How to Audit Information Classification: A Practical Guide to ISO 27001 Annex A 5.12

Information classification is the foundation of any good Information Security Management System (ISMS). If you get this basic step wrong, many of your other security controls will likely fail, because they depend on knowing which information needs protecting. This guide cuts through the noise to give you a clear framework for managing and auditing information classification, and helps you meet the requirements of ISO/IEC 27001:2022 Annex A 5.12, Classification of information.

Whether you are building an ISMS from the ground up or getting ready for an audit, this guide helps you protect what matters most to your organisation. For those looking for tools to streamline this process, platforms like hightable.io can be incredibly useful for managing these assets effectively.


What is Information Classification and Why Is It So Important?

Before we get into the technical details, you need to understand the main goal of information classification. Knowing the ‘why’ is vital. It helps you get support from management and ensures your team actually uses the system.

The Core Purpose of Annex A 5.12

The control itself is short: information shall be classified according to the organisation's information security needs, based on confidentiality, integrity and availability (the classic CIA triad) and on the requirements of relevant interested parties such as customers and regulators. In simple terms, it is a way to prioritise. It lets you sort your data so you can apply security controls where they are needed most. You have limited time, money, and people. You cannot protect all information with the same high level of security, and you should not try to.

The High Cost of Getting It Wrong

If you have a poor classification system, or none at all, you face risks and wasted effort. The results often include:

  • Wasted Resources: Using top-tier security for a public brochure is a waste of your budget and time. It slows down your work and takes focus away from protecting critical data.
  • Ineffective Security: If you try to protect everything equally, you end up protecting nothing effectively. When you treat every piece of data as a top priority, the sensitive assets do not get the specific care they need.
  • Compliance Failures: Regulators expect you to know which data is sensitive. If you fail to classify data correctly, especially data under rules like the GDPR, you could face fines.

The Intelligence Layer for Your Security Programme

Classification is not just a standalone task. It is a necessary first step that acts as the “intelligence layer” for your whole security programme. It links directly to keeping an up-to-date data asset register (Annex A 5.9) and is key for access control policies (Annex A 5.15). You cannot control access to confidential data if you do not know what is confidential.

Without this layer, controls like data loss prevention are just guesswork. Classification makes your security precise.

Building Your Classification Scheme: A Guide to Pragmatic Design

Your system will only work if it is designed well. If your scheme is too complex, people will ignore it. The main goal is to create a scheme that is simple, clear, and easy for everyone to use.

The Keep It Simple Principle

Many organisations fail because they over-engineer their scheme. If you create too many levels, like six or seven, it leads to decision fatigue. Busy staff will either ignore the scheme or mark everything as ‘Top Secret’ just to be safe. This defeats the purpose of prioritising your data.

For most groups, a simple three-level scheme works best. This approach asks one simple question: “What is the impact if this data leaks?”

  • Level 1: Public. This is for data where a leak poses no risk. If this information appeared on the news, it would not hurt you. Examples include marketing flyers, press releases, and job postings.
  • Level 2: Internal. This data is for your organisation only. A leak would cause minor issues or a bit of embarrassment, but it would not be a disaster. Examples include internal memos, team charts, and general meeting notes.
  • Level 3: Confidential. This is the “crown jewels” category. If this gets out, it causes major damage. This could be financial loss, legal issues, or lost trade secrets. This is where you spend your budget on encryption and strict access. Examples include HR files, payroll data, and source code.

What About the ISO Standard’s Four-Level Example?

Do not let the standard’s example confuse you. ISO/IEC 27001:2022 Annex A only states the control; the four-level example comes from the implementation guidance in ISO/IEC 27002:2022 for control 5.12. It ranges from “disclosure causes no harm” to “disclosure has a serious impact on long-term business objectives or puts the survival of the organisation at risk.” It is labelled as an example, not a requirement. Adopting it adds complexity because you have to define where “minor” ends and “significant” begins, and staff have to apply that distinction consistently. For most businesses, the three-level scheme is more practical.

A Note on Naming Conventions

ISO does not care what you name your levels. You can use “Confidential,” “Restricted,” or any other name. The auditor does not mind the label. As long as your scheme is clear and addresses your risks, you should use names that fit your culture.

The 6 Mandatory Actions for a Successful Implementation

A good design needs a plan to make it work. To satisfy an auditor, there are six main actions you must take.

  • Write a Cornerstone Policy. You must create a formal “Information Classification and Handling Policy.” This is your rule book. It defines your levels and how to handle data from creation to destruction.
  • Define the Scheme and Its Criteria. Inside the policy, you must document the scheme. Show that you have thought about the security needs of your information based on the CIA triad.
  • Meet Legal Requirements. Your scheme must meet external demands. Work with your legal team to check data privacy laws and contractual obligations. For example, data containing personal information (PII) must never be ‘Public’; under the GDPR, most of it belongs in ‘Confidential’ alongside the HR and payroll examples above, because a leak carries notification duties and potential fines.
  • Assign Information Owners. You need to assign an “owner” to information assets. This is usually a department head. It is their job to classify the data, not the IT team’s job.
  • Maintain Consistency. The scheme must be applied the same way across all teams. The 2022 guidance (ISO/IEC 27002, control 5.12) also expects agreements with other organisations to cover how your levels map to theirs. If you send confidential data to a supplier, document which of their levels it lands on and confirm that level receives at least the same handling as your own.
  • Review and Update Annually. The value of data changes. You must review your scheme and your key assets at least once a year.


How to Audit It: Passing Your ISO 27001 Certification

The audit is where theory meets reality. An auditor can judge your system in under an hour. They look for a clear link from your policy to the documents your staff use every day.

The Auditor’s Checklist: What They Want to See

An auditor wants proof that your system is real. They usually look for three things:

  • A Defined Scheme. They will read your policy first. They check that your levels make sense and that the controls match the risks.
  • An Up-to-Date Data Asset Register. The auditor checks the link between your inventory and your classification. They will pick assets and check for an owner and a classification level. An asset register without this detail is a red flag.
  • Evidence of Compliance. An auditor looks for tangible proof that the scheme is applied. They check that documents actually carry the marking your policy requires, such as ‘Confidential’ in a footer (the related control is Annex A 5.13, Labelling of information). They also sample sensitive data, such as personal data under the GDPR, to confirm it sits at the level the policy and the law require.
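The sampling an auditor does can be rehearsed internally. The following Python script is an added illustration for this guide, not a tool from the article or from hightable.io. It runs the checks described above (an owner per asset, a level from the scheme, personal data never ‘Public’, supplier levels mapped no more loosely than your own, and footer markings matching the register) over an asset register. The register rows, the supplier level mapping and the observed markings are all constructed sample data.

```python
"""Audit a constructed information asset register against a three-level
classification scheme (Public / Internal / Confidential).

Added illustration for the guide, not code from the article or hightable.io.
All register rows, the supplier mapping and the document markings below are
constructed sample data chosen to trigger each kind of finding once.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Optional

# Scheme levels in increasing order of sensitivity; RANK lets us compare them.
SCHEME = ("Public", "Internal", "Confidential")
RANK = {level: i for i, level in enumerate(SCHEME)}

# Hypothetical mapping of a supplier's four-level scheme onto ours, as agreed
# in the supplier contract (assumed names, not from any real scheme).
SUPPLIER_MAP = {
    "Open": "Public",
    "Company": "Internal",
    "Restricted": "Confidential",
    "Secret": "Confidential",
}

# Constructed register: one row per asset. supplier_level is the level the
# supplier applies to data we share (blank if not shared); marking is the
# classification label observed in the footer of a sampled document.
REGISTER_CSV = """\
id,asset,owner,level,pii,supplier_level,marking
A1,Press release archive,Head of Marketing,Public,no,,Public
A2,Internal memos,Head of Operations,Internal,no,,
A3,Payroll data,Head of HR,Confidential,yes,Restricted,Confidential
A4,Customer newsletter list,,Internal,yes,,Internal
A5,Event attendee list,Head of Marketing,Public,yes,,Public
A6,Source code repository,Head of Engineering,Confidential,no,Company,Internal
A7,Board minutes,Company Secretary,Top Secret,no,,Top Secret
"""


@dataclass(frozen=True)
class Finding:
    asset_id: str
    check: str   # owner | scheme | legal | supplier | marking
    detail: str


def audit_register(csv_text: str, supplier_map: dict = SUPPLIER_MAP,
                   unmarked_default: Optional[str] = None) -> list[Finding]:
    """Return one Finding per gap, in register order.

    unmarked_default: if the policy declares unmarked documents to be, say,
    "Internal" by default, pass that level and blank markings are accepted
    for assets at that level. With None every document must carry a mark.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        aid, level = row["id"], row["level"]

        # 1. Every asset needs a named owner; the owner classifies, not IT.
        if not row["owner"].strip():
            findings.append(Finding(aid, "owner", "no information owner assigned"))

        # 2. The level must be one the policy actually defines.
        if level not in RANK:
            findings.append(Finding(aid, "scheme", f"level {level!r} is not in the scheme"))
            continue  # the remaining checks need a valid level

        # 3. Personal data must never be released as Public.
        if row["pii"].lower() == "yes" and level == "Public":
            findings.append(Finding(aid, "legal", "contains PII but is classified Public"))

        # 4. A supplier's level must map back to at least our level, so the
        #    data gets no weaker handling once it leaves us.
        sup = row["supplier_level"].strip()
        if sup:
            mapped = supplier_map.get(sup)
            if mapped is None:
                findings.append(Finding(aid, "supplier", f"supplier level {sup!r} is not mapped"))
            elif RANK[mapped] < RANK[level]:
                findings.append(Finding(aid, "supplier",
                                        f"supplier treats it as {mapped}, we require {level}"))

        # 5. The marking on the sampled document must agree with the register.
        marking = row["marking"].strip()
        effective = marking or unmarked_default
        if effective is None:
            findings.append(Finding(aid, "marking", "document carries no classification mark"))
        elif effective != level:
            how = f"marked {marking!r}" if marking else f"unmarked (defaults to {effective})"
            findings.append(Finding(aid, "marking", f"{how} but registered as {level!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_register(REGISTER_CSV):
        print(f"{f.asset_id:<3} {f.check:<9} {f.detail}")
```

Run as-is, the sample register produces six findings: an unmarked memo (A2), a missing owner (A4), personal data classified Public (A5), source code that a supplier handles as Internal and that is also mis-marked (A6), and a level that the scheme never defined (A7). Passing `unmarked_default="Internal"` models a policy that treats unmarked documents as Internal by default, which clears the A2 finding; the other five remain, which is the point of writing the default into the policy rather than assuming it.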

Top 3 Mistakes That Lead to an Audit Fail

Most failures come from bad governance or not following the policy.

  • Lack of Marking. This is a common fail. You have a policy that requires labels, but staff do not label their files. An auditor can spot this quickly by looking at a screen or a shared drive. If your policy says internal documents must be marked and they are not, that is a nonconformity against your own policy. A pragmatic way to reduce the burden is to state in the policy that unmarked information is treated as ‘Internal’ by default, so only ‘Public’ and ‘Confidential’ need explicit labels; then the auditor checks that rule rather than every footer.
  • Over-Complication. This happens when you ignore the simple approach. If staff cannot explain the difference between your classification levels, the scheme is not working.
  • Poor Document Control. Your policy is a living document. An auditor looks for a version number and proof of review within the last 12 months. An old policy is a problem.

Conclusion: Protecting What Matters Most

In the end, a good information classification system is not about red tape. It is about being efficient. It helps you focus your limited resources on protecting what matters most. By doing this, you help your business run securely without slowing down your employees. It embeds common sense into your organisation’s culture.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigour with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organisations, from high-growth technology startups to enterprise financial institutions, through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
