CIA Triad + 5 Pillars of InfoSec | CISSP Domain 1 | SkillAssess
CISSP · Security and Risk Management · 9 min read · 14 May 2026
The 5 Pillars of Information Security: CIA Triad + Authenticity & Non-Repudiation
If you have studied for the CISSP even briefly, you have encountered the CIA triad. Confidentiality, Integrity, and Availability are the three pillars taught in every security course — but the exam tests them in ways that go well beyond memorisation. The CISSP also recognises two additional pillars: Authenticity and Non-Repudiation. Understanding all five, and knowing how to identify which one is threatened in a scenario, is essential for passing the exam.
Why the CIA Triad Is Only Part of the Picture
Most introductory security courses stop at CIA. The CISSP 2024 exam outline acknowledges that information security has expanded beyond three pillars. Modern security programmes must also guarantee that data and communications are genuine (authenticity) and that parties cannot deny their actions (non-repudiation). Ignoring these two pillars will cost you points on scenario-based questions.
Confidentiality
Confidentiality ensures that information is accessible only to those authorised to access it. It protects data from unauthorised disclosure — whether through hacking, insider threats, or simple misconfiguration.
Controls that support confidentiality include encryption (protecting data at rest and in transit), access controls (restricting who can read data), data classification (determining what needs protecting and at what level), and need-to-know policies (limiting access to the minimum required for job functions).
On the exam, confidentiality is violated when data is exposed to unauthorised parties. Classic scenarios include: an employee emailing sensitive files to a personal account, an unencrypted laptop being stolen, or a misconfigured S3 bucket making private records publicly accessible.
A common distractor: confidentiality is about disclosure, not modification. If data is changed without authorisation, that is an integrity violation, not confidentiality.
Integrity
Integrity ensures that information is accurate, complete, and has not been modified without authorisation. It protects data from both accidental and deliberate alteration.
Controls supporting integrity include hashing algorithms (SHA-256, SHA-3) to detect modification, digital signatures to verify that data has not been tampered with and was produced by the holder of the signing key, version control systems to track changes over time, and audit logs that create a tamper-evident record of who changed what and when. A practical caveat: an unkeyed hash stored alongside the data catches accidental or careless change only, because whoever can rewrite the data can recompute the hash. To detect deliberate tampering, the check value itself must be protected, for example with a keyed MAC, a digital signature, or storage the writer cannot reach.
Integrity violations on the exam involve scenarios where data has been altered. Examples include a database record changed by a disgruntled employee, a software update replaced with a malicious version, or a financial transaction modified in transit. The exam often tests whether candidates understand that integrity controls detect modification — they do not always prevent it.
An important exam nuance: integrity is not just about preventing malicious changes. Accidental corruption — such as a bit-flip during storage — is also an integrity violation.
Availability
Availability ensures that information and systems are accessible to authorised users when needed. It is arguably the most operationally visible of the three pillars because failures manifest as downtime.
Controls supporting availability include redundant systems and failover capabilities, uninterruptible power supplies (UPS) and generators, distributed denial-of-service (DDoS) protection, regular backups with tested recovery procedures, and patch management to prevent outages from exploited vulnerabilities.
Availability violations on the exam are typically denial-of-service attacks, ransomware encrypting critical data, hardware failures without redundancy, and natural disasters affecting data centres without proper business continuity plans.
A key exam distinction: ransomware is primarily an availability attack (it denies access to data) even though it uses encryption. Do not confuse the encryption mechanism with a confidentiality violation; the attacker's goal is to extort payment by denying access. The exception is a scenario that states the attacker also exfiltrated the data before encrypting it, in which case confidentiality is violated as well, but the question will say so explicitly.
Authenticity
Authenticity is the assurance that data, communications, or system resources are genuine and from a verified source. It answers the question: can I trust that this message or file actually came from who I think it did?
Authenticity is threatened by spoofing attacks, man-in-the-middle interceptions, phishing (impersonating a trusted sender), and DNS poisoning (redirecting users to malicious sites that appear legitimate).
Controls supporting authenticity include digital certificates (binding an identity to a cryptographic key), email authentication protocols (SPF, DKIM, DMARC), and multi-factor authentication (confirming that a user is who they claim to be with more than one factor).
On the exam, authenticity questions often present scenarios involving impersonation. If a question describes an attacker sending communications that appear to come from a trusted source, the pillar violated is authenticity — not confidentiality.
Non-Repudiation
Non-repudiation ensures that the sender of a message or the performer of an action cannot later deny having done so. It is the security property that supports legal and forensic accountability.
Non-repudiation is critical in financial transactions, contract signing, and audit trails. Without it, a user could transfer funds and then claim they never initiated the transaction, or an employee could deny accessing a sensitive record despite audit logs showing otherwise.
Controls supporting non-repudiation include digital signatures (a mathematically verifiable proof tied to a private key that only the signer possesses), audit logs with tamper-evident properties, and timestamping services that prove when an action occurred.
The difference between authentication and non-repudiation is a frequent exam trap. Authentication verifies identity at the time of access. Non-repudiation provides after-the-fact proof that the action was taken by a specific party. A password authenticates a user at login but provides no non-repudiation if the password was shared. The same is true of any shared-secret mechanism such as an HMAC: the verifier holds the same key and could have produced the tag, so the sender can plausibly deny it. A digital signature provides both authentication and non-repudiation, because only the signer holds the private key and the verifier never does.
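To make the control-to-pillar mapping from the Integrity and Non-Repudiation sections concrete, the following Go program is an added example (it is not code from the original article or from SkillAssess). It puts three controls side by side over the same constructed transaction record: a plain SHA-256 hash, which detects a bit flip but is recomputed just as easily by an attacker who rewrites the record; an HMAC under a shared key, which an outsider cannot forge but either key holder can, so it gives integrity and authenticity without non-repudiation; and an Ed25519 signature, which only the private-key holder can produce. The record, the shared key and the key pair are all made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample record for the demonstration; not a real transaction.
var record = []byte("txn=10293;from=acct-4411;to=acct-9072;amount=250.00;ccy=GBP")

// Digest returns SHA-256 of data. It detects change but says nothing about
// who made it: anyone who can rewrite the data can rewrite the digest too.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// DigestMatches is the integrity check a backup or transfer job would run.
func DigestMatches(data, digest []byte) bool {
	return bytes.Equal(Digest(data), digest)
}

// Tag returns HMAC-SHA256 over data under a shared secret. An outsider who
// alters data cannot produce a matching tag, so this adds authenticity of
// origin (one of the key holders sent it) on top of integrity.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// TagValid compares in constant time to avoid a timing side channel.
func TagValid(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// NewSigner creates an Ed25519 key pair. Only the private key can sign;
// anyone may hold the public key to verify.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces the non-repudiation evidence: a valid signature can only
// have come from the private-key holder, and the verifier cannot have
// forged it because the verifier never holds that key.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// SignatureValid checks a signature against the claimed signer's public key.
func SignatureValid(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// FlipBit simulates accidental corruption: the low bit of byte i is flipped.
func FlipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := []byte("shared-secret-for-demo") // assumed to be held by sender and receiver
	pub, priv := NewSigner()
	forged := bytes.Replace(record, []byte("amount=250.00"), []byte("amount=2500.00"), 1)

	// 1. Plain hash: catches the bit flip, not the attacker who rehashes.
	d := Digest(record)
	fmt.Println("hash catches bit flip:       ", !DigestMatches(FlipBit(record, 3), d))
	fmt.Println("hash catches rehashed forge: ", !DigestMatches(forged, Digest(forged)))

	// 2. HMAC: outsider cannot forge a tag, but either key holder can.
	t := Tag(key, record)
	fmt.Println("hmac rejects forged record:  ", !TagValid(key, forged, t))
	fmt.Println("receiver can forge a tag:    ", TagValid(key, forged, Tag(key, forged)))

	// 3. Signature: altered data and any other key pair both fail.
	sig := Sign(priv, record)
	otherPub, _ := NewSigner()
	fmt.Println("signature verifies:          ", SignatureValid(pub, record, sig))
	fmt.Println("altered record rejected:     ", !SignatureValid(pub, forged, sig))
	fmt.Println("other key rejected:          ", !SignatureValid(otherPub, record, sig))
}
```

Reading the output top to bottom gives the exam mapping: the hash line that prints false is why a hash alone is an integrity control and nothing more; the "receiver can forge a tag" line printing true is exactly the shared-secret problem that denies an HMAC (or a shared password) any non-repudiation value; and the last three lines are what a digital signature adds.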
The CISSP Mindset: Think Like a Manager, Not a Technician
A critical shift required for the CISSP exam is moving from a technical mindset to a managerial one. The exam does not ask you to configure a firewall or write encryption code — it asks you to make decisions about which controls best address a business risk.
When a question asks which security pillar is MOST compromised in a given scenario, work through the logic:
First, identify what the attacker gained or what failed. Second, map that outcome to the five pillars. Third, eliminate distractors — look for answers that describe technical controls rather than pillar violations.
For example: "A financial institution discovers that transaction logs were altered by an insider after the fact to conceal fraud." The violated pillar is integrity (records were modified) and also non-repudiation (the logs that would have proven who made changes were tampered with). A poorly worded distractor might cite confidentiality, but the data was not disclosed — it was changed.
Common Distractor Traps in Domain 1 Questions
Exam writers deliberately craft distractors that sound reasonable but miss the point. The most common traps in CIA-related questions include:
Confusing encryption with confidentiality. Encryption is a control for confidentiality — it is not the same as confidentiality. If a question tests the pillar, do not answer with the control.
Choosing availability when integrity is the real issue. If data is corrupted, both availability and integrity can be affected. The primary violation is integrity unless the scenario specifically emphasises that the system or data is inaccessible.
Missing non-repudiation in legal scenarios. Any scenario involving contracts, financial transactions, or accountability in court typically implicates non-repudiation. If a question asks about someone denying an action, non-repudiation is being tested.
Assuming DoS is always an availability attack on the target. While the primary impact is availability, a targeted DoS can be a precursor to other attacks (distraction during a data theft). The exam may test whether you understand the full attack context.
Putting It Together: A Scenario Walkthrough
Scenario: A healthcare organisation discovers that a nurse accessed patient records outside her authorised scope and shared them with a journalist. The records were not modified.
Which pillar(s) are violated?
Confidentiality is violated because records were disclosed to an unauthorised party (the journalist). Authenticity is not violated because the nurse did access the records herself — there was no impersonation. Integrity is not violated because records were not modified. Availability is not violated because the system remained accessible. Non-repudiation may be relevant if the nurse later denies the access, but the primary violation is confidentiality.
Correct answer: Confidentiality.
Exam Tip
CISSP questions often ask which pillar is violated in a scenario — learn to identify violations, not just definitions. The exam will describe a situation and ask you to map it to the correct property. Memorising definitions is necessary but not sufficient. Practice identifying violations by reading scenario descriptions and asking yourself: Was data disclosed? Was it modified? Was access denied? Was a false identity involved? Was an action denied after the fact? Each question has one primary pillar even when a second is also affected; train yourself to find it quickly.
Summary
The five pillars of information security — Confidentiality, Integrity, Availability, Authenticity, and Non-Repudiation — form the foundation of CISSP Domain 1. Each maps to specific threats, violations, and controls. The exam tests your ability to identify which pillar is compromised in a scenario, not simply recite definitions. Shift your thinking from memorisation to application: read every scenario as a story about what went wrong, identify the outcome, and match it to the appropriate pillar. This approach will serve you well throughout the full exam, which runs to as many as 150 questions.