
ISO 27001 Information Classification and Handling Policy Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

The ISO 27001 Information Classification and Handling policy sets out the rules for categorising information and handling it based on that categorisation.

What is it?

Think of an ISO 27001 Information Classification and Handling Policy as a simple rulebook. It’s a set of guidelines that tells you and your team how to protect your company’s information. It helps you figure out what information is important, like customer data or trade secrets, and how to handle it safely. This policy makes sure that everyone knows the right way to use, store, and share information so it doesn’t get lost, stolen, or misused.

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You might think a small business doesn’t need this, but you do! It helps you protect things like your customer lists and financial records, keeping your business running smoothly and building trust with your clients.
  • Tech Startups: For you, it’s all about protecting your cool ideas and new technology. This policy keeps your intellectual property and customer data safe, which is key for your growth and success.
  • AI Companies: You deal with tons of data, so this policy is a lifesaver. It helps you manage and protect the data you use to train your AI models, ensuring your technology is both secure and ethical.

ISO 27001 Information Classification and Handling Policy Template

The ISO 27001:2022 Information Classification and Handling Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

Why you need it

You need this policy to keep your company’s information safe. It helps you avoid things like data breaches, which can be expensive and hurt your reputation. Having this policy also shows your customers and partners that you take information security seriously, which can help you win new business. Plus, it’s a key part of getting and keeping your ISO 27001 certification.

When you need it

You should create this policy as soon as your business starts handling any kind of sensitive information. The sooner you have it, the better. It’s a good idea to have it in place before you go for your ISO 27001 certification, but even if you’re not planning on getting certified right away, it’s smart to have this policy ready to go.

Who needs it?

Everyone in your company needs to know about this policy. From the CEO to the newest intern, everyone plays a part in keeping information secure. You need to make sure everyone understands their role and follows the rules.

Where you need it

You need this policy everywhere you handle information. That means in your office, on your company computers, and even on your personal devices if you use them for work. It’s a company-wide rule that applies no matter where you are.

How to write it

Start by thinking about all the different types of information your company handles. Then, decide how important each type is. For example, your customers’ social security numbers are probably more important than a public press release. Once you’ve ranked your information, you can write the rules for how to handle each type. Keep the language simple and easy to understand.

How to implement it

First, make sure everyone reads and understands the policy. You can do this by holding a short training session or sending out a simple email. Then, you need to make sure you have the right tools in place. This might include things like password managers or secure file-sharing systems. Finally, you need to check in regularly to make sure everyone is still following the rules.

Examples of using it for small businesses

Let’s say you’re a small online store. Your policy would say that you must protect your customers’ credit card information. This means you would use a secure payment system and not save any card numbers on your computer. It would also say that you need to lock your computer when you leave your desk so no one can see your customer list.

Examples of using it for tech startups

If you’re a tech startup creating a new app, your policy would say that your app’s source code is super secret. It would say that only certain people can see it and that you can’t share it with anyone outside the company. It would also say that you need to use strong passwords on all your work accounts to keep your ideas safe.

Examples of using it for AI companies

As an AI company, your policy would say that the data you use to train your AI is very important. It would say that this data must be kept in a secure place and that you can’t use it for anything other than training your AI. This helps protect the privacy of the people in the data.

How the ISO 27001 toolkit can help

An ISO 27001 toolkit is like a shortcut. It gives you a bunch of pre-written documents, like policies and forms, that are already set up to meet the ISO 27001 standards. This saves you a lot of time and makes it easier to get your policy in place quickly.


Information security standards that need it

This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)

List of relevant ISO 27001:2022 controls

The ISO 27001:2022 standard has specific controls that relate to this policy. Some of the most important ones include:

ISO 27001 Information Classification and Handling Policy FAQ

What is information classification and handling policy?

An information classification and handling policy is a simple policy that sets out the levels of data classification and what you can and cannot do with information of each type.

How many levels of data classification are there?

There are as many levels of classification as are appropriate for the business. It is our recommendation to keep it simple, and in most cases we would advise 3 levels of data classification: Confidential, Internal and Public.

What are the 3 levels of information classification?

The 3 levels of information classification that are the most common are Confidential, Internal and Public.

Where can I download an Information Classification Handling Policy template?

You can download a trusted Information Classification Handling Policy template from High Table: The ISO 27001 Company.

Do I need an information classification and handling policy for ISO 27001?

Yes. You need an information classification and handling policy for ISO 27001.

What is the purpose of the Information Classification & Handling policy?

The Information Classification and Handling Scheme provides guidance on the classification of information and the different levels of security required.

What is information classification in ISO 27001?

Information classification in ISO 27001 is the process of assessing data for its importance and sensitivity and assigning the level of protection that data should be given.

Who is responsible for classifying the data?

Data is assigned owners, called Data Owners, and it is the Data Owners that decide the data classification.

What is a data owner?

A data owner is the person that is responsible for the data. All data is assigned an owner.

What responsibilities does a data owner have?

A data owner decides on the data classification, the data retention, the level of protection, the data controls and is responsible for approving access to the data.

Is data classification required for GDPR?

Yes, data classification is required for GDPR.

Is data classification required for data protection?

Yes, data classification is required for data protection.

What are the benefits of data classification?

The main benefit of data classification is that it allows us to protect the data that is most important to us by prioritising our resources and control efforts.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.