
Information Classification for ISO27001

In order to protect your information appropriately, you first need to appreciate its value. As part of an ISO 27001-compliant information security management system (ISMS), it is necessary to classify all of the organisation’s information assets.

This page details the information classification process.

On this page

  • ISO 27001 controls
  • The information asset register
  • Structuring information classification
  • Implementing information classification
  • Conclusion
  • ISO 27001 implementation resources

ISO 27001 controls

The controls in Annex A of ISO 27001 describe best practices that can be used to mitigate information security risks. Although there is no requirement to use the Annex A controls, any other controls that are used should be compared with Annex A.

Annex A control objective A.8.2 states that information should receive “an appropriate level of protection in accordance with its importance to the organization.” This is achieved by “classification”, “labelling”, and “handling”.

The information asset register

An information classification scheme establishes a standardised set of descriptions that can be applied to all information assets.

The terms your organisation uses are entirely a matter of preference and are open to customisation, but may be as simple as a numbering system, or descriptive labels like ‘Confidential’, ‘Restricted’ and so on. Whatever scheme you use, it should be appropriate to your needs.

However you choose to describe your information assets, your organisation should have a complete and comprehensive information asset register that records the existence of assets and allows you to assess their value at a glance.

Structuring information classification

Ideally, an information classification scheme should limit the number of possible classifications and, in turn, limit the number of processes you need to maintain. For many organisations, there need not be more than three or four.

A simple example of classification levels might look something like this:

  • Unclassified: The information is not particularly valuable, nor is the organisation required to protect it. It can be accessed by anyone for any purpose, including release to the public or clients. It may include press releases, job vacancies, and so on.

  • Internal only: The information has value internally, and may have some value to competitors. It may be distributed freely to anyone within the organisation. It may include internal memos, employment data, contract information, and so on.

  • Confidential: The information has significant value and there may be legal requirements for its protection. Access is limited to designated roles or tiers within the organisation. It may include intellectual property, customer payment details, long-term strategic planning, and so on.

Each of these classification levels can then inform other controls to ensure that the information is appropriately protected from unauthorised access, modification, distribution and destruction.

Implementing information classification

There are several critical factors in implementing an effective information classification scheme: labelling, access controls and staff awareness.

  • Labels are used to identify the value of the data and to display its classification. The way labelling is handled is, once again, up to the organisation, but should be relevant to the way the information is used. For instance, hardcopies of files, removable media, and so on should have a physical label; digital content should include the label in the filename, document itself and metadata.

  • Access controls can draw from the labelling, metadata or file structure to permit or deny access to information based on the user’s access rights. For hardcopies, this could involve filing information in specific cabinets, which can be locked or stored off-site to control access. Digital content can employ network controls to ensure that users only have access to the information they are entitled to.

  • Staff awareness is essential for any classification scheme to be effective, as is making sure that it is simple enough to navigate – there should not be too many classifications, the rules for handling information should be clear, and staff should be able to reliably classify any new or unlabelled information. All staff should be appropriately trained in the classification and handling of information.
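The three factors above (a label carried in the filename or metadata, an access decision drawn from that label and the user's role tier, and a rule for unlabelled information) can be tied together in a few lines. The following is an added example, not code from this page or from IT Governance: it uses the page's three-level scheme, but the bracketed label syntax, the role names and tiers, the "fail closed" treatment of unlabelled files and the rule that only Unclassified material may be released externally are this example's own assumptions.

```python
"""Classification-aware access check (added example, not the page's own code).

Levels follow the page's example scheme. Label syntax, role tiers and the
fail-closed default for unlabelled information are assumptions made here.
"""
import re
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Higher number = more sensitive, so levels can be compared directly."""
    UNCLASSIFIED = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# Assumed label convention: a bracketed tag in the filename, e.g. "plan[CONFIDENTIAL].docx"
LABEL_RE = re.compile(r"\[(UNCLASSIFIED|INTERNAL|CONFIDENTIAL)\]", re.IGNORECASE)

# Assumed role tiers: the highest level each role may read.
CLEARANCE = {
    "public": Level.UNCLASSIFIED,
    "employee": Level.INTERNAL,
    "finance": Level.CONFIDENTIAL,
    "executive": Level.CONFIDENTIAL,
}


def classify(filename: str, metadata: Optional[dict] = None) -> Level:
    """Derive the level from document metadata first, then from the filename label.

    Information with no recognisable label is treated as CONFIDENTIAL until
    someone classifies it (fail closed); that default is an assumption here.
    """
    if metadata and isinstance(metadata.get("classification"), str):
        try:
            return Level[metadata["classification"].upper()]
        except KeyError:
            pass  # unknown label value: fall through to the filename, then the default
    match = LABEL_RE.search(filename)
    if match:
        return Level[match.group(1).upper()]
    return Level.CONFIDENTIAL


def may_read(role: str, level: Level) -> bool:
    """A role may read information at or below its clearance; unknown roles get nothing."""
    clearance = CLEARANCE.get(role)
    return clearance is not None and clearance >= level


def may_release_externally(level: Level) -> bool:
    """Only Unclassified material may leave the organisation (assumed rule)."""
    return level == Level.UNCLASSIFIED


def decide(role: str, filename: str, metadata: Optional[dict] = None,
           external: bool = False) -> dict:
    """Combine classification and role tier into a single allow/deny record."""
    level = classify(filename, metadata)
    allowed = may_read(role, level) and (not external or may_release_externally(level))
    return {"file": filename, "level": level.name, "role": role,
            "external": external, "allowed": allowed}


# Constructed sample register entries (not real files).
SAMPLE_REGISTER = [
    ("press_release_2024[UNCLASSIFIED].pdf", None),
    ("internal_memo[INTERNAL].docx", None),
    ("customer_payments.xlsx", {"classification": "Confidential"}),
    ("untitled_export.csv", None),  # no label anywhere: falls back to CONFIDENTIAL
]

if __name__ == "__main__":
    for fname, meta in SAMPLE_REGISTER:
        for role in ("public", "employee", "finance"):
            print(decide(role, fname, meta))
```

Running the block prints one decision per file and role; the unlabelled `untitled_export.csv` is readable only by roles cleared for Confidential, which is the point of defaulting closed: an unlabelled file is a classification task for staff, not a gap in the access control.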

Conclusion

While not in itself a complete information security system, information classification is one of the more potent tools that organisations should consider from the outset, and build into the foundation of their layered security approach.

By identifying the value of the data they create and share, organisations can make informed decisions on how to protect more valuable or sensitive data. Unlike many other information security solutions, information classification spreads itself across people, processes and technologies, providing it with a degree of natural redundancy and reliability. Even if your organisation is not pursuing certification against ISO 27001, instituting an information classification scheme is often seen as best practice and a project that can be completed without a prohibitive investment of time or resources.

ISO 27001 implementation resources

All organisations will benefit from IT Governance’s fixed-price ISO 27001 Packaged Solutions, which provide a series of implementation resources at transparent prices to suit all budgets and levels of expertise. Whatever your constraints or your preferred project approach, we have a solution to help you protect your organisation from cyber threats.
