastructures that activate automatically if the primary system fails.
    • Minimizes downtime and maintains service continuity.
  2. Backups & Recovery
    • Stores copies of data in secure, offsite or cloud-based repositories.
    • Facilitates prompt restoration of information in case of data corruption or disaster.
  3. Capacity Planning
    • Analyzes system usage trends and forecasts future resource requirements.
    • Prevents service degradation by ensuring hardware and software scalability.

Measures for Availability

  • Create and test business continuity and disaster recovery plans that outline how to restore critical operations.
  • Monitor performance metrics to identify bottlenecks or hardware failures.
  • Use load balancing and clustering solutions to spread workloads across multiple systems.
  • Conduct periodic drills to validate the effectiveness of recovery strategies and staff readiness.

Availability Table

  • Redundancy & Failover
    Description: Employs backup resources to take over if primary systems fail
    Example Controls: Clustering; High-availability servers
    Common Threats: Power outages; Hardware failures
    Potential Impacts: Service interruptions; Revenue loss
  • Backup & Recovery
    Description: Regularly copies data to secure locations to restore in emergencies
    Example Controls: Automated backup scheduling; Offsite or cloud backups
    Common Threats: Ransomware; Data corruption
    Potential Impacts: Permanent data loss; Prolonged operational downtime
  • Business Continuity Planning (BCP)
    Description: Defines procedures to maintain or quickly resume critical functions
    Example Controls: Incident response plans; Disaster recovery exercises
    Common Threats: Natural disasters; Significant IT outages
    Potential Impacts: Failure to meet SLAs; Damage to customer trust
  • Capacity & Performance Monitoring
    Description: Ensures systems can meet current and future demands
    Example Controls: Resource usage monitoring; Scalability testing
    Common Threats: Network congestion; Unexpected traffic spikes
    Potential Impacts: Slow service response; Customer dissatisfaction

Mapping Controls to the CIA Triad with the ISO 27002:2022 Controls Spreadsheet

Implementing and managing controls in line with confidentiality, integrity, and availability becomes more straightforward when you have a clear resource that shows the relationship between each control and the CIA Triad. The ISO 27002:2022 Controls Spreadsheet provides a comprehensive list of ISO 27002:2022 controls and maps them to the relevant properties of confidentiality, integrity, and/or availability.

Features of the Spreadsheet:

  • Complete Control List: Identifies each ISO 27002:2022 control, making it simpler to confirm you have covered all required areas.
  • CIA Triad Indicators: Shows which of the three properties a specific control supports. Some controls will address more than one area.
  • Filter and Sort: Lets you quickly filter controls by confidentiality, integrity, or availability, helping you focus on the properties most important to your organization.
  • Status Tracking: Includes columns where you can note the current status of each control and your next steps for implementation or improvement.

Using this spreadsheet helps you visualize your existing coverage against the three critical properties. It allows you to spot potential gaps—such as missing availability controls or insufficient measures for maintaining data integrity—and to adjust your risk treatment plan accordingly. The resource also streamlines internal discussions about control priorities by providing a unified view that everyone on your team can reference.
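The filter and gap view the spreadsheet offers can be reproduced directly from the page's own control lists. The Python below is an added example, not the spreadsheet or any vendor code; the lists embedded in it are a constructed excerpt of the three lists above (kept in the page's own run-together format so the parser has to recover the control number), and the function names and the sample Statement of Applicability set are assumptions.

```python
"""Rebuild the 'Information Security Properties' view from the page's own
control lists and query it the way the spreadsheet's filter does."""
import re
from collections import defaultdict

# Constructed excerpt of the three lists above, in the page's own format
# ("Control 8.13Information backup": no separator between number and title).
PROPERTY_LISTS = {
    "C": """
Control 5.12Classification of information
Control 5.15Access control
Control 8.10Information deletion
Control 8.11Data masking
Control 8.12Data leakage prevention
Control 8.15Logging
Control 8.24Use of cryptography
Control 8.32Change management
Control 8.33Test information
""",
    "I": """
Control 5.12Classification of information
Control 5.15Access control
Control 8.13Information backup
Control 8.15Logging
Control 8.17Clock synchronization
Control 8.24Use of cryptography
Control 8.32Change management
Control 8.33Test information
""",
    "A": """
Control 5.12Classification of information
Control 5.15Access control
Control 5.30ICT readiness for business continuity
Control 8.13Information backup
Control 8.14Redundancy of information processing facilities
Control 8.15Logging
Control 8.24Use of cryptography
Control 8.32Change management
""",
}

# The title starts right after the last digit of the number: "5.01Policies" -> ("5.01", "Policies").
_LINE = re.compile(r"^Control\s+(\d+\.\d+)\s*(\S.*)$")

def normalize_id(raw):
    """The page mixes zero-padded ('5.01') and plain ('6.1') numbers; unify them."""
    clause, control = raw.split(".")
    return f"{int(clause)}.{int(control)}"

def sort_key(control_id):
    return tuple(int(part) for part in control_id.split("."))  # numeric: '8.9' before '8.10'

def parse_control_list(text):
    """One property list -> {control_id: title}; blank or garbled lines are skipped."""
    controls = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            controls[normalize_id(match.group(1))] = match.group(2).strip()
    return controls

def build_property_map(property_lists=PROPERTY_LISTS):
    """Merge the per-property lists into {control_id: {"title": ..., "properties": {...}}}."""
    merged = defaultdict(lambda: {"title": "", "properties": set()})
    for prop, text in property_lists.items():
        for control_id, title in parse_control_list(text).items():
            merged[control_id]["title"] = title
            merged[control_id]["properties"].add(prop)
    return dict(merged)

def controls_for(prop, property_map=None):
    """The spreadsheet's 'filter by property': ids tagged with prop, in clause order."""
    pmap = build_property_map() if property_map is None else property_map
    return sorted((cid for cid, c in pmap.items() if prop in c["properties"]), key=sort_key)

def single_property_controls(property_map=None):
    """Controls tagged with exactly one property: dropping one leaves that property thinner."""
    pmap = build_property_map() if property_map is None else property_map
    result = {"C": [], "I": [], "A": []}
    for cid, c in pmap.items():
        if len(c["properties"]) == 1:
            result[next(iter(c["properties"]))].append(cid)
    return {prop: sorted(ids, key=sort_key) for prop, ids in result.items()}

def coverage_gaps(implemented_ids, property_map=None):
    """Per property, the tagged controls an SoA has not implemented (the 'missing availability controls' gap)."""
    pmap = build_property_map() if property_map is None else property_map
    implemented = {normalize_id(i) for i in implemented_ids}
    return {prop: [cid for cid in controls_for(prop, pmap) if cid not in implemented]
            for prop in ("C", "I", "A")}

if __name__ == "__main__":
    pmap = build_property_map()
    print("single-property:", single_property_controls(pmap))
    # Constructed SoA of an organisation that has not yet addressed continuity controls.
    selected = {"5.12", "5.15", "8.10", "8.11", "8.12", "8.15", "8.17", "8.24", "8.32", "8.33"}
    print("gaps:", coverage_gaps(selected, pmap))
```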


CIA Triad Summary

Each of the three Information Security Properties—confidentiality, integrity, and availability—addresses a specific dimension of protecting your organization’s data and systems. It is common for controls to overlap across properties. For instance, an access control solution may primarily address confidentiality while also supporting integrity by preventing unauthorized changes. Recognizing these interdependencies helps you create a more resilient and adaptable security environment.

Practical Application in Risk Management

Risk management in the context of ISO 27001 involves a systematic process for identifying, analyzing, and addressing threats that can affect the confidentiality, integrity, and availability of your organization’s information assets. By integrating the Information Security Properties (CIA Triad) into each stage of risk management, you can develop a more focused and effective Information Security Management System (ISMS). Below is a detailed look at how to apply the CIA Triad across the four key phases of risk management.


Overview of the Risk Management Process

  1. Risk Identification
    Determine potential threats that could compromise any of the three Information Security Properties.
    Identify vulnerabilities in your processes, systems, and personnel that might lead to incidents.

  2. Risk Analysis
    Evaluate the likelihood and impact of each identified risk, particularly how it may affect confidentiality, integrity, and/or availability.
    Prioritize risks based on the severity of potential outcomes.

  3. Risk Treatment
    Design, select, and implement controls aligned with the CIA properties that address each high-priority risk.
    Establish an action plan to mitigate or accept each risk, documenting the rationale and decisions.

  4. Implementation and Monitoring
    Deploy chosen controls, monitor their effectiveness, and make necessary adjustments.
    Maintain continuous improvement by collecting metrics, performing reviews, and refining your strategy.

These phases align with ISO 27001 requirements for managing information security risks and demonstrating due diligence. It is useful to maintain a clear audit trail at each step, demonstrating which threats were identified, how they were analyzed, and which controls were implemented.


Breakdown of Each Phase

Below is a table summarizing the practical application of each phase, along with how you can incorporate the Information Security Properties.

  • Risk Identification
    Activities: List threats that could exploit known vulnerabilities; catalog information assets by type, location, and sensitivity; determine which properties (C, I, A) might be affected.
    CIA Focus: Confidentiality (potential data leaks); Integrity (unapproved data modifications); Availability (system outages or disruptions)
    Documents / Tools: Asset inventory; Threat library; ISO 27001:2022 Risk Assessment Template
    Common Challenges: Incomplete threat analysis; Overlooking certain asset types; Underestimating the scope of vulnerabilities
  • Risk Analysis
    Activities: Assign likelihood and impact scores for each identified risk; correlate which risks affect confidentiality, integrity, or availability; rank risks according to their severity.
    CIA Focus: Confidentiality (high impact for sensitive data); Integrity (damage to key financial systems); Availability (critical service outages)
    Documents / Tools: Risk register; Rating criteria for likelihood and impact; Workshops with stakeholders
    Common Challenges: Subjective scoring; Lack of consistent impact metrics; Difficulty in cross-department collaboration
  • Risk Treatment
    Activities: Select existing or new controls to reduce risk to acceptable levels; determine if controls target confidentiality, integrity, and/or availability; formulate a Statement of Applicability (SoA).
    CIA Focus: Confidentiality (use of encryption, access controls); Integrity (change management, audit logs); Availability (backup solutions, failover)
    Documents / Tools: Control selection guidelines; ISO 27001:2022 SoA Template; Action plan for mitigating identified risks
    Common Challenges: Selecting overly broad or insufficient controls; Managing resource constraints; Balancing control costs vs. risk reduction
  • Implementation & Monitoring
    Activities: Deploy chosen controls and integrate them into operational processes; continuously track control effectiveness and make improvements; update documentation, logs, and SoA as controls evolve.
    CIA Focus: Confidentiality (ongoing access reviews); Integrity (regular integrity checks); Availability (monitoring resource utilization)
    Documents / Tools: Security monitoring system; Periodic audits; Metrics and KPIs for control performance
    Common Challenges: Failure to adapt to changing threats; Neglecting continuous improvements; Inconsistent monitoring across departments

How the CIA Triad Informs Risk Management

  1. Confidentiality in Risk Management
    You can segment your network and apply tighter access controls to assets that store personal or financial data.
    Prioritize risks that could expose sensitive information, such as insufficient encryption or weak authentication methods.

  2. Integrity in Risk Management
    Focus on mechanisms for detecting and preventing unauthorized alterations to data, source code, or system configurations.
    Identify high-impact scenarios (e.g., tampering with product designs or financial records) and implement verification protocols.

  3. Availability in Risk Management
    Mitigate service outages that could harm business continuity by building redundancy and maintaining well-documented recovery plans.
    Regularly test backups and failover processes to confirm that your organization can recover quickly from an incident.


Templates for Optimizing Your Process

Using templates, you can structure your risk management activities more effectively, track control decisions, and maintain clear documentation that satisfies auditor requirements.

  1. ISO 27001 Risk Assessment Template
    Provides a structured approach for identifying and analyzing risks in your organization.
    Helps document threat details, assign impact and likelihood, and maintain consistency across different business units.

  2. ISO 27001:2022 SoA Template
    Facilitates the creation of a Statement of Applicability (SoA), a required document in ISO 27001 that lists which controls you have selected and why.
    Clarifies the rationale for excluding any controls and how each chosen control helps protect confidentiality, integrity, and availability.


Continuous Improvement and Review

Even the best risk management plan requires regular updates to stay relevant. Security challenges shift, business operations change, and new vulnerabilities emerge. Consider scheduling reviews of your risk register and SoA at least annually, or whenever major changes occur in your environment. During these reviews:

  • Check if the controls continue to address identified risks adequately.
  • Update risk ratings if likelihoods or impacts have changed.
  • Evaluate if you need new or additional controls to maintain desired levels of confidentiality, integrity, and availability.

Such a proactive stance promotes a culture of continuous improvement and upholds the principles of ISO 27001.

Other ISO 27001 Control Attributes

Besides Information Security Properties, ISO 27001 also introduces four other attributes that allow you to view and categorize controls from additional perspectives. These attributes—Control Type, Cybersecurity Concepts, Operational Capabilities, and Security Domains—are considered generic enough to be used by organizations of various sizes and sectors. By selecting any combination of these attributes, you can build customized “views” of your information security controls that align closely with your risk priorities and operational focus.

Below is an overview of each attribute:


Control Type

Viewing your controls by Control Type helps you balance preventative, detective, and corrective strategies. This approach ensures you do not overly rely on any single method of protection and can respond effectively if preventive measures fail. Control Type categorizes each control based on how and when it influences the risk of an information security incident:

  • Preventive: Designed to stop an incident from occurring in the first place.
  • Detective: Activated when an incident happens, aiding in immediate discovery.
  • Corrective: Implemented after an incident has taken place to restore or fix the affected systems.

Cybersecurity Concepts

This attribute helps you understand how your controls contribute to a broader cybersecurity framework. It also aids in prioritizing initiatives, especially when aligning with best practices or industry-specific guidelines. Cybersecurity Concepts aligns each control with the high-level security functions described in ISO/IEC TS 27110. The five functions are:

  • Identify: Recognizes assets, threats, and vulnerabilities.
  • Protect: Applies measures to secure information and systems.
  • Detect: Discovers security incidents and anomalies.
  • Respond: Coordinates actions to contain or mitigate impacts.
  • Recover: Restores normal operations following an incident.

Operational Capabilities

Operational Capabilities offers a practitioner-focused view of controls. It categorizes controls based on specific information security capabilities, such as:

  • Governance
  • Asset Management
  • Information Protection
  • Human Resource Security
  • Physical Security
  • System and Network Security
  • Application Security
  • Secure Configuration
  • Identity and Access Management
  • Threat and Vulnerability Management
  • Continuity
  • Supplier Relationships Security
  • Legal and Compliance
  • Information Security Event Management
  • Information Security Assurance

This attribute lets you map security requirements to operational teams (e.g., IT operations, HR, legal) more efficiently. Each team can then focus on the controls directly relevant to its scope.

Security Domains

Looking at controls by Security Domains can clarify executive reporting and strategic planning. This higher-level grouping makes it easier to communicate your security posture in terms of broad functional areas. Security Domains categorizes controls under four high-level domains of information security:

  • Governance and Ecosystem: Encompasses governance frameworks, risk management, and stakeholder interactions (internal and external).
  • Protection: Covers IT security architecture, IT administration, identity management, maintenance, and physical security.
  • Defence: Focuses on intrusion detection, threat intelligence, and incident management.
  • Resilience: Centers on business continuity, crisis management, and maintaining operations under adverse conditions.

Templates Facilitating Control Implementation

Working with the Information Security Properties attribute means applying the right controls and systematically documenting how each measure supports one or more of the properties. You may find the following templates useful for integrating the Information Security Properties attribute into your organization’s ISO 27001 ISMS framework:

  1. CIA Impact Assessment Template
    Helps you evaluate how a potential threat could affect the confidentiality, integrity, and availability of information assets. Included in our Risk Assessment Template.

  2. Risk Treatment Plan Template
    Guides you in linking each identified risk to the control or set of controls assigned to mitigate it. Use our Risk Assessment Template, which facilitates the Risk Treatment Plan.

  3. Control Mapping Worksheet
    Maps each selected control to the property (confidentiality, integrity, availability) it supports. The ISO 27002:2022 controls list provides an overview and maps each control to the relevant properties.

  4. Data Classification Policy Template
    Outlines guidelines for classifying and handling data according to confidentiality requirements, ensuring consistent treatment of sensitive information across your organization.

Conclusion

Focusing on the Information Security Properties (confidentiality, integrity, and availability) gives your organization a clear, structured way to address the core requirements of ISO 27001. By mapping each control to the element of the CIA Triad it supports, you create a transparent view of your overall security strategy and can readily identify critical gaps or overlaps. This approach is further strengthened by regularly connecting these properties to risk management activities, ensuring that each identified risk is met with controls targeted at the specific property under threat.

Implementing controls in line with the CIA Triad also promotes accountability among the different teams and stakeholders within your organization. Whether you are classifying data for confidentiality, verifying system changes for integrity, or preparing backup and recovery procedures for availability, the practical measures you adopt are easier to justify and maintain when everyone understands which aspect of information security they serve.

In addition, these properties do not exist in isolation. Many controls simultaneously reinforce more than one element of the triad, offering a layered, adaptable defense. Continual improvement efforts—such as updating risk assessments, testing incident response plans, and reviewing the effectiveness of your controls—become more efficient when the property each control serves is already documented.

Through the structured lens of Confidentiality, Integrity, and Availability, you can communicate priorities clearly, allocate resources where they are most needed, and maintain an adaptable, resilient security posture that supports your long-term operational goals.