Elementary Threat · BSI IT-Grundschutz

G 0.22 — Manipulation of Information

Reviewed by: Cenedril Editorial

An employee in accounting changes a few numbers in the monthly balance sheet, out of personal frustration following a promotion decision she felt was unfair. The changes are small enough to pass routine checks. In the annual accounts, the deviations add up to a distorted business result that influences the share price and investor decisions.

Manipulation of information is the targeted falsification of data — whether digital or on paper. The BSI lists this threat as G 0.22.

What’s behind it?

Integrity means: data is complete, correct and unaltered. G 0.22 describes the threat that an attacker (or an insider) violates this integrity through targeted changes. The manipulation can be applied at any point in data processing — on capture, during transmission, in storage or on retrieval.

Forms of manipulation

  • Input manipulation — deliberately false data is entered into a system. Particularly critical in systems without plausibility checks or a four-eyes principle.
  • Database manipulation — direct modification of field content in the database, bypassing the application layer. Requires database access, which can be obtained via compromised credentials or SQL injection.
  • Document manipulation — alteration of contracts, invoices, certificates or reports — digital or on paper.
  • Manipulation in transit — man-in-the-middle attacks alter data during transmission. Without integrity protection on the channel (e.g. TLS) or on the message itself (a message authentication code or digital signature), the recipient has no way to notice the change.
  • Archive manipulation — archived documents are altered. Since archive data is often only reviewed years later, the manipulation can remain undetected for an extremely long time.

Impact

Manipulated data can directly disrupt business processes: false stock levels lead to production outages, manipulated financial data to wrong decisions, forged configurations to system failures. Particularly serious: when the manipulation remains undetected, every downstream decision is made on the basis of false information, so the damage propagates far beyond the altered record itself.

Practical examples

SQL injection against a web application. An attacker discovers an SQL injection vulnerability in an online shop. Through manipulated input fields they alter product prices in the database — initially only minimally to avoid attention. In the next wave of orders, goods sell at a fraction of their price. The damage only becomes obvious when matched against the accounting figures.
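The price manipulation described above, worked through as an added example (this is not code from the original page or from any real shop; the schema, the `cart_items` and `price_audit` tables and the quantity field are assumptions). The vulnerable handler interpolates the user's quantity into an UPDATE, so a crafted quantity appends a second assignment that rewrites the price, bypassing every check in the application layer. The hardened handler binds parameters and validates the type and range. A trigger records every price change to an audit table, which is the detection hook the page's logging controls ask for: the manipulation still happens in the vulnerable case, but it leaves a trace that reconciliation can find.

```python
import sqlite3


def make_shop_db():
    """Constructed in-memory shop database (example data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cart_items (
            id INTEGER PRIMARY KEY, sku TEXT, qty INTEGER, unit_price REAL);
        CREATE TABLE price_audit (
            id INTEGER PRIMARY KEY, item_id INTEGER, old_price REAL, new_price REAL,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
        -- Detection hook: every change to unit_price is logged, no matter
        -- which code path (or injected statement) performed it.
        CREATE TRIGGER log_price_change AFTER UPDATE OF unit_price ON cart_items
        BEGIN
            INSERT INTO price_audit (item_id, old_price, new_price)
            VALUES (NEW.id, OLD.unit_price, NEW.unit_price);
        END;
        INSERT INTO cart_items (id, sku, qty, unit_price)
        VALUES (7, 'LAPTOP-15', 1, 1299.00);
    """)
    return conn


def update_qty_vulnerable(conn, item_id, qty):
    # User input is formatted straight into the statement: the "quantity"
    # can carry an extra SET assignment and rewrite the price.
    conn.execute(f"UPDATE cart_items SET qty = {qty} WHERE id = {item_id}")
    conn.commit()


def update_qty_hardened(conn, item_id, qty):
    qty = int(qty)              # type check: anything that is not a whole number is rejected
    if not 1 <= qty <= 99:      # plausibility check on the business value
        raise ValueError("quantity out of range")
    # Parameter binding: the value can never be parsed as SQL.
    conn.execute("UPDATE cart_items SET qty = ? WHERE id = ?", (qty, int(item_id)))
    conn.commit()


def price_of(conn, item_id):
    return conn.execute(
        "SELECT unit_price FROM cart_items WHERE id = ?", (item_id,)).fetchone()[0]


def audit_rows(conn):
    return conn.execute(
        "SELECT item_id, old_price, new_price FROM price_audit").fetchall()


def demo():
    """Run the same attacker payload against both handlers."""
    payload = "1, unit_price = 0.01"     # constructed attacker input for the quantity field

    conn = make_shop_db()
    update_qty_vulnerable(conn, 7, payload)
    manipulated_price = price_of(conn, 7)  # 0.01: the price was rewritten
    audit = audit_rows(conn)               # [(7, 1299.0, 0.01)]: but the trigger recorded it

    conn2 = make_shop_db()
    try:
        update_qty_hardened(conn2, 7, payload)
        blocked = False
    except ValueError:
        blocked = True                     # int("1, unit_price = 0.01") fails
    return manipulated_price, audit, blocked, price_of(conn2, 7)


if __name__ == "__main__":
    print(demo())
```

The audit trigger is deliberately placed in the database rather than in the application: a manipulation that bypasses the application layer also bypasses application-side logging, whereas the trigger fires for any UPDATE of the column. Reconciling `price_audit` against the price list from the product master system is the kind of comparison with an independent source that surfaces the "small enough not to be noticed" changes.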

Manipulated payslip. An employee in the HR department alters their own payslip data in the HR system — they raise the variable compensation component by a small amount. Since no automated plausibility check runs between the contract and the payslip, the manipulation goes undetected for over a year.

Forged supplier data in order processing. An attacker compromises a supplier’s email account and sends a notice about an alleged change of bank details. The change is taken into the creditor database. All subsequent payments to that supplier flow to the attacker’s account.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 52 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.22 to numerous modules, including:

  • APP.3.6 (DNS servers) — protection against manipulations of DNS records (DNS spoofing, cache poisoning).
  • OPS.1.1.5 (Logging) — requirements for the recording of data changes.
  • CON.1 (Crypto concept) — cryptographic integrity protection through signatures and message authentication codes.
  • DER.2.3 (Remediation of far-reaching security incidents) — processing and data recovery after detected manipulation.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.3 Segregation of duties
  • A.5.5 Contact with authorities
  • A.5.7 Threat intelligence
  • A.5.10 Acceptable use of information and other associated assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.19 Information security in supplier relationships
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.37 Documented operating procedures
  • A.6.2 Terms and conditions of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.6.8 Information security event reporting
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.13 Equipment maintenance
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.6 Capacity management
  • A.8.7 Protection against malware
  • A.8.9 Configuration management
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

What's the difference between G 0.21 (manipulation of hardware/software) and G 0.22 (manipulation of information)?

G 0.21 concerns interventions in the systems themselves — hardware, software or firmware. G 0.22 concerns alteration of the data these systems process: database content, documents, emails, configuration files. In practice both threats often overlap because manipulated software can also falsify data.

How do I detect that data has been manipulated?

Technically: integrity checks (checksums, signatures), logging of all data changes and comparison with backups. Organisationally: the four-eyes principle for critical changes, regular plausibility checks and comparison with independent data sources.
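The "integrity checks (checksums, signatures)" answer above, and the archive and in-transit manipulation cases in the forms list, share one mechanism: a keyed tag computed over the data when it is trusted and re-checked later. The following is an added example, not code from the page or from the BSI; the invoice archive, the record ids and the key are constructed for illustration. A manifest of HMAC-SHA256 tags is built when records enter the archive and kept separately (the key must not live next to the archive, otherwise whoever can edit records can also re-tag them). Years later, a silent edit to the bank details of one invoice is detected by recomputing the tags. The same `seal`/`verify` pair works for a message in transit: the sender tags, the recipient verifies before acting on the content.

```python
import hashlib
import hmac
import json

# Constructed example archive of invoice records (not real companies or accounts).
ARCHIVE = {
    "INV-2023-0417": {"supplier": "Muster GmbH", "iban": "DE89370400440532013000", "amount": 4800.00},
    "INV-2023-0418": {"supplier": "Beispiel AG", "iban": "DE02120300000000202051", "amount": 1250.50},
}


def canonical(record):
    """Stable byte encoding: key order and whitespace must not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def seal(record_id, record, key):
    # The id is bound into the message so that the content and tag of one
    # record cannot be copied over another record that has a valid tag.
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(archive, key):
    """Tag every record at archiving time; store the result apart from the archive."""
    return {rid: seal(rid, rec, key) for rid, rec in archive.items()}


def verify_archive(archive, manifest, key):
    """Return (tampered_ids, missing_ids) for the archive as it is now."""
    tampered = []
    for rid, rec in archive.items():
        expected = manifest.get(rid)
        # compare_digest avoids leaking where the mismatch starts via timing.
        if expected is None or not hmac.compare_digest(seal(rid, rec, key), expected):
            tampered.append(rid)
    missing = [rid for rid in manifest if rid not in archive]
    return tampered, missing


def demo():
    key = b"archive-integrity-key-kept-outside-the-archive"  # assumption: held in an HSM or separate vault
    manifest = build_manifest(ARCHIVE, key)
    clean = verify_archive(ARCHIVE, manifest, key)   # ([], []): nothing changed yet

    # Later, someone with write access to the archive rewrites one invoice's
    # bank details (the supplier-data scenario above, applied retroactively).
    edited = json.loads(json.dumps(ARCHIVE))
    edited["INV-2023-0417"]["iban"] = "DE75512108001245126199"
    found = verify_archive(edited, manifest, key)    # (["INV-2023-0417"], [])
    return clean, found


if __name__ == "__main__":
    print(demo())
```

An HMAC needs a shared key, so it proves only that nobody without the key altered the data; it cannot show a third party which of two key holders produced a record. Where that matters (contracts, certificates, documents exchanged between organisations), the same manifest structure is used with a digital signature over `canonical(record)` instead of an HMAC, which is the signature case the page's CON.1 and A.8.24 references cover.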

Why is manipulation of information so hard to detect?

Data can be manipulated at any point in the processing chain — on input, during transmission, in the database, on the storage medium or on the printout. Because manipulated data often looks plausible, changes are noticed late or not at all.