Confidentiality is the information security principle ensuring that data is not disclosed to unauthorised individuals, entities, or processes. Its primary implementation requirement is enforcing encryption and granular access controls under Annex A 5.15; the business benefit is protected intellectual property and reduced legal liability from data breaches.
What is Confidentiality?
Confidentiality is the information security principle that ensures information is not made available or disclosed to unauthorised individuals, entities, or processes. It is about protecting the secrecy of data. For information to be confidential, appropriate controls must be in place to prevent unauthorised access or disclosure.
Examples
- Encryption: Encrypting data, both when it’s stored and when it’s being transmitted, ensures that even if an unauthorised party gains access, they can’t read the information.
- Access Control: Limiting who can view certain documents or data sets through the use of permissions and passwords.
- Non-disclosure Agreements (NDAs): A legal contract that protects confidential information by requiring a party to keep it secret.
ISO 27001 Context
Confidentiality is one of the three core pillars of information security, alongside Integrity and Availability. These three principles are collectively known as the CIA Triad and form the fundamental basis of a strong Information Security Management System (ISMS).
ISO 27001 Related Controls
| Related ISO 27001 Control | Relationship Description |
|---|---|
| Glossary: CIA Triad | Core Pillar: Confidentiality is one of the three fundamental principles (alongside Integrity and Availability) that form the basis of the ISO 27001 framework. |
| ISO 27001 Annex A 8.24: Use of Cryptography | Technical Control: Encryption is the primary technical method used to ensure confidentiality by making data unreadable to unauthorised parties during storage and transmission. |
| ISO 27001 Annex A 5.15: Access Control | Operational Rule: Restricts information access to authorised users only, directly preventing the unauthorised disclosure that would break confidentiality. |
| ISO 27001 Annex A 5.12: Classification of Information | Prerequisite: Information must be classified (e.g., “Confidential”) to determine the level of protection and strictness of access required to maintain its secrecy. |
| ISO 27001 Annex A 5.14: Information Transfer | Secrecy in Transit: Ensures that when data is moved between parties, confidentiality is maintained through secure channels and Non-disclosure Agreements (NDAs). |
| Glossary: Breach | Failure State: A confidentiality breach occurs specifically when sensitive information is accessed by or disclosed to unauthorised individuals. |
| Glossary: ISMS | System Objective: The preservation of confidentiality is a core requirement for a compliant Information Security Management System (ISMS). |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Confidentiality is listed as a foundational security concept. |
How to implement Confidentiality
Implementing confidentiality within the ISO 27001 framework is a fundamental objective of the Information Security Management System (ISMS). As a Lead Auditor, I look for technical evidence that sensitive data is protected throughout its entire lifecycle. Following this 10-step roadmap ensures your organisation maintains strict data privacy, resulting in a hardened security posture that satisfies both regulatory requirements and stakeholder trust.
1. Provision an Information Asset Register
- Provision a comprehensive inventory of all data assets: Identify and categorise 100 per cent of your information, resulting in a technical baseline for applying granular confidentiality controls.
2. Formalise Data Classification Standards
- Formalise a tiered classification scheme: Define labels such as Public, Internal, and Confidential, resulting in a clear metadata framework that dictates how specific data must be handled and stored.
3. Document the Rules of Engagement (ROE)
- Document the Rules of Engagement for data handling: Establish strict protocols for data access, transmission, and storage, resulting in authorised technical conduct that prevents accidental disclosure.
4. Provision Identity and Access Management (IAM) Roles
- Provision granular IAM roles based on the principle of least privilege: Map user permissions directly to business requirements, resulting in the technical prevention of unauthorised access to sensitive information.
5. Enforce Multi-Factor Authentication (MFA)
- Enforce MFA for 100 per cent of remote and privileged access: Mandate strong authentication at every system boundary, resulting in a robust technical barrier against credential-based confidentiality breaches.
6. Provision Technical Encryption Controls
- Provision AES-256 encryption for data at rest and TLS 1.3 for data in transit: Encrypt all sensitive data volumes and communication channels, resulting in data that remains unreadable even if physical or network security is bypassed.
7. Formalise Non-Disclosure Agreements (NDAs)
- Formalise legal confidentiality obligations with all third parties: Mandate the signing of NDAs for every external supplier and employee, resulting in an enforceable legal layer that supports your technical security controls.
8. Audit Access Logs and Permissions
- Audit system access logs and active user permissions quarterly: Reconcile current access rights against the Information Asset Register, resulting in the rapid identification of permission bloat or configuration drift.
9. Revoke Legacy Access for Leavers
- Revoke system access immediately upon staff termination or role change: Automate the offboarding process within the IAM platform, resulting in the elimination of “orphan accounts” that pose a significant confidentiality risk.
10. Audit the ISMS for Continuous Improvement
- Audit the effectiveness of confidentiality controls via internal assessments: Execute regular penetration tests and gap analyses, resulting in a documented corrective action plan that satisfies ISO 27001 Clause 10 requirements.
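Steps 8 and 9 above amount to a reconciliation: what the IAM platform grants today is compared against the Information Asset Register and the current staff list, and every mismatch is a finding. The script below is an added example, not part of the original page; the register layout, the HR feed, the user and asset names and the finding labels are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One live IAM grant: which user holds which access level on which asset."""
    user: str
    asset: str
    level: str  # "read" or "write"

# Constructed Information Asset Register: classification plus the users the
# business has authorised per access level ("*" marks world-readable assets).
ASSET_REGISTER = {
    "payroll-db": {"class": "Confidential", "read": {"alice", "bob"}, "write": {"alice"}},
    "wiki":       {"class": "Internal", "read": {"alice", "bob", "carol"}, "write": {"carol"}},
    "press-kit":  {"class": "Public", "read": {"*"}, "write": {"carol"}},
}

# Constructed HR feed of current staff; anyone else holding a grant is a leaver.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed dump of what the IAM platform actually grants today.
LIVE_GRANTS = [
    Grant("alice", "payroll-db", "write"),
    Grant("bob", "payroll-db", "write"),    # bloat: bob is only authorised to read
    Grant("dave", "payroll-db", "read"),    # orphan: dave is no longer active staff
    Grant("carol", "wiki", "write"),
    Grant("erin", "press-kit", "read"),     # fine: Public assets are world-readable
    Grant("bob", "unknown-app", "read"),    # drift: asset missing from the register
]

def reconcile(register, active_staff, grants):
    """Return (finding, user, asset) tuples, Confidential assets first."""
    findings = []
    for g in grants:
        entry = register.get(g.asset)
        if entry is None:
            findings.append(("unregistered_asset", g.user, g.asset))
            continue
        allowed = entry[g.level]
        if "*" in allowed:
            continue  # world-readable by design: no secrecy requirement to enforce
        if g.user not in active_staff:
            findings.append(("orphan_account", g.user, g.asset))
        elif g.user not in allowed:
            findings.append(("permission_bloat", g.user, g.asset))
    # Sort is stable, so findings on Confidential assets float to the top in order
    findings.sort(key=lambda f: register.get(f[2], {}).get("class") != "Confidential")
    return findings
```

Run quarterly against a fresh IAM export and HR feed, the returned list is the evidence an auditor asks for: each tuple names a grant to revoke or a register entry to correct.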
Confidentiality FAQ
What is confidentiality in the context of ISO 27001?
Confidentiality is the property that information is not made available or disclosed to unauthorised individuals, entities, or processes. As a core pillar of the CIA triad, ISO 27001 requires 100% of sensitive assets to be protected via technical and organisational controls to prevent data breaches and unauthorised exposure.
What are the primary technical controls for maintaining confidentiality?
Achieving data confidentiality requires a multi-layered technical approach to ensure that only authorised users can access specific information sets:
- Encryption at Rest and Transit: Using AES-256 or TLS 1.3 to render data unreadable to unauthorised parties.
- Access Control Lists (ACLs): Provisioning permissions based on the Principle of Least Privilege.
- Multi-Factor Authentication (MFA): Enforcing 100% strong authentication for remote and privileged access.
- Data Masking: Obfuscating PII in non-production environments to reduce risk.
What is the business impact of a confidentiality breach?
A breach of confidentiality often results in significant financial and reputational damage. Statistics indicate that the average cost of a data breach in 2024 exceeded £3.4 million globally. Furthermore, 60% of small businesses close within six months of a major confidentiality failure due to lost customer trust and statutory fines under UK GDPR.
How does a Lead Auditor verify confidentiality compliance?
Auditors verify confidentiality by sampling 100% of your access logs, encryption policies, and non-disclosure agreements (NDAs). They look for technical evidence that access is revoked immediately for leavers and that granular IAM roles are enforced. Data shows that organisations with automated access reviews are 50% more likely to pass a Stage 2 audit without minor non-conformities.
What is the difference between confidentiality and privacy?
Confidentiality is a technical security component focused on protecting data from unauthorised access, whereas privacy is a legal concept concerning the rights of individuals to control their personal information. While they overlap, confidentiality is the mechanism used to satisfy approximately 75% of the security requirements within privacy regulations like UK GDPR.