In this article we lay bare ISO27001 Information Classification and Handling Policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is the ISO27001 Information Classification and Handling Policy.
What is an Information Classification and Handling Policy
When it comes to information security most people will start with classification. It is the easiest aspect to understand. We understand if something is confidential and we know what that implies. We don’t need training to work out that we do not want the whole world to know our confidential information or thoughts.
Our policy is going to set out our levels of classification. You can make it complex but I like the simplicity of Public, Internal and Confidential.
It will then layout what we can and cannot do with information of those types.
Information Classification and Handling Policy Template
The information classification and handling policy template is a simple and effective way to set out the life cycle and management of the classification of data and how to handle it.
ISO 27001 Information Classification and Handling Policy
The ISO 27001 Information Classification and Handling policy is ensuring the correct classification and handling of information based on its classification. Information storage, backup, media, destruction and the information classifications are covered here. For each classification Information Guidance is provided, GDPR considerations, Information Examples, Document Marking, Information Controls and Destruction are covered.
How to write an Information Classification and Handling Policy
If you are going to write the policy yourself then be sure to cover the following topics:
- Document Version Control
- Document Contents Page
- Purpose
- Scope
- Information Classification and Handling Policy
- Principle
- Information Storage
- Confidential Information Storage
- Control of Devices and Media Containing Information
- Information Back Up
- Information Destruction
- Destruction of Hard copy paper records
- Destruction of Electronic Information
- Destruction of Electronic media / devices
- Information Classification
- Confidential Information
- Confidential Information Guidance
- Confidential Information and GDPR
- Confidential Information Examples
- Confidential Information Document Marking
- Confidential Information Controls
- Confidential Information Destruction
- Internal Information
- Internal Information Guidance
- Internal Information and GDPR
- Internal Information Examples
- Internal Information Document Marking
- Internal Information Controls
- Internal Information Destruction
- Public Information
- Public Information Guidance
- Public Information and GDPR
- Public Information Examples
- Public Information Document Marking
- Public Information Controls
- Public Information Destruction
- Policy Compliance
- Compliance Measurement
- Exceptions
- Non-Compliance
- Continual Improvement
Data Classification FAQ
A information and classification handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with the information of those types.
There as many levels of classification as are appropriate for the business. It is our recommendation to keep it simple and in most cases we would advise 3 levels of data classification being Confidential, Internal and Public.
The 3 levels of information classification that are the most common are Confidential, Internal and Public.
You can download a trusted policy from High Table, at this link: https://hightable.io/product/information-classification-and-handling-policy-template/
Yes. You need the policy for ISO 27001.
See Also
- The Ultimate Reference Guide to ISO 27001 Policies
- Guaranteed ISO 27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO 27001 TOOLKIT so you can do it yourself
- ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)