With the release of ISO/IEC 27001:2013, I was interested to find out whether information classification was still a control within Annex A (though it is important to note that you can develop your own controls or use a control framework other than Annex A). Scrolling through this highly anticipated document shortly after its release, I found that the controls concerning information classification are still there.
The objective of control A8.2 is more or less the same as A7.2 in the 2005 edition of ISO/IEC 27001. It states:
‘To ensure that information receives an appropriate level of protection in accordance with its importance to the organization’.
Control A8.2.2 goes on to state:
‘An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.’
But how do you implement this control easily?
Well, the first step is to develop your information classification policy. Rather than writing your own policy from scratch, use a document template that you can customise.
When it comes to implementing the nitty-gritty of information classification, you really need an information classification software solution such as Boldon James Classifier. This software enables you to enforce your information classification policy and ensure that each and every electronic document and file is classified with metadata labels and visual markings.
If you want to find out more about information classification software and ISO/IEC 27001:2013, attend our event in Farnborough, UK on 23 October titled: The transition to ISO27001:2013 – Preparing for the Change – book your place today!