Integrity is defined by ISO/IEC 27001:2022 as "the property of accuracy and completeness" of information (see ISO/IEC 27000:2018, 3.8 as referenced in ISO/IEC 27001:2022, Section 3 Terms and definitions). Ensuring integrity involves not only protecting information from unauthorized alteration but also validating and verifying its correctness on an ongoing basis.
According to ISO/IEC 27001:2022, organizations should implement controls to "safeguard the accuracy and completeness of information and processing methods" (Annex A). One of the essential practices in maintaining information integrity is "checking information regularly." Regular checks, reviews, or validations of information are crucial for detecting unauthorized or unintentional modifications and ensuring that information remains accurate and reliable over time.
Backup procedures (Option A) are important for availability and recovery purposes, while access policies (Option B) primarily address confidentiality and access control. Only Option C—conducting regular checks—directly addresses the requirement for ensuring integrity.
This is explicitly supported by ISO/IEC 27002:2022, Section 5.12 "Classification of information," and general guidance on control management, which states:
"The organization should establish processes for validating and reviewing information and for ensuring its ongoing accuracy and completeness. Controls should be implemented to detect and respond to unauthorized changes, as well as to regularly check the integrity of records, data, and critical information assets."
(ISO/IEC 27002:2022, 5.12, 0.2, and related controls)
Additionally, ISO/IEC 27001:2022 Clause 6.1.2 requires organizations to analyze risks associated with loss of integrity and implement relevant controls.
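The "regular checks" the explanation above calls for are usually realized as an integrity baseline that is verified on a schedule. The following is an added example, not text or code from the original page or from the ISO standards: it keeps a keyed-hash (HMAC-SHA256) baseline of a constructed set of records, then re-checks them and reports anything modified, missing, or unbaselined. The record names, their contents and the checker's key are all constructed for the demonstration. The key is held by the checker rather than stored next to the data, so someone who can edit a record cannot also quietly recompute its baseline entry, which is the caveat an unkeyed hash list kept alongside the data would miss.

```python
import hashlib
import hmac

# Constructed sample "critical information assets" (not real data).
SAMPLE_RECORDS = {
    "hr/payroll-2024-q1.csv": b"employee_id,amount\n1001,5200.00\n1002,4875.50\n",
    "finance/ledger.json": b'{"entries": [{"id": 1, "amount": 250.0}]}',
    "policies/access-policy.txt": b"Access is granted on a need-to-know basis.\n",
}

# Constructed demo key: in practice this lives with the integrity checker,
# never in the same store as the records it protects.
DEMO_KEY = b"constructed-demo-key-keep-out-of-the-data-store"


def record_digest(content: bytes, key: bytes) -> str:
    """HMAC-SHA256 of one record's content, keyed so that a party with write
    access to the records cannot recompute a matching baseline entry."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def build_baseline(records: dict, key: bytes) -> dict:
    """Snapshot every record's keyed digest; this is what later checks compare against."""
    return {name: record_digest(content, key) for name, content in records.items()}


def check_integrity(records: dict, baseline: dict, key: bytes) -> dict:
    """Compare the current records with the baseline and classify each asset as
    verified, modified, missing (baselined but gone) or unexpected (present but
    never baselined)."""
    report = {"verified": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in baseline.items():
        if name not in records:
            report["missing"].append(name)
            continue
        actual = record_digest(records[name], key)
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(actual, expected):
            report["verified"].append(name)
        else:
            report["modified"].append(name)
    for name in records:
        if name not in baseline:
            report["unexpected"].append(name)
    return report


def is_clean(report: dict) -> bool:
    """True only when nothing was modified, removed or added since the baseline."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Baseline the sample records, then simulate an unreviewed change set:
    one payroll figure altered, one policy file removed, one stray file added."""
    baseline = build_baseline(SAMPLE_RECORDS, DEMO_KEY)
    current = dict(SAMPLE_RECORDS)
    current["hr/payroll-2024-q1.csv"] = b"employee_id,amount\n1001,9200.00\n1002,4875.50\n"
    del current["policies/access-policy.txt"]
    current["tmp/scratch.txt"] = b"left behind by an untracked process\n"
    return check_integrity(current, baseline, DEMO_KEY)


if __name__ == "__main__":
    result = demo()
    for category, names in result.items():
        print(f"{category:10s}: {names}")
    print("clean" if is_clean(result) else "INTEGRITY DEVIATION: review required")
```

Running the check on a schedule and routing any non-empty "modified", "missing" or "unexpected" list into the incident process is what turns the control from a one-off hash into the ongoing validation the explanation describes; the baseline itself must be re-established only through an authorized change, never by whoever edited the data.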
References:
ISO/IEC 27001:2022, Clause 6.1.2 (Risk assessment, integrity requirements)
ISO/IEC 27002:2022, 5.12 "Classification of information" and general introduction 0.2
ISO/IEC 27000:2018, 3.8 "integrity" definition (as referenced in ISO/IEC 27001:2022, Section 3)

Confidentiality, as defined in ISO/IEC 27001:2022 (referencing ISO/IEC 27000:2018, 3.6), means ensuring that information is accessible only to those authorized to have access.

Multi-factor authentication (MFA) is a technical control that adds additional layers of verification before granting access to information systems. It directly protects the confidentiality of information by ensuring that only authorized users can access sensitive data or systems.

According to ISO/IEC 27001:2022 Annex A, specifically A.5.15 (Access control) and A.5.17 (Authentication information), organizations must implement controls that verify user identities and manage access to information and systems, which explicitly includes multi-factor authentication as a method for enhancing the protection of confidentiality:

"Authentication information shall be managed, including selecting strong authentication techniques and requiring multiple factors of authentication where appropriate, to ensure only authorized users can access information and systems."
— ISO/IEC 27002:2022, 5.17

While incident investigation processes (A) are essential for security event management and learning, and version control (B) is used primarily for integrity and change management, multi-factor authentication (C) is the measure that directly supports confidentiality. Regular checks (D) support integrity.

References:
ISO/IEC 27001:2022, Annex A, A.5.15 & A.5.17
ISO/IEC 27000:2018, 3.6 (definition of confidentiality)
ISO/IEC 27002:2022, 5.17 (Authentication information)