In this ultimate guide I show you everything you need to know about the ISO27001 Information Classification and Handling Policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. I show you exactly what changed in the ISO27001:2022 update.

I am Stuart Barker the ISO27001 Ninja and this is the ISO27001 Information Classification and Handling Policy.

What is Information Classification

When it comes to information security most people will start with classification. It is the easiest aspect to understand. We understand if something is confidential and we know what that implies. We don’t need training to work out that we do not want the whole world to know our confidential information or thoughts.

Our policy is going to set out our levels of classification. You can make it complex but I like the simplicity of Public, Internal and Confidential.

It will then layout what we can and cannot do with information of those types.

Information Classification is covered in the ISO27001 standard in ISO27001:2022 Annex A Control 5.12  Classification Of Information



ISO27001 Information Classification and Handling Policy

The ISO27001 Information Classification and Handling policy is ensuring the correct classification and handling of information based on its classification.

When looking the handling of information we consider

  • Information storage
  • backup
  • the type of media
  • destruction
  • the actual information classification.

For each classification it is good practice to provide information guidance is provided, GDPR considerations, Information Examples, Document Marking, Information Controls and Destruction.

Information Classification and Handling Policy Template

Wish there was a quicker way to complete your ISO27001 Information Classification and Handling Policy Template? There is. In fact, I’ve written it for you. (Thank me later!)

ISO 27001 Information Classification and Handling Policy Template

How to write an Information Classification and Handling Policy

If you are going to write the policy yourself then be sure to cover the following topics:

  • Document Version Control
  • Document Contents Page
  • Purpose
  • Scope
  • Information Classification and Handling Policy
  • Principle
  • Information Storage
  • Confidential Information Storage
  • Control of Devices and Media Containing Information
  • Information Back Up
  • Information Destruction
  • Destruction of Hard copy paper records
  • Destruction of Electronic Information
  • Destruction of Electronic media / devices
  • Information Classification
  • Confidential Information
  • Confidential Information Guidance
  • Confidential Information and GDPR
  • Confidential Information Examples
  • Confidential Information Document Marking
  • Confidential Information Controls
  • Confidential Information Destruction
  • Internal Information
  • Internal Information Guidance
  • Internal Information and GDPR
  • Internal Information Examples
  • Internal Information Document Marking
  • Internal Information Controls
  • Internal Information Destruction
  • Public Information
  • Public Information Guidance
  • Public Information and GDPR
  • Public Information Examples
  • Public Information Document Marking
  • Public Information Controls
  • Public Information Destruction
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement

ISO27001 Information Classification Summary Example

This this is a great ISO27001 information classification summary example. You can download the classification summary here.

ISO 27001 Information Classification Summary Template

Relevant ISO27001 Annex A Controls

The following are relevant ISO27001 Annex A controls:

ISO27001 Annex A 5.12 Classification Of Information

ISO27001 Annex A 8.10 Information Deletion

ISO27001 Information Classification FAQ

What is information classification and handling policy?

A information and classification handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with the information of those types.

How many levels of data classification are there?

There as many levels of classification as are appropriate for the business. It is our recommendation to keep it simple and in most cases we would advise 3 levels of data classification being Confidential, Internal and Public.

We are the 3 levels of information classification?

The 3 levels of information classification that are the most common are Confidential, Internal and Public.

Where can I download an Information Classification Handling Policy template?

You can download a trusted Information Classification Handling Policy template from High Table: The ISO27001 Company.

Do I need an information classification and handling policy for ISO27001?

Yes. You need an information classification and handling policy for ISO27001.

What is the purpose of the Information Classification & Handling policy?

The Information Classification and Handling Scheme provides guidance on the classification of information and the different levels of security required.

What is information classification in ISO27001?

Information classification in ISO27001 is the process of assessing data for its importance and sensitivity and assigning the level of protection that data should be given.

Who is responsible for classifying the data?

Data is assigned owners, called Data Owners, and it is the Data Owners that decide the data classification.

What is a data owner?

A data owner is the person that is responsible for the data. All data is assigned and owner.

What responsibilities does a data owner have?

A data owner decides on the data classification, the data retention, the level of protection, the data controls and is responsible for approving access to the data.

Is data classification required for GDPR?

Yes, data classification is required for GDPR.

Is data classification required for data protection?

Yes, data classification is required for data protection.

What are the benefits of data classification?

The main benefit of data classification is that it allows us to protect the data that is most important to us by prioritising our resources and control efforts.