High Table ISO 27001 Toolkit Logo

ISO 27001 Clauses

ISO 27001 Clause 4.1 – Understanding The Organisation And Its Context

ISO 27001 Clause 4.2 – Understanding The Needs And Expectations of Interested Parties

ISO 27001 Clause 4.3 – Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.4 – Information Security Management System

ISO 27001 Clause 5.1 – Leadership and Commitment

ISO 27001 Clause 5.3 – Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 6.1.1 – Planning General

ISO 27001 Clause 6.1.2 – Information Security Risk Assessment

ISO 27001 Clause 6.1.3 – Information Security Risk Treatment

ISO 27001 Clause 6.2 – Information Security Objectives and Planning to Achieve Them

ISO 27001 Clause 6.3 – Planning Of Changes

ISO 27001 Clause 7.1 – Resources

ISO 27001 Clause 7.2 – Competence

ISO 27001 Clause 7.3 – Awareness

ISO 27001 Clause 7.4 – Communication

ISO 27001 Clause 7.5.1 – Documented Information

ISO 27001 Clause 7.5.2 – Creating and Updating Documented Information

ISO 27001 Clause 7.5.3 – Control of Documented Information

ISO 27001 Clause 8.1 – Operational Planning and Control

ISO 27001 Clause 8.2 – Information Security Risk Assessment

ISO 27001 Clause 8.3 – Information Security Risk Treatment

ISO 27001 Clause 9.1 – Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 – Internal Audit

ISO 27001 Clause 9.3 – Management Review

ISO 27001 Clause 10.1 – Continual Improvement

ISO 27001 Clause 10.2 – Nonconformity and Corrective Action

ISO 27001 Organisation Controls

ISO 27001 Annex A 5.1: Policies for information security

ISO 27001 Annex A 5.2: Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3: Segregation of duties

ISO 27001 Annex A 5.4: Management responsibilities

ISO 27001 Annex A 5.5: Contact with authorities

ISO 27001 Annex A 5.6: Contact with special interest groups

ISO 27001 Annex A 5.7: Threat intelligence

ISO 27001 Annex A 5.8: Information security in project management

ISO 27001 Annex A 5.9: Inventory of information and other associated assets

ISO 27001 Annex A 5.10: Acceptable use of information and other associated assets

ISO 27001 Annex A 5.11: Return of assets

ISO 27001 Annex A 5.12: Classification of information

ISO 27001 Annex A 5.13: Labelling of information

ISO 27001 Annex A 5.14: Information transfer

ISO 27001 Annex A 5.15: Access control

ISO 27001 Annex A 5.16: Identity management

ISO 27001 Annex A 5.17: Authentication information

ISO 27001 Annex A 5.18: Access rights

ISO 27001 Annex A 5.19: Information security in supplier relationships

ISO 27001 Annex A 5.20: Addressing information security within supplier agreements

ISO 27001 Annex A 5.21: Managing information security in the ICT supply chain

ISO 27001 Annex A 5.22: Monitoring, review and change management of supplier services

ISO 27001 Annex A 5.23: Information security for use of cloud services

ISO 27001 Annex A 5.24: Information security incident management planning and preparation

ISO 27001 Annex A 5.25: Assessment and decision on information security events

ISO 27001 Annex A 5.26: Response to information security incidents

ISO 27001 Annex A 5.27: Learning from information security incidents

ISO 27001 Annex A 5.28: Collection of evidence

ISO 27001 Annex A 5.29: Information security during disruption

ISO 27001 Annex A 5.30: ICT readiness for business continuity

ISO 27001 Annex A 5.31: Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32: Intellectual property rights

ISO 27001 Annex A 5.33: Protection of records

ISO 27001 Annex A 5.34: Privacy and protection of PII

ISO 27001 Annex A 5.35: Independent review of information security

ISO 27001 Annex A 5.36: Compliance with policies and standards for information security

ISO 27001 Annex A 5.37: Documented operating procedures

ISO 27001 People Controls

ISO 27001 Annex A 6.1: Screening

ISO 27001 Annex A 6.2: Terms and conditions of employment

ISO 27001 Annex A 6.3: Information security awareness, education and training

ISO 27001 Annex A 6.4: Disciplinary process

ISO 27001 Annex A 6.5: Responsibilities after termination or change of employment

ISO 27001 Annex A 6.6: Confidentiality or non-disclosure agreements

ISO 27001 Annex A 6.7: Remote working

ISO 27001 Annex A 6.8: Information security event reporting

Home / ISO 27001 Templates / ISO 27001 Information Classification and Handling Policy Explained + Template

ISO 27001 Information Classification and Handling Policy Explained + Template

Last updated Oct 28, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Information Classification and Handling Policy

The ISO 27001 Information Classification and Handling policy sets out the rules for categorising information and handling it based on that categorisation.

Table of contents

What is it?

Think of an ISO 27001 Information Classification and Handling Policy as a simple rulebook. It’s a set of guidelines that tells you and your team how to protect your company’s information. It helps you figure out what information is important, like customer data or trade secrets, and how to handle it safely. This policy makes sure that everyone knows the right way to use, store, and share information so it doesn’t get lost, stolen, or misused.

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You might think a small business doesn’t need this, but you do! It helps you protect things like your customer lists and financial records, keeping your business running smoothly and building trust with your clients.
  • Tech Startups: For you, it’s all about protecting your cool ideas and new technology. This policy keeps your intellectual property and customer data safe, which is key for your growth and success.
  • AI Companies: You deal with tons of data, so this policy is a lifesaver. It helps you manage and protect the data you use to train your AI models, ensuring your technology is both secure and ethical.

ISO 27001 Information Classification and Handling Policy Template

The ISO 27001:2022 Information Classification and Handling Policy Template  is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.

ISO 27001 Information Classification and Handling Policy Template
Get the ISO 27001 Information Classification and Handling Policy Template

Why you need it

You need this policy to keep your company’s information safe. It helps you avoid things like data breaches, which can be expensive and hurt your reputation. Having this policy also shows your customers and partners that you take information security seriously, which can help you win new business. Plus, it’s a key part of getting and keeping your ISO 27001 certification.

When you need it

You should create this policy as soon as your business starts handling any kind of sensitive information. The sooner you have it, the better. It’s a good idea to have it in place before you go for your ISO 27001 certification, but even if you’re not planning on getting certified right away, it’s smart to have this policy ready to go.

Who needs it?

Everyone in your company needs to know about this policy. From the CEO to the newest intern, everyone plays a part in keeping information secure. You need to make sure everyone understands their role and follows the rules.

Where you need it

You need this policy everywhere you handle information. That means in your office, on your company computers, and even on your personal devices if you use them for work. It’s a company-wide rule that applies no matter where you are.

How to write it

Start by thinking about all the different types of information your company handles. Then, decide how important each type is. For example, your customer’s social security numbers are probably more important than a public press release. Once you’ve ranked your information, you can write the rules for how to handle each type. Keep the language simple and easy to understand.

How to implement it

First, make sure everyone reads and understands the policy. You can do this by holding a short training session or sending out a simple email. Then, you need to make sure you have the right tools in place. This might include things like password managers or secure file-sharing systems. Finally, you need to check in regularly to make sure everyone is still following the rules.

Examples of using it for small businesses

Let’s say you’re a small online store. Your policy would say that you must protect your customer’s credit card information. This means you would use a secure payment system and not save any card numbers on your computer. It would also say that you need to lock your computer when you leave your desk so no one can see your customer list.

Examples of using it for tech startups

If you’re a tech startup creating a new app, your policy would say that your app’s source code is super secret. It would say that only certain people can see it and that you can’t share it with anyone outside the company. It would also say that you need to use strong passwords on all your work accounts to keep your ideas safe.

Examples of using it for AI companies

As an AI company, your policy would say that the data you use to train your AI is very important. It would say that this data must be kept in a secure place and that you can’t use it for anything other than training your AI. This helps protect the privacy of the people in the data.

How the ISO 27001 toolkit can help

An ISO 27001 toolkit is like a shortcut. It gives you a bunch of pre-written documents, like policies and forms, that are already set up to meet the ISO 27001 standards. This saves you a lot of time and makes it easier to get your policy in place quickly.

ISO 27001 Toolkit
Get the Small Business ISO 27001 Toolkit >
ISO 27001 Toolkit Business Edition
ISO 27001 Toolkit Consultant Edition

Information security standards that need it

This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive) 
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology) 
  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has specific controls that relate to secure development. Some of the most important ones include:

ISO 27001 Information Classification and Handling Policy FAQ

What is information classification and handling policy?

A information and classification handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with the information of those types.

How many levels of data classification are there?

There as many levels of classification as are appropriate for the business. It is our recommendation to keep it simple and in most cases we would advise 3 levels of data classification being Confidential, Internal and Public.

We are the 3 levels of information classification?

The 3 levels of information classification that are the most common are Confidential, Internal and Public.

Where can I download an Information Classification Handling Policy template?

You can download a trusted Information Classification Handling Policy template from High Table: The ISO 27001 Company.

Do I need an information classification and handling policy for ISO 27001?

Yes. You need an information classification and handling policy for ISO 27001.

What is the purpose of the Information Classification & Handling policy?

The Information Classification and Handling Scheme provides guidance on the classification of information and the different levels of security required.

What is information classification in ISO 27001?

Information classification in ISO 27001 is the process of assessing data for its importance and sensitivity and assigning the level of protection that data should be given.

Who is responsible for classifying the data?

Data is assigned owners, called Data Owners, and it is the Data Owners that decide the data classification.

What is a data owner?

A data owner is the person that is responsible for the data. All data is assigned and owner.

What responsibilities does a data owner have?

A data owner decides on the data classification, the data retention, the level of protection, the data controls and is responsible for approving access to the data.

Is data classification required for GDPR?

Yes, data classification is required for GDPR.

Is data classification required for data protection?

Yes, data classification is required for data protection.

What are the benefits of data classification?

The main benefit of data classification is that it allows us to protect the data that is most important to us by prioritising our resources and control efforts.

Tags: ISO 27001 Policy Templates
ISO 27001 Toolkit Business Edition
ISO 27001 Toolkit: Business Edition
ISO 27001 Toolkit: Consultant Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.