In this article I lay bare the ISO 27001 Information Classification and Handling Policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.
I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Information Classification and Handling Policy.
Table of contents
- What is Information Classification
- ISO 27001 Information Classification and Handling Policy
- Information Classification and Handling Policy Template
- How to write an Information Classification and Handling Policy
- ISO 27001 Information Classification Summary Example
- Relevant ISO 27001 Annex A Controls
- ISO 27001 Information Classification FAQ
What is Information Classification
When it comes to information security most people will start with classification. It is the easiest aspect to understand. We understand if something is confidential and we know what that implies. We don’t need training to work out that we do not want the whole world to know our confidential information or thoughts.
Our policy is going to set out our levels of classification. You can make it complex but I like the simplicity of Public, Internal and Confidential.
It will then layout what we can and cannot do with information of those types.
Information Classification is covered in the ISO 27001 standard in ISO 27001:2022 Annex A Control 5.12 Classification Of Information
ISO 27001 Information Classification and Handling Policy
The ISO 27001 Information Classification and Handling policy is ensuring the correct classification and handling of information based on its classification.
When looking the handling of information we consider
- Information storage
- the type of media
- the actual information classification.
For each classification it is good practice to provide information guidance is provided, GDPR considerations, Information Examples, Document Marking, Information Controls and Destruction.
Information Classification and Handling Policy Template
Wish there was a quicker way to complete your ISO 27001 Information Classification and Handling Policy Template? There is. In fact, I’ve written it for you. (Thank me later!)
The Most Ruthlessly Effective and Aggressively Priced ISO 27001 Toolkit in the World.
Join over 1,500+ Empowered Consultants & Business Owners
How to write an Information Classification and Handling Policy
If you are going to write the policy yourself then be sure to cover the following topics:
- Document Version Control
- Document Contents Page
- Information Classification and Handling Policy
- Information Storage
- Confidential Information Storage
- Control of Devices and Media Containing Information
- Information Back Up
- Information Destruction
- Destruction of Hard copy paper records
- Destruction of Electronic Information
- Destruction of Electronic media / devices
- Information Classification
- Confidential Information
- Confidential Information Guidance
- Confidential Information and GDPR
- Confidential Information Examples
- Confidential Information Document Marking
- Confidential Information Controls
- Confidential Information Destruction
- Internal Information
- Internal Information Guidance
- Internal Information and GDPR
- Internal Information Examples
- Internal Information Document Marking
- Internal Information Controls
- Internal Information Destruction
- Public Information
- Public Information Guidance
- Public Information and GDPR
- Public Information Examples
- Public Information Document Marking
- Public Information Controls
- Public Information Destruction
- Policy Compliance
- Compliance Measurement
- Continual Improvement
ISO 27001 Information Classification Summary Example
This this is a great ISO 27001 information classification summary example. You can download the classification summary here.
Relevant ISO 27001 Annex A Controls
The following are relevant ISO 27001 Annex A controls:
ISO 27001 Information Classification FAQ
A information and classification handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with the information of those types.
There as many levels of classification as are appropriate for the business. It is our recommendation to keep it simple and in most cases we would advise 3 levels of data classification being Confidential, Internal and Public.
The 3 levels of information classification that are the most common are Confidential, Internal and Public.
You can download a trusted Information Classification Handling Policy template from High Table: The ISO 27001 Company.
Yes. You need an information classification and handling policy for ISO 27001.
The Information Classification and Handling Scheme provides guidance on the classification of information and the different levels of security required.
Information classification in ISO 27001 is the process of assessing data for its importance and sensitivity and assigning the level of protection that data should be given.
Data is assigned owners, called Data Owners, and it is the Data Owners that decide the data classification.
A data owner is the person that is responsible for the data. All data is assigned and owner.
A data owner decides on the data classification, the data retention, the level of protection, the data controls and is responsible for approving access to the data.
Yes, data classification is required for GDPR.
Yes, data classification is required for data protection.
The main benefit of data classification is that it allows us to protect the data that is most important to us by prioritising our resources and control efforts.