ISO 27001 Annex A 5.12 (Classification of information) is a security control that requires organisations to classify information according to its sensitivity, its value to the business and its legal or contractual importance. The core implementation requirement is a documented information classification policy backed by an information asset register; the business benefit is protection that is proportionate to risk and applied consistently across all assets, automatically where tooling supports it.
Auditing ISO 27001 Annex A 5.12 requires rigorous validation of how an organisation identifies, categorises and protects its information assets. A successful audit shows that classification is not just a policy document but a functioning technical workflow, in which the label on an asset triggers specific security controls matched to its sensitivity and legal value.
Step 1: Formalise the Information Classification Policy
Establish a documented framework that defines the levels of sensitivity for all organisational data. This policy acts as the primary authority for how data is handled throughout its lifecycle.
- Verify that the policy defines a small set of distinct levels (for example Public, Internal, Confidential and Secret) with handling rules for each; the standard does not prescribe a number, but levels that are never used are a sign the scheme does not fit the business.
- Confirm that the classification criteria include legal requirements, value to the business, and sensitivity to unauthorised disclosure.
- Audit the approval records to ensure senior management has signed off on the current version of the framework.
Step 2: Provision a Comprehensive Asset Register
Maintain an Information Asset Register (IAR) that serves as the single source of truth for all data sets within the scope of the ISMS. This ensures no data silo remains unclassified or unprotected.
- Inspect the IAR to confirm that every asset is mapped to a specific classification level.
- Validate that the register records technical metadata such as file formats, storage locations (cloud or on-premises) and retention periods.
- Review the asset discovery process and its schedule to ensure shadow IT and unmanaged databases are regularly identified and added to the register.
Step 3: Assign and Audit Information Ownership
Designate specific individuals as Information Owners to ensure accountability for the classification and protection of data assets. Ownership prevents the “tragedy of the commons” where data security is ignored by departments.
- Verify that every entry in the Asset Register has a named owner with the authority to grant or revoke access.
- Check that IAM (Identity and Access Management) roles and access lists for each asset are reviewed by its owner at least every six months.
- Audit the onboarding, role-change and offboarding process to ensure ownership is reassigned before a staff member leaves the organisation or moves role, so no asset is left without a named owner.
Step 4: Execute Automated Labelling and Metadata Tagging
Implement technical markers on digital and physical assets to communicate their classification level to users and automated security systems. Data Loss Prevention (DLP) and access-control tooling act on these labels, so an unlabelled or mislabelled asset is effectively uncontrolled regardless of what the policy says.
- Sample digital files to verify that metadata tags (e.g., XMP or custom properties) are present and accurate.
- Test automated triggers: for example, ensuring an email tagged as “Secret” cannot be forwarded to an external recipient.
- Audit physical assets, such as printed reports or backup tapes, to ensure they bear visible classification labels or stamps.
- Confirm that Multi-Factor Authentication (MFA) is strictly enforced for accessing repositories containing “Confidential” or “Secret” data.
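The check an auditor actually wants for this step, and for the "Disconnected Metadata" failure described later on this page, is a reconciliation of the asset register against what is really tagged and enforced on the storage. The following is an added example, not code from the original page or from any GRC product. It assumes a tag key of DataClassification and a level-to-control mapping (Confidential and above must block public access and have default encryption; Secret must use KMS-managed keys) that stand in for whatever the organisation's own policy prescribes. The bucket snapshot is constructed inline so the script runs offline; in a live run each BucketState would be filled from the storage API (for S3, get_bucket_tagging, get_public_access_block and get_bucket_encryption).

```python
"""Reconcile an Information Asset Register (IAR) with the classification tags and
protective controls actually present on cloud storage. Added example; the bucket
inventory below is constructed, not read from a live account."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Classification ladder from the policy example on the page; list position is the sensitivity rank.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]
# Assumed tag key. Organisations choose their own; it must match what the policy prescribes.
TAG_KEY = "DataClassification"


@dataclass
class BucketState:
    """Point-in-time snapshot of one storage bucket (constructed for this example)."""
    tags: Dict[str, str]
    block_public_access: bool        # True only if every public-access-block setting is on
    sse_algorithm: Optional[str]     # "AES256", "aws:kms", or None when no default encryption


@dataclass
class Finding:
    asset: str
    severity: str    # "high" or "medium"
    message: str


def _rank(level: str) -> Optional[int]:
    return LEVELS.index(level) if level in LEVELS else None


def reconcile(register: Dict[str, str], inventory: Dict[str, BucketState]) -> List[Finding]:
    """Compare the IAR (asset -> classification) with the storage snapshot.

    The register is the authority for which controls are required; the bucket tag is
    what users and DLP tooling actually see. Any divergence is a finding, as is any
    bucket the register does not know about (shadow IT or a stale register)."""
    findings: List[Finding] = []

    for asset, level in register.items():
        if _rank(level) is None:
            findings.append(Finding(asset, "high", f"register uses undefined level {level!r}"))
            continue
        state = inventory.get(asset)
        if state is None:
            findings.append(Finding(asset, "high", "listed in IAR but not found in storage inventory"))
            continue

        actual = state.tags.get(TAG_KEY)
        if actual is None:
            findings.append(Finding(asset, "medium", f"no {TAG_KEY} tag on bucket"))
        elif actual != level:
            # A tag that under-states sensitivity is worse: downstream controls key off the tag.
            actual_rank = _rank(actual)
            severity = "high" if actual_rank is None or actual_rank < _rank(level) else "medium"
            findings.append(Finding(asset, severity, f"tag says {actual!r}, register says {level!r}"))

        # Controls required by the register's level, regardless of what the tag claims
        # (assumed mapping; substitute the organisation's own handling rules).
        if _rank(level) >= _rank("Confidential"):
            if not state.block_public_access:
                findings.append(Finding(asset, "high", "public access not blocked"))
            if state.sse_algorithm is None:
                findings.append(Finding(asset, "high", "no default encryption"))
            elif level == "Secret" and state.sse_algorithm != "aws:kms":
                findings.append(Finding(asset, "medium", "Secret data requires KMS-managed keys"))

    for asset in inventory:
        if asset not in register:
            findings.append(Finding(asset, "high", "bucket exists but has no IAR entry"))

    return findings


def findings_by_asset(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding messages per asset, preserving the order they were raised."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.asset, []).append(f.message)
    return grouped


def sample_run() -> List[Finding]:
    """Run the reconciliation on a constructed register and bucket snapshot."""
    register = {
        "finance-reports": "Confidential",
        "hr-records": "Secret",
        "marketing-site-assets": "Public",
        "decommissioned-archive": "Internal",
    }
    inventory = {
        "finance-reports": BucketState({TAG_KEY: "Confidential"}, True, "AES256"),   # compliant
        "hr-records": BucketState({TAG_KEY: "Public"}, False, "AES256"),             # "Secret" on paper only
        "marketing-site-assets": BucketState({}, True, None),                        # never tagged
        "research-scratch": BucketState({TAG_KEY: "Internal"}, True, None),          # not in the IAR
    }
    return reconcile(register, inventory)


if __name__ == "__main__":
    for f in sample_run():
        print(f"[{f.severity}] {f.asset}: {f.message}")
```

Run against the constructed data this raises six findings: hr-records is tagged Public while the register says Secret, has no public-access block and is not KMS-encrypted; marketing-site-assets carries no tag at all; decommissioned-archive exists only in the register; and research-scratch exists only in the cloud. The register is treated as authoritative for required controls on purpose, so an asset that has been downgraded on the tag alone still fails, which is exactly the "Secret in the tool, Public in the cloud folder" gap an auditor is looking for.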
Step 5: Revoke Access and Securely Dispose of Classified Data
Enforce strict lifecycle management to ensure that information is not retained longer than necessary and is destroyed securely according to its classification. This reduces the organisation’s “blast radius” in the event of a breach.
- Review disposal logs to verify that sensitive data is destroyed using approved methods, such as cryptographic erasure or physical shredding.
- Validate that access rights are revoked immediately upon a change in classification or asset retirement.
- Verify that the organisation maintains certificates of destruction for all high-sensitivity physical media.
Audit Execution Guide: ISO 27001 Annex A 5.12
| Audit Step | How to Audit | Common Examples |
|---|---|---|
| Policy Alignment | Compare the classification scheme against statutory requirements like GDPR or DPA 2018. | Classification Policy, Data Protection Impact Assessments (DPIA). |
| Asset Verification | Perform a spot check by picking a random server or cloud bucket and checking its entry in the IAR. | Asset Register, AWS S3 Tags, SharePoint Metadata. |
| Labelling Accuracy | Manually inspect 10-20 documents across different departments for correct headers and tags. | PDF Watermarks, Email Headers, Sensitivity Labels. |
| Handling Compliance | Observe employees handling “Confidential” files or check if secure waste bins are used. | Locked filing cabinets, Secure shredding consoles, Encrypted USBs. |
Why GRC Platforms Often Fail the Annex A 5.12 Audit
| SaaS/GRC Platform Failure | Why it Fails the Audit | The “Real World” Deficiency |
|---|---|---|
| Static Asset Snapshots | Platforms rely on manual CSV uploads which are out of date the moment they are imported. | The auditor finds live data repositories that do not exist in the GRC dashboard. |
| Disconnected Metadata | The GRC tool lists a classification, but that “tag” does not exist on the actual file or system. | There is no technical enforcement: a file is “Secret” in the tool but “Public” in the actual cloud folder. |
| Generic Template Bias | Software forces businesses into “Standard” categories that ignore specific legal or contractual nuances. | The business fails to meet specific client security requirements because they used a “one-size-fits-all” template. |
| False Sense of Automation | Platforms claim “Automated Compliance” while ignoring the human element of ownership and review. | Information Owners have never logged into the system, meaning no actual oversight or review has occurred. |