The protection goals of information security are the elementary key points for the protection of information. Information represents a significant economic value for every company, and not just since today. It is the foundation of their existence and therefore an essential prerequisite for successful business. It is therefore obvious - or at least desirable - that information must be protected. However, there is still a wide gap between desire and reality.


What are the protection goals of information security?

Due to inadequate security in information processing, billions of dollars in damage are caused annually. But how can adequate protection of organizational assets be achieved? And what is the best way for a company to get started on the topic of information security?

A well-structured information security management system (ISMS) according to ISO/IEC 27001 provides an optimal basis for the effective implementation of a holistic security strategy. The standard provides a model for the introduction, implementation, monitoring and improvement of the level of protection. To achieve this, companies and organizations should first address the three fundamental protection goals of information security:

  • Confidentiality
  • Integrity
  • Aavailability

Confidentiality of information

The objective is to protect confidential data from unauthorized access, whether for reasons of data protection laws or on the basis of trade secrets covered e.g. by the Trade Secrets Act. The confidentiality of information and sensitive data is therefore ensured if only those persons have access to it who have authority (authorization) to do so. Access means, for example, reading, editing (changing) or even deleting.

The measures taken must therefore ensure that only authorized persons have access to the confidential information - non-authorized persons under no circumstances. This also applies to information on paper, which may sit unprotected on a desk and invite reading, or to the transmission of data that cannot be accessed in the course of its processing.


Our Audit Guide ISO 27001 - Annex A was created by leading experts as a practical implementation aid and is ideal for understanding selected standard requirements better. The guideline is based on ISO/IEC 27001:2017, with a revision of the ISO standard expected by the end of 2022. 

For authorized persons, it is also necessary to specify the type of access they should have, what they are allowed or required to do, and what they are not allowed to do. It must be ensured that they cannot do what they are not allowed to do. The methods and techniques used in this process are diverse and in some cases company-specific.

If it is "only" a question of unauthorized viewing or disclosure of information (also during transmission, classic: e-mail traffic!), cryptographic measures can be used to protect confidentiality, for example. If the goal is to prevent unauthorized modification of information, the protection goal "integrity" comes into play.

ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection – Information security management systems – Requirements

The revised ISO standard was published on 25.10.2022. ISO/IEC 27001:2013 is still valid for a transition period of three years until October 2025.

The standard is available from the ISO website


Integrity of information

The technical term integrity is linked to several requirements at once:

  • Unintentional changes to information must be impossible, or at least detectable and traceable. In practice, the following gradation applies:
    - High (strong) integrity prevents unwanted changes.
    - Low (weak) integrity may not prevent changes, but ensures that (unintentional) changes can be detected and, if necessary, traced (traceability).
  • The reliability of data and systems must be guaranteed.
  • The completeness of information must be guaranteed.

Measures aimed at increasing the integrity of information therefore also target the issue of access authorization in conjunction with protection against external and internal attacks.

"While the words " confidentiality" and "availability" are readily understandable, almost self-explanatory, in terms of the classic protection goals of information security, the technical term "integrity" requires some explanation. What is meant is correctness (of data and systems), completeness or traceability (of changes)."

Availability of information

Availability of information means that this information, including the required IT systems, must be accessible to any authorized person at any time and usable (functional) to the extent required. If a system fails or a building is not accessible, the required information is not available. In certain cases, this can lead to disruptions with far-reaching consequences, for example in the maintenance of processes.

It therefore makes sense to conduct a risk analysis with a view to the probability of a system failure, its possible duration and any damage caused by a lack of IT security. Effective countermeasures can be derived from the results and executed if the worst comes to the worst.

What are "extended" protection goals?

In addition to the security goals of confidentiality, integrity and availability, there are three additional security goals. These include the two aspects of "commitment" and "accountability", which complement each other. The former means ensuring that an actor cannot deny their action, the latter that this action can be reliably attributed to them. Both boil down to the unique identifiability of actors, and the issuance of unique passwords is a minimum requirement for this.

The third extended protection goal is "authenticity," i.e., genuineness. A simple question in this context is: Is the information genuine - does it actually come from the specified source? This protection goal is important for assessing the trustworthiness of the source.

Man and a woman with a laptop in a server room

Information of value is today's gold - and also an asset to be protected for your company. Read answers to the most important questions about information security here.

Protection goals of information security: Conclusion

The three most important protection goals of information security are "confidentiality", "integrity" and "availability".

Confidentiality: To be able to guarantee it, you must clearly define who is authorized to access this sensitive data and in what way. This is linked to appropriate access authorizations and the use of cryptographic techniques, for example.

Integrity means protection against unauthorized changes and deletion of information, plus the reliability and completeness of information. It is therefore important for your company to take precautions to quickly detect changes to data or to prevent unauthorized manipulation from the ground up.

Availability means that information, systems and buildings must be available to authorized persons at all times. Since system failures, for example, are associated with major risks, a risk analysis should be carried out for this complex of topics. Record here the probability of failure, the downtime and the damage potential of the most necessary systems.

Commitment, accountability and authenticity are "extended" protection goals.

Commitment is understood to ensure that an actor cannot deny their actions. Accountability complements this extended protection goal by clearly identifying such an actor. Authenticity asks the question: Is a piece of information genuine or trustworthy?

DQS - What you can expect from us

Information security is a complex topic that goes far beyond IT security. It includes technical, organizational and infrastructural aspects. The international standard ISO/IEC 27001 is suitable for effective protective measures in the form of an information security management system (ISMS).

DQS is your specialist for audits and certifications of management systems and processes. With 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner and provide answers to all questions regarding ISO 27001 and information security management systems.

dqs-question-answer-question mark on wooden cubes on table

We are happy to answer your questions

How much effort do you have to expect to have your information security management system certified according to ISO 27001? Find out. Without obligation and free of charge.

Trust and expertise

Our texts and brochures are written exclusively by our standards experts or auditors with many years of experience. If you have any questions about the text content or our services to our author, please feel free to send us an e-mail.

André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.