Implementing ISO 27001 Annex A 5.12 is the strategic process of categorizing organizational information based on legal requirements, value, criticality, and sensitivity. It requires organizations to define a clear classification schema, apply technical metadata labels, and enforce Data Loss Prevention (DLP) controls to ensure data is protected according to its risk level throughout its lifecycle.
ISO 27001 Annex A 5.12 Classification of Information Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.12. Compliance with this control requires a defined, enforceable schema for categorising data sensitivity, backed by technical metadata tagging and Data Loss Prevention (DLP) rules, not just a written policy document.
1. Define a Simplified Classification Scheme
Control Requirement: Information must be classified in terms of legal requirements, value, criticality, and sensitivity.
Required Implementation Step: Create a 3-tier classification schema: ‘Public’ (Website data), ‘Internal’ (Standard business comms), and ‘Confidential’ (PII, Credentials, Strategy). Avoid complex 5-tier military-style systems that confuse staff. Define exactly what data types fall into each tier in a master table.
Minimum Requirement: A published ‘Information Classification Policy’ defining exactly three levels of sensitivity.
2. Configure Technical Sensitivity Labels (M365/Google)
Control Requirement: Classification labels must be applied to information.
Required Implementation Step: Log in to Microsoft Purview (Compliance Portal) or Google Workspace Admin. Create ‘Sensitivity Labels’ that match your scheme. Publish these labels so they appear natively in Word, Excel, and Outlook. Users must be forced to select a label before saving a new document.
Minimum Requirement: Screenshot of the ‘Sensitivity’ button visible in the ribbon of a corporate Word document.
3. Implement Visual Marking on Documents
Control Requirement: Procedures for information labelling need to be developed and implemented.
Required Implementation Step: Configure your label policy to automatically insert a header/footer watermark. If a user selects ‘Confidential’, the document must instantly render “CONFIDENTIAL – DO NOT DISTRIBUTE” in the footer. This removes ambiguity for the recipient.
Minimum Requirement: A PDF export of a ‘Confidential’ document showing the automatic watermark.
4. Define Handling Rules for Each Level
Control Requirement: Procedures for handling information must be defined.
Required Implementation Step: Create a ‘Handling Matrix’ cheat sheet. For ‘Confidential’ data, explicitly state: “Must be encrypted at rest,” “Cannot be sent to personal email,” and “Must be stored on SharePoint Secure Sites.” Distribute this matrix to all staff.
Minimum Requirement: A one-page ‘Data Handling Matrix’ pinned to the intranet or office wall.
5. Enforce Data Loss Prevention (DLP) Rules
Control Requirement: Prevention of unauthorized disclosure based on classification.
Required Implementation Step: Configure DLP policies in your email gateway or cloud admin console. Rule: If a document tagged ‘Confidential’ is attached to an email addressed to an external domain (e.g., @gmail.com), block the transmission and notify the sender. Do not rely on trust.
Minimum Requirement: A test log showing a blocked email attempt containing a ‘Confidential’ attachment.
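The DLP rule in step 5, modelled as an added example (not from the checklist and not a Purview or Exchange configuration): messages carry attachments with a sensitivity-label field, and anything labelled ‘Confidential’ addressed outside the organisation’s own domains is blocked and the sender notified. The organisation domains and the sample messages are constructed assumptions.

```python
"""Minimal model of the step-5 DLP rule, run over constructed messages."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: these are the organisation's own mail domains; anything else is external.
ORG_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class Attachment:
    name: str
    label: Optional[str]  # sensitivity-label metadata; None when the file was never labelled


@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


def external_recipients(msg: Message, org_domains=ORG_DOMAINS) -> List[str]:
    """Recipients whose mail domain (compared case-insensitively) is not one of ours."""
    return [r for r in msg.recipients if r.rsplit("@", 1)[-1].lower() not in org_domains]


def evaluate(msg: Message, org_domains=ORG_DOMAINS) -> Tuple[str, Optional[str]]:
    """Apply the rule: block when a 'Confidential' attachment goes to any external address.
    Returns (verdict, notice) where verdict is 'block' or 'allow' and notice is the
    sender-facing text (None when allowed). Unlabelled attachments are not blocked here."""
    ext = external_recipients(msg, org_domains)
    hits = [a.name for a in msg.attachments if a.label == "Confidential"]
    if ext and hits:
        notice = (f"To {msg.sender}: message blocked. Attachment(s) {', '.join(hits)} are "
                  f"labelled Confidential and cannot be sent to external recipient(s) "
                  f"{', '.join(ext)}.")
        return "block", notice
    return "allow", None


# Constructed sample traffic: one leak attempt to a personal mailbox, one internal
# transfer of the same file, and a public brochure sent to a partner.
SAMPLES = [
    Message("alice@example.com", ["Bob@Gmail.COM"], [Attachment("board-strategy.docx", "Confidential")]),
    Message("alice@example.com", ["carol@example.com"], [Attachment("board-strategy.docx", "Confidential")]),
    Message("alice@example.com", ["dan@partner.org"], [Attachment("brochure.pdf", "Public")]),
]


def run_samples() -> List[str]:
    """Verdict per sample message, in order; the blocked one yields the step-5 test-log evidence."""
    return [evaluate(m)[0] for m in SAMPLES]
```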
6. Label Legacy Assets and Databases
Control Requirement: Classification must be applied to existing assets.
Required Implementation Step: Update your Information Asset Register (from Annex A 5.9). Add a mandatory column ‘Classification’. Review your SQL databases and file servers. Assign a blanket classification (e.g., ‘Confidential’) to the HR File Share to cover all legacy data contained within it.
Minimum Requirement: The Asset Register fully populated with a classification status for every row.
7. Secure Physical Information Assets
Control Requirement: Physical media must be classified and labelled.
Required Implementation Step: Purchase red ‘Confidential’ ink stamps or stickers. Walk through the HR and Finance departments. Physically stamp paper files, archive boxes, and external hard drives containing sensitive data. Unmarked assets are liable to be left on desks.
Minimum Requirement: Photo evidence of physical archive boxes bearing classification labels.
8. Establish Review Cycles for Classification
Control Requirement: Classification should be reviewed over time.
Required Implementation Step: Data degrades in value. Schedule an annual ‘De-classification Review’. A strategic plan from 2015 is likely no longer ‘Confidential’. Downgrading old data reduces the cost and complexity of protecting it.
Minimum Requirement: Minutes from an ISMS review meeting noting the re-classification of expired projects.
9. Align Vendor Contracts with Classification
Control Requirement: Information shared with third parties must be protected according to its value.
Required Implementation Step: Review your Data Processing Agreements (DPAs). If you send ‘Confidential’ data to a vendor, their contract must explicitly mandate encryption and handling standards that match your internal handling matrix.
Minimum Requirement: A signed contract with a supplier referencing your specific data classification tiers.
10. Audit User Labelling Behaviour
Control Requirement: Ensure consistency in application.
Required Implementation Step: Run a report in your document management system (e.g., SharePoint usage report). Identify files created in the last month that are labelled ‘Public’. Spot check 5 of them. If they contain internal meeting minutes, flag this as a non-conformity and retrain the user.
Minimum Requirement: An audit report showing the percentage of documents labelled vs. unlabelled.
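The step-10 audit as an added example (not from the checklist, and not a SharePoint report format): it computes the labelled vs. unlabelled percentage required as evidence and picks recent ‘Public’ files for the spot check. The inventory rows and the filename keyword used to flag likely misclassification are constructed assumptions.

```python
"""Labelling audit over a constructed file inventory: coverage report plus spot-check list."""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed inventory rows: (path, label or None, created date). Not real data.
INVENTORY: List[Tuple[str, Optional[str], date]] = [
    ("/sites/hr/payroll-2024.xlsx", "Confidential", date(2024, 5, 2)),
    ("/sites/mgmt/minutes-05-14.docx", "Public", date(2024, 5, 14)),
    ("/sites/web/brochure.pdf", "Public", date(2024, 5, 10)),
    ("/sites/sales/pipeline.xlsx", None, date(2024, 5, 3)),
    ("/sites/it/runbook.docx", "Internal", date(2024, 4, 1)),
    ("/sites/mgmt/minutes-04-02.docx", "Public", date(2024, 4, 2)),
]

# Assumption: filenames containing these words usually hold internal material, so a
# 'Public' label on them is worth a human look. This is a heuristic, not a verdict.
INTERNAL_HINTS = ("minutes", "payroll", "strategy")


def coverage(inventory=INVENTORY) -> Dict[str, object]:
    """Labelled vs. unlabelled counts and percentage, plus a per-label breakdown."""
    total = len(inventory)
    labelled = sum(1 for _, label, _ in inventory if label)
    pct = round(100 * labelled / total, 1) if total else 0.0
    by_label = Counter(label or "UNLABELLED" for _, label, _ in inventory)
    return {"total": total, "labelled": labelled, "unlabelled": total - labelled,
            "labelled_pct": pct, "by_label": dict(by_label)}


def spot_check_candidates(inventory=INVENTORY, as_of: date = date(2024, 5, 20),
                          days: int = 30, sample: int = 5) -> List[str]:
    """'Public' files created within the last `days` before `as_of`, newest first, capped at `sample`."""
    cutoff = as_of - timedelta(days=days)
    recent = [row for row in inventory if row[1] == "Public" and cutoff <= row[2] <= as_of]
    recent.sort(key=lambda row: row[2], reverse=True)
    return [row[0] for row in recent[:sample]]


def likely_nonconformities(paths: List[str]) -> List[str]:
    """Subset of spot-check paths whose name suggests internal content despite the 'Public' label."""
    return [p for p in paths if any(hint in p.lower() for hint in INTERNAL_HINTS)]
```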
ISO 27001 Annex A 5.12 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Classification Scheme | The tool provides a generic “High/Medium/Low” dropdown menu. | Failure: “Medium” means nothing to a user. You need specific business terms (Internal/Confidential). GRC dropdowns don’t tag the actual file, just the record of the file. |
| Labelling | The tool asks “Is this asset labelled?” (Yes/No). | Failure: Checking ‘Yes’ doesn’t put a watermark on the PDF. Real compliance requires configuring Microsoft Information Protection (MIP) to modify file headers. |
| Handling Rules | A text field to describe “Handling Procedures”. | Failure: Writing a procedure doesn’t stop a data leak. You need active DLP rules in Exchange/Gmail that read the labels and block emails. |
| Legacy Data | Bulk import of assets with default classification. | Failure: Marking 10,000 files as ‘Confidential’ in a GRC tool is useless if the file permissions on the server are set to ‘Everyone: Read’. |
| User Adoption | e-Learning module on “Data Sensitivity”. | Failure: Users ignore training. You must force the workflow: “You cannot save this document until you pick a label.” GRC training modules don’t enforce technical controls. |
| External Sharing | Vendor risk assessment questionnaire. | Failure: Asking a vendor “Do you encrypt?” is weak. You must encrypt the file before sending it, ensuring only the intended recipient can open it regardless of the vendor’s security. |
| Auditability | “Policy Last Reviewed” date. | Failure: The auditor wants to see that files are being labelled, not that the policy was spell-checked. You need usage logs from your file server or cloud provider. |
