Information classification is the process of assigning an appropriate classification level to an information asset so that it receives an adequate level of protection.
But why is information classification relevant to ISO 27001?
Information classification is a key part of any ISO 27001 project. In the standard, control objective A7.2 is titled ‘Information Classification’, and its stated objective is ‘to ensure that information receives an appropriate level of protection’. Organisations typically implement this control by developing a set of information classification guidelines that describe how information is to be classified and labelled (or marked), and how information at each level must be handled once it has been classified.
For example, an organisation may choose to have three or four levels of classification, such as Public, Confidential and Restricted. Its classification guidelines then give examples of the information that falls into each level and set out the measures that must be in place before information at that level crosses the organisation’s physical or logical boundary.
But how can information classification be made simple?
Some organisations simply add classification labels to Microsoft Word and other electronic documents by hand, which is prone to human error. Others use old-fashioned stamps to mark each paper document, and this too depends on a person remembering to apply the right label every time.