ISO27001 Information Classification and Handling Policy Beginner’s Guide


In this article we lay bare the ISO27001 Information Classification and Handling Policy: exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is the ISO27001 Information Classification and Handling Policy.

What is an Information Classification and Handling Policy

When it comes to information security most people will start with classification. It is the easiest aspect to understand. We understand if something is confidential and we know what that implies. We don’t need training to work out that we do not want the whole world to know our confidential information or thoughts.

Our policy is going to set out our levels of classification. You can make it complex but I like the simplicity of Public, Internal and Confidential.

It will then lay out what we can and cannot do with information of each of those types.


Information Classification and Handling Policy Template

The information classification and handling policy template is a simple and effective way to set out the life cycle and management of the classification of data and how to handle it.

ISO 27001 Information Classification and Handling Policy

The ISO 27001 Information Classification and Handling Policy ensures that information is correctly classified and then handled according to its classification. It covers information storage, backup, media, destruction and the information classifications themselves. For each classification it provides information guidance, GDPR considerations, information examples, document marking, information controls and destruction requirements.

How to write an Information Classification and Handling Policy

If you are going to write the policy yourself then be sure to cover the following topics:

  • Document Version Control
  • Document Contents Page
  • Purpose
  • Scope
  • Information Classification and Handling Policy
  • Principle
  • Information Storage
  • Confidential Information Storage
  • Control of Devices and Media Containing Information
  • Information Backup
  • Information Destruction
  • Destruction of Hard Copy Paper Records
  • Destruction of Electronic Information
  • Destruction of Electronic media / devices
  • Information Classification
  • Confidential Information
  • Confidential Information Guidance
  • Confidential Information and GDPR
  • Confidential Information Examples
  • Confidential Information Document Marking
  • Confidential Information Controls
  • Confidential Information Destruction
  • Internal Information
  • Internal Information Guidance
  • Internal Information and GDPR
  • Internal Information Examples
  • Internal Information Document Marking
  • Internal Information Controls
  • Internal Information Destruction
  • Public Information
  • Public Information Guidance
  • Public Information and GDPR
  • Public Information Examples
  • Public Information Document Marking
  • Public Information Controls
  • Public Information Destruction
  • Policy Compliance
  • Compliance Measurement
  • Exceptions
  • Non-Compliance
  • Continual Improvement

Data Classification FAQ

What is information classification and handling policy?

An information classification and handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with information of each of those types.

How many levels of data classification are there?

There are as many levels of classification as are appropriate for the business. Our recommendation is to keep it simple, and in most cases we would advise 3 levels of data classification: Confidential, Internal and Public.

What are the 3 levels of information classification?

The 3 levels of information classification that are the most common are Confidential, Internal and Public.

Where can I download an Information Classification Handling Policy template?

You can download a trusted policy from High Table, at this link:

Do I need an information classification and handling policy for ISO 27001?

Yes. You need the policy for ISO 27001.

See Also


ISO/IEC 27001 Information Security Management


FREE 30 minute ISO27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.
