Information classification is a vital part of any ISO 27001 project. Without classifying your information, you cannot decide how it should be handled and what controls you should put in place to protect it as part of your ISO 27001 project.
Only by classifying the information your organisation owns can you adequately protect its value. If you don’t classify it, your information and its inherent value are at risk of being lost.
But where do you start with information classification?
Firstly, you will need to develop an information classification policy. In this you will set out the different levels of classification, define what information falls within each classification and then decide what controls will be put in place.
Rather than reinventing the wheel by developing an information classification policy from scratch, use an information classification policy template that has already been designed by ISO 27001 experts.
How can you practically start applying information classifications to information?
Some people simply add classifications to the footer of their documents. So for instance, if you are creating a Word document that contains information that falls within the classification level of ‘confidential’ in your information classification policy, you would add the word ‘confidential’ in the footer of the Word document. This is fraught with problems, the biggest being the possibility that you forget to classify an important document.
Other solutions, such as stamps, have been used previously, though these have been found to be impractical and unusable for classifying certain types of information.
Information classification software, such as Boldon James Classifier, is the most practical solution for information classification. It allows you to easily apply visible labels and metadata to all manner of electronic files. Not only does Classifier enable you to easily classify information, it also enables you to enforce your organisation’s information classification policy. For instance, if you have specified that information with a ‘restricted’ classification shouldn’t be sent outside of the organisation, Classifier will prevent members of staff from sending emails, or emails with attachments that contain ‘restricted’ information, outside of your organisation. Classifier also integrates with other on-demand technologies such as encryption software.
Information classification is vital to any ISO 27001 project, and information classification software makes it easy!