CIA triad — SY0-701
Master the CIA triad (Confidentiality, Integrity, Availability) for CompTIA Security+ SY0-701 — NIST-grounded definitions, exam traps, and concept links.
What it is
The CIA triad names the three foundational properties that information security aims to protect. NIST defines information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability" (FIPS 200).
Each property has its own NIST definition:
- Confidentiality — "preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information" (FIPS 200, 44 U.S.C. § 3542).
- Integrity — "guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity" (FIPS 200, 44 U.S.C. § 3542).
- Availability — "ensuring timely and reliable access to and use of information" (FIPS 200, 44 U.S.C. § 3542).
Mental model
Map every security event to the property it violates. An attacker who reads data they should not see violates confidentiality. An attacker who alters data violates integrity. An attacker who blocks access violates availability. One event can violate multiple properties simultaneously, but the triad gives you a precise language to say which harm occurred and why it matters.
When to use it
Use the triad to classify the primary harm a scenario describes, then select controls aimed at that property.
| Property | Primary question | Example harm | Example control category |
|---|---|---|---|
| Confidentiality | Who can see this? | Unauthorized disclosure of personal data | Encryption, access controls |
| Integrity | Has this been altered without authorization? | Tampered log file or corrupted transaction | Hashing, digital signatures |
| Availability | Can authorized users get to this when they need it? | Service disruption cutting off system access | Redundancy, fault tolerance |
A single scenario may touch more than one property. Identify the primary harm first, then note secondary effects.
Common misconception
Candidates often conflate integrity with accuracy or "correctness." NIST grounds integrity in unauthorized modification or destruction — not in whether data is factually true. A file that was deliberately and improperly altered has an integrity violation even if the attacker happened to insert accurate information. Conversely, a legitimately authorized user making an error does not, by itself, constitute an integrity violation in the security sense.
A related trap is treating non-repudiation as a separate, fourth pillar equal to the triad. NIST's integrity definition explicitly includes "ensuring information non-repudiation and authenticity," making non-repudiation a component of integrity rather than a peer concept. Scenarios that describe the need to prove who sent or approved something are still describing an integrity concern at their core.
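The two points above (integrity means "not modified without authorization", not "factually correct", and authenticity is part of integrity) are easiest to see in a working integrity control. The following Python is an added example written for this page, not code from NIST or CompTIA; the record, the key and the function names are constructed for the demonstration. It stores an unkeyed SHA-256 digest and a keyed HMAC for a transaction record, then shows that a tampered record fails the check even when the inserted value is perfectly plausible, that an authorized update simply re-commits a new digest, and that only the keyed HMAC tells you the value came from a holder of the key (authenticity; full non-repudiation would need an asymmetric signature, which is outside this example).

```python
import hashlib
import hmac
import json

# Constructed sample record (not from the page): one stored transaction.
RECORD = {"txn_id": 1001, "account": "ACC-42", "amount": 250.00, "currency": "USD"}

# Constructed demo key for the HMAC; a real system loads this from a secret store.
DEMO_KEY = b"demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed SHA-256: detects any change to the content, but says nothing about who made it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects change AND shows a key holder produced the value (authenticity)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def integrity_intact(record: dict, expected_digest: str) -> bool:
    """True if the record still matches the digest committed when it was stored."""
    return hmac.compare_digest(digest(record), expected_digest)


def authentic(record: dict, expected_tag: str, key: bytes) -> bool:
    """True if the record matches a tag that only a holder of `key` could have produced."""
    return hmac.compare_digest(tag(record, key), expected_tag)


def authorized_update(record: dict, key: bytes, **changes) -> tuple[dict, str, str]:
    """An authorized change re-commits the record: new content, new digest, new tag.

    The control does not judge whether the new values are 'true'; it only records
    that this content is the version an authorized party committed.
    """
    updated = {**record, **changes}
    return updated, digest(updated), tag(updated, key)


def demo() -> dict:
    """Walk through the scenarios from the text and return what each check reports."""
    stored_digest = digest(RECORD)
    stored_tag = tag(RECORD, DEMO_KEY)

    # Unauthorized edit that inserts a plausible, possibly even correct, amount.
    # Integrity is about modification, not truth, so the check still fails.
    tampered = {**RECORD, "amount": 250.01}

    # If the attacker can also overwrite the stored digest with one they computed,
    # the unkeyed hash alone is fooled; the keyed HMAC is not, because it needs the key.
    attacker_digest = digest(tampered)

    # Authorized change by the system owner: new digest and tag are committed together.
    updated, new_digest, new_tag = authorized_update(RECORD, DEMO_KEY, amount=300.00)

    return {
        "original_ok": integrity_intact(RECORD, stored_digest)
        and authentic(RECORD, stored_tag, DEMO_KEY),
        "tampered_detected_by_hash": not integrity_intact(tampered, stored_digest),
        "tampered_detected_by_hmac": not authentic(tampered, stored_tag, DEMO_KEY),
        "replaced_hash_fools_unkeyed_check": integrity_intact(tampered, attacker_digest),
        "replaced_hash_still_fails_hmac": not authentic(tampered, stored_tag, DEMO_KEY),
        "authorized_update_ok": integrity_intact(updated, new_digest)
        and authentic(updated, new_tag, DEMO_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Read the last two keys of the returned dictionary as the exam would: the unkeyed digest covers "modified without authorization" only as long as the digest itself is protected, while the keyed tag adds the "authenticity" half of NIST's integrity definition. Neither check ever inspects whether the amount is the right number, which is exactly why accuracy and integrity are different questions.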
How it shows up on the exam
Questions in this area test whether candidates can correctly map a described situation to the right CIA property — and resist the pull of plausible-sounding but incorrect properties. Candidates often struggle when a scenario involves a control (such as encryption) that serves confidentiality but is described in a context that primarily addresses integrity or availability.
Signal phrases to listen for:
- Confidentiality: "unauthorized disclosure," "sensitive data exposed," "intercept," "eavesdrop," "privacy"
- Integrity: "tampered," "modified without authorization," "altered," "corrupted," "authenticity," "non-repudiation"
- Availability: "timely and reliable access," "disruption," "denial of service," "downtime," "redundancy"
The cognitive target is classification, not recall. Knowing the definitions is necessary but not sufficient — practice applying them to novel situations where more than one property appears threatened.
Related concepts
- Non-repudiation — a component of integrity under NIST's definition; ensures actions or messages cannot be falsely denied after the fact.
- AAA Framework — authentication, authorization, and accounting mechanisms that enforce confidentiality and integrity at the access layer.
- Zero Trust — an architecture that applies CIA protections without assuming any implicit trust based on network location.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: