Integrity is the fundamental property of ensuring information accuracy and completeness throughout its lifecycle. The cryptographic verification and access controls represent the primary implementation requirement, delivering the critical operational trust and decision-making accuracy that businesses rely on to mitigate fraud and prevent accidental data corruption.
What is Integrity?
Integrity is the property of safeguarding the accuracy and completeness of information and assets. It means that information has not been altered, corrupted, or destroyed in an unauthorised manner. Maintaining integrity ensures that information is trustworthy and reliable.
Examples of Threats to Integrity
- Malicious Attacks: A hacker altering financial records to commit fraud.
- System Errors: A software bug corrupting data during a file transfer.
- Unintentional Actions: An employee accidentally deleting an important document.
ISO 27001 Context
Integrity is one of the three core principles of information security, often referred to as the CIA Triad (Confidentiality, Integrity, and Availability). Protecting integrity is a key focus of ISO 27001, as an organisation cannot make sound decisions if its information is not accurate.
How to implement Integrity
1. Classify Information Assets for Integrity Requirements
Provision a comprehensive Asset Register to identify which data sets require high levels of integrity protection. By categorising assets based on their impact if modified, you ensure resources are allocated to the most critical business data. Technical requirements include:
- Mapping data flows to identify where integrity could be compromised in transit.
- Assigning clear asset owners responsible for data accuracy.
- Defining the “Impact Level” for unauthorised data changes within your risk assessment.
2. Formalise Access Control Policies
Formalise a robust Access Control Policy to establish the rules for who can view or modify specific information. This prevents accidental or malicious tampering by ensuring only authorised personnel have “Write” or “Modify” permissions. Key requirements include:
- Documenting the Principle of Least Privilege (PoLP) for all user roles.
- Establishing clear request and approval workflows for permission changes.
- Setting specific IAM (Identity and Access Management) roles for sensitive database access.
3. Implement Multi-Factor Authentication (MFA)
Enforce Multi-Factor Authentication across all systems that house sensitive information to verify the identity of those attempting to modify data. This reduces the risk of integrity breaches resulting from stolen credentials. Technical requirements include:
- Mandating MFA for all administrative and privileged user accounts.
- Using FIDO2 or biometric-based authentication for high-risk assets.
- Configuring conditional access policies to block logins from untrusted locations.
4. Deploy Cryptographic Hashing for Verification
Deploy cryptographic hashing algorithms, such as SHA-256, to create digital fingerprints of your files and databases. This allows the organisation to verify that data has remained 100% accurate and has not been altered during storage or transmission. Technical requirements include:
- Generating hash values for critical system configuration files.
- Automating periodic integrity checks to compare current hashes against known baselines.
- Utilising file integrity monitoring (FIM) tools for real-time alerting.
5. Configure Version Control and Audit Trails
Configure version control systems for all critical documentation and source code to ensure that every change is traceable to a specific user and timestamp. This provides a clear “Audit Trail” that allows for the restoration of previous, accurate states if corruption occurs. Technical requirements include:
- Enabling “Read-Only” logs that cannot be deleted by standard users.
- Mandating commit messages that link changes to specific authorised tasks.
- Configuring non-repudiation controls to prove who performed a specific data modification.
6. Establish Change Management Protocols
Establish a formal Change Management process to ensure that modifications to systems or data structures are planned, tested, and approved. This prevents unauthorised or “ad hoc” changes that could compromise data integrity. Requirements include:
- Utilising Request for Change (RFC) documents for all production environment updates.
- Conducting “User Acceptance Testing” (UAT) in a segregated staging environment.
- Maintaining a rollback plan for every significant system modification.
7. Automate Data Validation Checks
Automate data entry and processing validation rules to detect and prevent the ingestion of corrupted or inaccurate information. This ensures that integrity is maintained at the point of entry. Technical requirements include:
- Implementing checksums for data packets moving between internal systems.
- Configuring database constraints to prevent null values or incorrect data types.
- Using “Input Validation” to protect against SQL injection attacks that could alter data.
8. Secure Physical Access to Infrastructure
Restrict physical access to servers, data centres, and backup media to prevent unauthorised physical tampering with hardware. If the physical storage is compromised, the integrity of the data stored within it cannot be guaranteed. Requirements include:
- Provisioning secure server racks with biometric or keycard access.
- Maintaining visitor logs and ensuring unescorted access is prohibited.
- Utilising CCTV to monitor physical entry points to sensitive areas.
9. Schedule Regular Off-site Backups
Schedule automated, encrypted backups to ensure that an accurate copy of your information is always available for restoration. Backups are the ultimate “safety net” for integrity, allowing you to recover from ransomware or database corruption. Requirements include:
- Implementing the 3-2-1 backup rule: three copies, two different media, one off-site.
- Testing backup restoration monthly to verify data completeness and accuracy.
- Protecting backup sets with “Immutable” storage settings to prevent tampering.
10. Conduct Regular Integrity Audits
Audit your integrity controls and system logs regularly to ensure that policies are being followed and that no unauthorised changes have slipped through. This provides the “Check” phase of the ISO 27001 PDCA cycle. Requirements include:
- Reviewing administrative activity logs for unapproved data modifications.
- Performing internal audits against Annex A 8.3 (Information Access Restriction).
- Reporting all integrity-related security incidents to senior management for review.
Integrity FAQ
What is data integrity in ISO 27001?
Data integrity is the property of maintaining the accuracy and completeness of information throughout its entire lifecycle. In an ISO 27001 Information Security Management System (ISMS), integrity ensures that 100% of data remains unaltered by unauthorised parties, preventing the estimated $4.45 million average cost associated with data manipulation breaches.
How do you maintain data integrity?
You maintain data integrity through a combination of technical safeguards and administrative controls designed to prevent unauthorised modifications. Effective strategies to ensure 100% accuracy include:
- Cryptographic Hashing: Using algorithms like SHA-256 to verify that data packets are 100% identical to the original source.
- Digital Signatures: Implementing public-key infrastructure to provide 0% non-repudiation for sensitive communications.
- Strict Access Controls: Restricting write-access to authorised users only via the Principle of Least Privilege.
- Regular Backups: Ensuring data can be restored to a 100% accurate state in the event of accidental corruption.
Why is integrity critical for ISO 27001 compliance?
Integrity is one of the three fundamental pillars of the CIA triad (Confidentiality, Integrity, and Availability) that forms the basis of ISO 27001. Failure to protect integrity leads to a 100% loss of confidence in system outputs, potentially resulting in legal non-compliance with international regulations such as the EU AI Act or GDPR.
What are examples of information integrity failures?
Information integrity failures occur when data is modified without authorisation, such as the manipulation of financial records, the accidental deletion of critical system configuration files, or malicious “man-in-the-middle” attacks altering data during transit. Statistical research indicates that approximately 20% of security incidents involve some form of system or data interference.
Related ISO 27001 Controls
| Related ISO 27001 Control | Relationship Description |
|---|---|
| Glossary: CIA Triad | Core Pillar: Integrity is one of the three foundational principles (alongside Confidentiality and Availability) that define information security within the ISO 27001 framework. |
| ISO 27001 Annex A 8.13: Information Backup | Restoration of Trust: Backups are essential for restoring the integrity of information if data is accidentally deleted, corrupted by system errors, or altered by malicious attacks. |
| ISO 27001 Annex A 5.15: Access Control | Prevention of Alteration: Limits who can modify or delete data, directly protecting information from unauthorized changes that would compromise its integrity. |
| ISO 27001 Annex A 8.24: Use of Cryptography | Technical Verification: Digital signatures and hashing (cryptographic tools) are used to detect unauthorized modifications and verify that information has remained complete and accurate. |
| ISO 27001 Annex A 8.32: Change Management | Process Integrity: Ensures that changes to systems and software are controlled and tested, preventing unintentional corruption of data during implementation. |
| Glossary: Confidentiality | Related Pillar: While integrity focuses on accuracy and completeness, confidentiality focuses on preventing unauthorized disclosure; both are required for a secure system. |
| Glossary: Availability | Related Pillar: If information is corrupted (loss of integrity), it may become unusable, thereby also impacting its availability to authorized users. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Integrity is listed as a core concept essential for trustworthy and reliable information management. |
The Tools We Use.
100% Audit Success. Zero AI Guesswork.
About the author
