Introduction: More Than Just Labels
Information classification is the foundation of a strong Information Security Management System (ISMS). It is defined in ISO 27001 Annex A 5.12 Classification of information. For any organisation with limited time, getting this right is the first step to success. It ensures all your later security efforts work well. If you get this wrong, many other critical controls will simply fall apart.
The core purpose of this control is to answer a simple question: “How do you decide what to protect and how much security to apply to it?” It provides a common-sense way to apply security based on real risk. This guide cuts through the noise. It gives you a simple framework and a practical checklist to ensure you are audit-ready. Tools like hightable.io can also help streamline this process. Effective classification lets you focus your efforts on protecting what truly matters.
Table of contents
- Introduction: More Than Just Labels
- Why Classification is Your Strategic Starting Line
- Building Your Scheme: The Power of Simplicity
- The 10-Point Audit-Ready Checklist for Annex A 5.12
- 1. Establish and Maintain a Formal Policy
- 2. Clearly Define Your Classification Scheme
- 3. Integrate Legal and Stakeholder Requirements
- 4. Maintain an Up-to-Date Asset Register
- 5. Assign Accountable Information Owners
- 6. Consistently Mark and Label Information
- 7. Communicate and Train on Handling Procedures
- 8. Manage Consistency Across and Between Organisations
- 9. Evidence a Process for Regular Review
- 10. Keep the Scheme Practical, Not Over-Complicated
- Conclusion: From Compliance Chore to Business Advantage
Why Classification is Your Strategic Starting Line
Before you dive into policies, you must understand the business value here. Annex A 5.12 is a preventative control. It ensures you apply security in proportion to the risk. It is the logic that stops you from treating a public brochure like a top-secret file. That would be a waste of budget and patience.
An effective scheme turns abstract goals into clear rules. Here are the benefits.
- Smart Resource Allocation: By sorting data, you can focus your best controls on your “crown jewels.” This includes strong encryption and tight access controls. This stops you from wasting money protecting data that does not need it.
- Consistency and Clarity: A clear scheme removes guesswork. It gives everyone a shared language. It tells every employee exactly how to handle information. They will know how to store it, share it, and destroy it. This is vital for a strong culture.
- Effective Risk Management: You cannot protect what you do not understand. Classification is the intelligence layer for your security. It is not a standalone task. It is needed for other controls. Without an asset register (Annex A 5.9), you have nothing to classify. Without a scheme, your access rules (Annex A 5.15) mean nothing. You cannot restrict access to confidential data if you have not defined what is confidential.
In short, effective classification creates a smart and efficient security posture.
Building Your Scheme: The Power of Simplicity
When you create a scheme, remember that ISO 27001 values results over complexity. A complex scheme is useless. If it confuses employees, they will ignore it. Then you are back to square one.
For most groups, a simple three-level scheme works best. It is easy to use and explain. You should build the scheme around one question: “What is the impact if this data leaks?”
| Classification Level | Definition: “What is the impact if this data leaks?” | Concrete Examples |
|---|---|---|
| Public | Disclosure poses little to no risk. Nobody would care if it was on the news. | Marketing materials, website content, press releases, job postings. |
| Internal | This is for the organisation only. A leak would cause minor damage or a headache. It would not be a disaster. | Internal process documents, drafts of memos, some meeting minutes. |
| Confidential | Exposure would cause major damage. This could be financial loss or breaking laws. This is where you spend the real money on security. | HR files, payroll data, source code, product designs, sensitive customer lists, health data. |
It is vital to note that ISO 27001 does not force you to use specific names. You can use terms like “Restricted” or “Secret” instead. Just ensure your scheme is clear and covers your risks. Practicality always wins.
The 2022 version of the standard shows a four-level scheme as an example. It is not a rule. Do not invent a fourth level unless it solves a real problem. With a clear scheme, you are ready to put it into practice.
The 10-Point Audit-Ready Checklist for Annex A 5.12
This section provides a practical, 10-point checklist. As an auditor, this covers the evidence I look for to pass your organisation on control 5.12. Use this to confirm you are ready.
1. Establish and Maintain a Formal Policy
As an auditor, the first thing I ask for is your policy. It is non-negotiable. I will check for a version number, approval, and a review within the last 12 months. If your policy is old with no proof of review, that is a problem. It tells me your system is just for show, not for real use.
2. Clearly Define Your Classification Scheme
Your policy must define your levels, such as Public or Confidential. You need to show me that you thought about the criteria for each level. Consider confidentiality, integrity, and availability. The policy must also list the handling rules for storing, sharing, and destroying data at each level.
3. Integrate Legal and Stakeholder Requirements
You must show that your scheme respects the law. For example, your policy must show that data with personal info under GDPR can never be “Public.” Special data like health records will almost always be “Confidential.”
4. Maintain an Up-to-Date Asset Register
Classification applies to your assets. I will ask for your current asset register. I will then pick assets from this list. I expect to see an owner and a classification level for each one. Using a platform like hightable.io can help keep this register accurate and accessible.
5. Assign Accountable Information Owners
Every asset must have an owner. This is usually a department head or the person who manages the data. This owner is responsible for assigning the right level. They must also review it often. Without ownership, there is no accountability.
6. Consistently Mark and Label Information
A policy is useless if you do not use it. I will look for physical proof that information is labelled. This could be a footer in a document or a metadata tag. It could also be a physical sticker. If assets are not marked based on the policy, it is a compliance gap.
7. Communicate and Train on Handling Procedures
Show me that staff have been trained. This could be part of onboarding or regular security training. You could also use a simple one-page summary. Employees need to understand the rules for each level.
8. Manage Consistency Across and Between Organisations
First, ensure all departments use the scheme the same way. Second, you must have a process for shared information. You need to map your levels to those of your suppliers or partners. This ensures data stays safe when it leaves your hands.
9. Evidence a Process for Regular Review
The value of information changes over time. Show that you review classifications at least once a year. You should also review them when a big change happens, like a project ending. This proves your system is alive and active.
10. Keep the Scheme Practical, Not Over-Complicated
Be ready to defend your scheme. A three-level system works for most groups. If I see a seven-level scheme, it is a warning sign. It suggests the system is too complex to be used well. It is likely failing in practice.
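As an added example (not code from this guide, hightable.io, or the author's toolkits), the following script runs the register-related checklist items (3, 4, 5 and 9) over a constructed asset register. The register fields (name, owner, classification, personal_data, last_review) and the ordering of the three levels are assumptions made for the example.

```python
from datetime import date, timedelta

# Three-level scheme from the table above; the level names are the guide's,
# the lowest-to-highest ordering is an assumption of this example.
LEVELS = ("Public", "Internal", "Confidential")
REVIEW_PERIOD = timedelta(days=365)  # "within the last 12 months"


def audit_register(register, today):
    """Return a list of findings; an empty list means every checked item passes.

    Each register entry is a constructed dict with keys: name, owner,
    classification, personal_data (bool), last_review (date or None).
    """
    findings = []
    for asset in register:
        name = asset.get("name", "<unnamed>")
        level = asset.get("classification")
        # Items 2 and 4: every asset carries a level from the defined scheme
        if level not in LEVELS:
            findings.append(f"{name}: classification {level!r} is not in the scheme")
        # Item 5: every asset has an accountable information owner
        if not asset.get("owner"):
            findings.append(f"{name}: no information owner assigned")
        # Item 3: personal data under GDPR can never be Public
        if asset.get("personal_data") and level == "Public":
            findings.append(f"{name}: personal data classified as Public")
        # Item 9: the classification was reviewed within the last 12 months
        last = asset.get("last_review")
        if last is None or today - last > REVIEW_PERIOD:
            findings.append(f"{name}: no review in the last 12 months")
    return findings


# Constructed sample register (not real assets); the third entry is deliberately
# missing an owner, labels personal data as Public and has a stale review date.
SAMPLE_REGISTER = [
    {"name": "Website content", "owner": "Marketing lead", "classification": "Public",
     "personal_data": False, "last_review": date(2024, 3, 1)},
    {"name": "Payroll data", "owner": "HR manager", "classification": "Confidential",
     "personal_data": True, "last_review": date(2024, 2, 15)},
    {"name": "Customer newsletter list", "owner": "", "classification": "Public",
     "personal_data": True, "last_review": date(2022, 6, 1)},
]


def audit_sample():
    """Audit the constructed register as of a fixed date (2024-06-01)."""
    return audit_register(SAMPLE_REGISTER, date(2024, 6, 1))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```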
Conclusion: From Compliance Chore to Business Advantage
In the end, information classification is not just about ticking boxes. It is about using common sense. You sort your data based on its value. This helps you make smarter choices about where to invest your security resources.
A simple and consistent system is key. It protects what matters most without stopping business. Following these steps will help you pass your ISO 27001 audit. More importantly, it will help you build a safer and more efficient organisation.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
