In this guide to implementing ISO 27001 Annex A 5.12 Classification of Information, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Classification of Information Implementation Checklist
- 1. Define a Simplified Classification Scheme
- 2. Configure Technical Sensitivity Labels (M365/Google)
- 3. Implement Visual Marking on Documents
- 4. Define Handling Rules for Each Level
- 5. Enforce Data Loss Prevention (DLP) Rules
- 6. Label Legacy Assets and Databases
- 7. Secure Physical Information Assets
- 8. Establish Review Cycles for Classification
- 9. Align Vendor Contracts with Classification
- 10. Audit User Labelling Behaviour
- ISO 27001 Annex A 5.12 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 5.12 is the strategic process of categorising organisational information based on legal requirements, value, criticality, and sensitivity. It requires organisations to define a clear classification schema, apply technical metadata labels, and enforce Data Loss Prevention (DLP) controls to ensure data is protected according to its risk level throughout its lifecycle.
ISO 27001 Classification of Information Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.12. Compliance with this control requires a defined, enforceable schema for categorising data sensitivity, backed by technical metadata tagging and Data Loss Prevention (DLP) rules, not just a written policy document.
1. Define a Simplified Classification Scheme
Control Requirement: Information must be classified in terms of legal requirements, value, criticality, and sensitivity.
Required Implementation Step: Create a 3-tier classification schema: ‘Public’ (Website data), ‘Internal’ (Standard business comms), and ‘Confidential’ (PII, Credentials, Strategy). Avoid complex 5-tier military-style systems that confuse staff. Define exactly what data types fall into each tier in a master table.
Minimum Requirement: A published ‘Information Classification Policy’ defining exactly three levels of sensitivity.
2. Configure Technical Sensitivity Labels (M365/Google)
Control Requirement: Classification labels must be applied to information.
Required Implementation Step: Log in to Microsoft Purview (the compliance portal) or the Google Workspace Admin console. Create sensitivity labels (Purview) or Drive labels (Google Workspace) that match your scheme, one label per tier. Publish them so they appear natively in Word, Excel and Outlook (Purview) or in Drive and Docs (Workspace). Require users to select a label before saving a new document; in Purview this is the label policy option ‘Require users to apply a label to their emails and documents’.
Minimum Requirement: Screenshot of the ‘Sensitivity’ button visible in the ribbon of a corporate Word document.
3. Implement Visual Marking on Documents
Control Requirement: Procedures for information labelling need to be developed and implemented.
Required Implementation Step: Configure content marking on the label itself (in Purview it is a setting of the label, not of the label policy) as a header, footer or watermark. If a user selects ‘Confidential’, the document must immediately render “CONFIDENTIAL – DO NOT DISTRIBUTE” in the footer. This removes ambiguity for the recipient. The marking is a visual aid only and can be edited out of a document; the label metadata is what downstream controls such as DLP act on, so the marking supplements the label rather than replacing it.
Minimum Requirement: A PDF export of a ‘Confidential’ document showing the automatic watermark.
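The following script is an added example, not code from the original article or from Microsoft: it builds the three-tier scheme from step 1 as Purview sensitivity labels, attaches the automatic footer marking from step 3 to the Confidential label, and publishes all three through a label policy as in step 2. It uses Security & Compliance PowerShell (the ExchangeOnlineManagement module) and needs a Compliance Administrator role. The label names, tooltips, policy name and footer styling are assumptions for this example; the `mandatory` policy setting is the PowerShell equivalent of the portal’s ‘Require users to apply a label’ option and should be checked against the current Purview documentation before you rely on it.

```powershell
# Added example (not from the original article): three-tier sensitivity labels,
# footer marking on Confidential, published with mandatory labelling.
# Assumes Security & Compliance PowerShell and a Compliance Administrator role.
Connect-IPPSSession

# Step 1 scheme as label definitions. Names and tooltips are assumptions.
$labels = @(
    @{ Name = 'Public';       Tooltip = 'Approved for publication, e.g. website content' },
    @{ Name = 'Internal';     Tooltip = 'Standard business communications; not for external release' },
    @{ Name = 'Confidential'; Tooltip = 'PII, credentials, strategy; need-to-know only' }
)

foreach ($l in $labels) {
    # Idempotent: only create labels that do not already exist.
    if (-not (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip -ContentType 'File, Email'
    }
}

# Step 3: content marking is a property of the label, not of the label policy.
# The footer text is the string used in the article; font size/colour are assumptions.
Set-Label -Identity 'Confidential' `
    -ApplyContentMarkingFooterEnabled $true `
    -ApplyContentMarkingFooterText 'CONFIDENTIAL – DO NOT DISTRIBUTE' `
    -ApplyContentMarkingFooterFontSize 10 `
    -ApplyContentMarkingFooterFontColor '#FF0000' `
    -ApplyContentMarkingFooterAlignment Center

# Step 2: publish the labels so they appear in Word, Excel and Outlook.
$policyName = 'ISO27001-Classification'   # assumed name
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName -Labels 'Public', 'Internal', 'Confidential' -ExchangeLocation All
}

# Mandatory labelling: the setting behind the portal option
# "Require users to apply a label to their emails and documents".
# Assumption: verify the setting key against current Purview docs.
Set-LabelPolicy -Identity $policyName -Settings @{ mandatory = 'true' }
```

Run the script once from an admin workstation; label and policy changes can take some time to propagate to Office clients, so confirm the ‘Sensitivity’ button and the footer marking in a freshly created document before taking the evidence screenshot.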