Information Classification for ISO 27001
In order to protect your information appropriately, you first need to appreciate its value. As part of an ISO 27001-compliant information security management system (ISMS), it is necessary to classify all of the organisation’s information assets.
This page details the information classification process.
ISO 27001 controls
The controls in Annex A of ISO 27001 describe best practices that can be used to mitigate information security risks. Although there is no requirement to use the Annex A controls, any other controls that are used should be compared with Annex A.
Annex A control objective A.8.2 states that information should receive “an appropriate level of protection in accordance with its importance to the organization.” This is achieved by “classification”, “labelling”, and “handling”.
The information asset register
An information classification scheme establishes a standardised set of descriptions that can be applied to all information assets.
The terms your organisation uses are entirely a matter of preference and are open to customisation, but may be as simple as a numbering system, or descriptive labels like ‘Confidential’, ‘Restricted’ and so on. Whatever scheme you use, it should be appropriate to your needs.
However you choose to describe your information assets, your organisation should have a complete and comprehensive information asset register that records the existence of assets and allows you to assess their value at a glance.
Structuring information classification
Ideally, an information classification scheme should limit the number of possible classifications and, in turn, limit the number of processes you need to maintain. For many organisations, there need not be more than three or four.
A simple example of classification levels might look something like this:
- Unclassified: The information is not particularly valuable, nor is the organisation required to protect it. It can be accessed by anyone for any purpose, including release to the public or clients. It may include press releases, job vacancies, and so on.
- Internal only: The information has value internally, and may have some value to competitors. It may be distributed freely to anyone within the organisation. It may include internal memos, employment data, contract information, and so on.
- Confidential: The information has significant value and there may be legal requirements for its protection. Access is limited to designated roles or tiers within the organisation. It may include intellectual property, customer payment details, long-term strategic planning, and so on.
Each of these classification levels can then inform other controls to ensure that the information is appropriately protected from unauthorised access, modification, distribution and destruction.
Implementing data classification
There are several critical factors in implementing an effective information classification scheme: labelling, access controls and staff awareness.
- Labels are used to identify the value of the data and to display its classification. The way labelling is handled is, once again, up to the organisation, but should be relevant to the way the information is used. For instance, hardcopies of files, removable media, and so on should have a physical label; digital content should include the label in the filename, document itself and metadata.
- Access controls can draw from the labelling, metadata or file structure to permit or deny access to information based on the user’s access rights. For hardcopies, this could involve filing information in specific cabinets, which can be locked or stored off-site to control access. Digital content can employ network controls to ensure that users only have access to the information they are entitled to.
- Staff awareness is essential for any classification scheme to be effective, as is making sure that it is simple enough to navigate – there should not be too many classifications, the rules for handling information should be clear, and staff should be able to reliably classify any new or unlabelled information. All staff should be appropriately trained in the classification and handling of information.
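The three factors above (labels carried in filenames or metadata, access decisions derived from those labels, and a way to surface unlabelled items for staff to classify) can be tied together in a small script. The following is an added illustration written for this page, not code from the original article or from IT Governance: the three classification levels are the ones listed above, while the role names, the handling rules mapping levels to roles, the `[LABEL]` filename convention and the sample assets are all constructed assumptions. Unlabelled information is treated as deny-until-classified rather than open, so a missing label fails safe.

```python
"""Label-driven access decisions over a classified information asset register.

Added illustration for the classification scheme described above. The role
names, handling rules, filename label convention and sample entries are
constructed for the example and are not part of the original page.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import re

class Level(IntEnum):
    """The three classification levels from the example scheme above."""
    UNCLASSIFIED = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

# Constructed handling rules: which roles may read each level.
# None means no role restriction (anyone, including the public).
READ_RULES = {
    Level.UNCLASSIFIED: None,
    Level.INTERNAL: {"staff", "finance", "legal", "exec"},
    Level.CONFIDENTIAL: {"finance", "legal", "exec"},
}

@dataclass
class Asset:
    name: str
    owner: str
    level: Optional[Level]  # None = not yet classified

def label_from_name(filename: str) -> Optional[Level]:
    """Recover a label embedded in the filename, e.g. 'plan[CONFIDENTIAL].xlsx'
    (assumed convention for this example)."""
    m = re.search(r"\[(UNCLASSIFIED|INTERNAL|CONFIDENTIAL)\]", filename, re.IGNORECASE)
    return Level[m.group(1).upper()] if m else None

def label_from_metadata(meta: dict) -> Optional[Level]:
    """Recover a label from a 'classification' metadata field; unknown values count as no label."""
    raw = meta.get("classification")
    if raw is None:
        return None
    try:
        return Level[str(raw).strip().upper()]
    except KeyError:
        return None

def classify(filename: str, meta: dict) -> Optional[Level]:
    """Prefer the metadata label, then the filename; None when neither carries one.
    An explicit None check is used because Level.UNCLASSIFIED is 0 and would be
    falsy under a plain 'or'."""
    level = label_from_metadata(meta)
    if level is None:
        level = label_from_name(filename)
    return level

def may_read(asset: Asset, role: str) -> bool:
    """Allow or deny read access from the label alone; unlabelled assets are denied."""
    if asset.level is None:
        return False
    allowed = READ_RULES[asset.level]
    return allowed is None or role in allowed

def build_register(entries):
    """entries: iterable of (filename, owner, metadata) -> list of Asset records."""
    return [Asset(f, o, classify(f, m)) for f, o, m in entries]

def unlabelled(register):
    """Names of assets that still need a human to classify them."""
    return [a.name for a in register if a.level is None]

# Constructed sample entries, one per level plus one with no label at all.
SAMPLE_ENTRIES = [
    ("press-release-2024[UNCLASSIFIED].pdf", "comms", {}),
    ("internal-memo.docx", "hr", {"classification": "Internal"}),
    ("q3-strategy[CONFIDENTIAL].xlsx", "exec", {}),
    ("scan0042.pdf", "unknown", {}),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ENTRIES)
    for asset in register:
        print(asset.name, asset.level.name if asset.level else "UNLABELLED",
              "visitor" if may_read(asset, "visitor") else "-",
              "staff" if may_read(asset, "staff") else "-",
              "exec" if may_read(asset, "exec") else "-")
    print("needs classification:", unlabelled(register))
```

The register is the place to hook an actual file store or document management system; the point of the example is that the access decision reads nothing but the label, so a wrong or missing label is the thing to detect and correct, which is why `unlabelled()` exists alongside `may_read()`.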
ISO 27001 implementation resources
All organisations will benefit from IT Governance’s fixed-price ISO 27001 Packaged Solutions, which provide a series of implementation resources at transparent prices to suit all budgets and levels of expertise. Whatever your constraints or your preferred project approach, we have a solution to help you protect your organisation from cyber threats.
Speak to an expert
One of our qualified ISO 27001 lead implementers is ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project and to discuss different options to suit your budget and business needs.