In this ultimate how-to audit guide to ISO 27001 Annex A 5.12 Classification of Information, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Classification Scheme Formally Defined
- 2. Handling Guidelines Explicitly Documented
- 3. Asset Register Classification Integration Verified
- 4. Visual Labelling Implementation Verified
- 5. Data Loss Prevention (DLP) Rules Active
- 6. Third-Party Mapping Agreements Validated
- 7. User Awareness of Classification Confirmed
- 8. De-classification Process Evidence Present
- 9. Legal & Regulatory Alignment Verified
- 10. Owner-Driven Classification Confirmed
Auditing ISO 27001 Annex A 5.12 means validating the classification scheme applied to information assets, so that each asset receives protection appropriate to its sensitivity. The audit confirms the Primary Implementation Requirement: that information is labelled, handled, and protected according to its value and criticality. The Business Benefit is the prevention of unauthorised disclosure and the reduction of data leakage risk.
Use this pass/fail checklist to strictly validate compliance with ISO 27001 Annex A 5.12 (Classification of information). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Annex A 5.12 Audit Guide.
1. Classification Scheme Formally Defined
- Verification Criteria: A formal policy document exists that explicitly defines the organisation’s classification levels (e.g., Public, Internal, Confidential) and is approved by management.
- Required Evidence: The “Information Classification Policy” (Version Control Table showing approval within the last 12 months).
- Pass/Fail Test: If the scheme relies on ad-hoc terms or unwritten “common knowledge” rather than a documented hierarchy, mark as Non-Compliant.
2. Handling Guidelines Explicitly Documented
- Verification Criteria: Each defined classification level has clear, written handling instructions covering storage, transmission, and destruction.
- Required Evidence: A “Handling Matrix” or “Data Handling Procedure” document that maps levels (e.g., “Confidential”) to technical requirements (e.g., “AES-256 Encryption required”).
- Pass/Fail Test: If the policy defines “Top Secret” but fails to specify how to transmit it (e.g., “Do not email”), mark as Non-Compliant.
3. Asset Register Classification Integration Verified
- Verification Criteria: The Information Asset Inventory (Annex A 5.9) includes a mandatory column for “Classification Level” that is populated for all critical assets.
- Required Evidence: A distinct sample of the Master Asset Register showing “Classification” fields populated for 5 random information assets.
- Pass/Fail Test: If the Asset Register lists hardware (laptops) but does not classify the data stored on them, mark as Non-Compliant.