ISO 27001 Information Classification and Handling Policy: Ultimate Guide


Introduction

In this ultimate guide I show you everything you need to know about the ISO 27001 Information Classification and Handling Policy. I expose the insider trade secrets, give you the templates that will save you hours of your life and show you exactly what you need to do to satisfy it for ISO 27001 certification. I also show you exactly what changed in the ISO 27001:2022 update.

I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Information Classification and Handling Policy.

What is Information Classification

When it comes to information security most people will start with classification. It is the easiest aspect to understand. We understand if something is confidential and we know what that implies. We don’t need training to work out that we do not want the whole world to know our confidential information or thoughts.

Our policy is going to set out our levels of classification. You can make it complex but I like the simplicity of Public, Internal and Confidential.

It will then lay out what we can and cannot do with information of each of those types.

Information Classification is covered in the ISO 27001 standard in ISO 27001:2022 Annex A Control 5.12 Classification of Information.


ISO 27001 Information Classification and Handling Policy

The ISO 27001 Information Classification and Handling Policy ensures that information is correctly classified and is then handled according to its classification.

When looking at the handling of information we consider:

  • information storage
  • backup
  • the type of media
  • destruction
  • the actual information classification.

For each classification it is good practice to provide guidance, GDPR considerations, information examples, document marking, information controls and destruction requirements.

Information Classification and Handling Policy Template

Wish there was a quicker way to complete your ISO 27001 Information Classification and Handling Policy Template? There is. In fact, I’ve written it for you. (Thank me later!)

ISO 27001 Information Classification and Handling Policy Template

How to write an Information Classification and Handling Policy

If you are going to write the policy yourself then be sure to cover the following topics:

  • Document Version Control
  • Document Contents Page
  • Purpose
  • Scope
  • Information Classification and Handling Policy
  • Principle
  • Information Storage
  • Confidential Information Storage
  • Control of Devices and Media Containing Information
  • Information Back Up
  • Information Destruction
  • Destruction of Hard copy paper records
  • Destruction of Electronic Information
  • Destruction of Electronic media / devices
  • Information Classification
  • Confidential Information
  • Confidential Information Guidance
  • Confidential Information and GDPR
  • Confidential Information Examples
  • Confidential Information Document Marking
  • Confidential Information Controls
  • Confidential Information Destruction
  • Internal Information
  • Internal Information Guidance
  • Internal Information and GDPR
  • Internal Information Examples
  • Internal Information Document Marking
  • Internal Information Controls
  • Internal Information Destruction
  • Public Information
  • Public Information Guidance
  • Public Information and GDPR
  • Public Information Examples
  • Public Information Document Marking
  • Public Information Controls
  • Public Information Destruction
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement

ISO 27001 Information Classification Summary Example

This is a great ISO 27001 information classification summary example. You can download the classification summary here.

ISO 27001 Information Classification Summary Template

Relevant ISO 27001 Annex A Controls

The following are relevant ISO 27001 Annex A controls:

ISO 27001 Annex A 5.12 Classification Of Information

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Information Classification FAQ

What is information classification and handling policy?

An information classification and handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with information of each of those types.

How many levels of data classification are there?

There are as many levels of classification as are appropriate for the business. Our recommendation is to keep it simple, and in most cases we would advise 3 levels of data classification: Confidential, Internal and Public.

What are the 3 levels of information classification?

The 3 levels of information classification that are the most common are Confidential, Internal and Public.

Where can I download an Information Classification Handling Policy template?

You can download a trusted Information Classification Handling Policy template from High Table: The ISO 27001 Company.

Do I need an information classification and handling policy for ISO 27001?

Yes. You need an information classification and handling policy for ISO 27001.

What is the purpose of the Information Classification & Handling policy?

The Information Classification and Handling Scheme provides guidance on the classification of information and the different levels of security required.

What is information classification in ISO 27001?

Information classification in ISO 27001 is the process of assessing data for its importance and sensitivity and assigning the level of protection that data should be given.

Who is responsible for classifying the data?

Data is assigned owners, called Data Owners, and it is the Data Owners that decide the data classification.

What is a data owner?

A data owner is the person who is responsible for the data. All data is assigned an owner.

What responsibilities does a data owner have?

A data owner decides on the data classification, the data retention, the level of protection, the data controls and is responsible for approving access to the data.

Is data classification required for GDPR?

Yes, data classification is required for GDPR.

Is data classification required for data protection?

Yes, data classification is required for data protection.

What are the benefits of data classification?

The main benefit of data classification is that it allows us to protect the data that is most important to us by prioritising our resources and control efforts.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.12 Classification of information

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing