What is information classification and how is it relevant to ISO 27001?

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.

Organisations usually classify information in terms of confidentiality – i.e. who is granted access to see it. A typical system will include four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public (everyone has access)

As you might expect, larger and more complex organisations will need more levels.

Take hospitals, for example: doctors and nurses need access to patients’ medical histories, which are highly sensitive, but they shouldn’t have access to other types of information that would fit that criteria, such as the hospital’s financial records.

In cases such as this, a separate level must be created that accounts for specific job functions.

Where does ISO 27001 fit in?

Organisations that are serious about protecting their information should be following the guidelines set out in ISO 27001.

The Standard describes best practice for creating and maintaining an ISMS (information security management system), and information classification plays an important role.

Control objective A8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.

The Standard doesn’t explain how you should do that, but the process is relatively simple. You just need to follow four simple steps.

1) Enter your assets into an inventory

The first step is to collate all your information into an inventory (or asset register).

You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).

2) Classification

Next, you need to classify the information.

Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organisation’s ISO 27001 risk assessment.

Information that would be affected by bigger risks should generally be given a higher level of confidentiality.

Be careful, though, because this isn’t always the case. Our earlier example showed that there will be instances where sensitive information must be made available to a broader set of people in order for them to do their job.

Organisations that work with the public and private sector will usually benefit from two separate classification schemes.

This helps them differentiate between information that can and can’t be shared with third parties.

3) Labelling

Once you’ve classified your information, the asset owner must create a system for labelling it.

You’ll need different processes for information that’s stored digitally and physically, but it should be as consistent and clear as possible.

For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.

For digital files, you’ll list the classification in a column on your databases, as well as on the front page of the document and the header of each subsequent page.

4) Handling

Finally, you must establish rules for how to protect each information based on its classification and format.

For example, you might say that internal paper documents should be placed in an unlocked cabinet in a part of your premises that all employees can access, whereas restricted documents must be placed in a locked cabinet and confidential information must be stored in a secure location.

Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.

You can keep track of all these rules by using a table like this:

Information classification table example

Use a table to simplify the data handling documentation process.

Creating an information classification policy

As we’ve explained in this blog, information classification doesn’t require expert information security knowledge, but it does take a lot of coordination between departments.

It’s therefore essential that you create an information classification policy to make sure everybody is on the same page.

You can’t expect everybody to instantly memorise and follow your rules about who can access what information and what must be done to protect it.

The policy should explain why information classification is necessary, who is responsible for classification and labelling, and your organisation’s approach to classification.

This should include your levels of classification and the types of information that belong in each category.

Discover how IT Governance can help your information classification project >>


  1. Milan 6th March 2019
    • Luke Irwin 6th March 2019