ISO 27001 Annex A 5.12 Classification of Information is a security control that mandates organizations categorize data based on sensitivity and legal requirements. The primary objective is to implement a risk-based data classification scheme, ensuring the ultimate business benefit of allocating security resources proportionally to protect critical assets.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.12 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.12 Classification of Information
ISO 27001 Annex A 5.12 requires organizations to classify information according to its security needs, based on confidentiality, integrity, availability, and the requirements of interested parties. With limited resources, it is impossible to apply the highest level of security to all data. This control ensures you apply protection proportionately based on risk. By categorizing your data (e.g., Public vs. Confidential), you can focus your security budget and efforts where they matter most—protecting your “Crown Jewels” while maintaining efficiency for non-sensitive data.
Core requirements for compliance include:
- Simple Classification Scheme: You must define a clear scheme for data levels. While the standard suggests up to four levels, most successful implementations use a simple 3-tier approach: Public, Internal, and Confidential.
- Assigned Information Owners: Every data set or information asset must have an assigned “Owner.” The owner is responsible for determining the classification level and ensuring the data is handled correctly throughout its life cycle.
- Consistency Across the Org: Classification must be a universal language. Whether it’s a paper document or a digital database, everyone in the company must classify and handle the same type of data in the same way.
- Visual or Meta-Labelling: Classified information should be clearly marked. This can be visual (e.g., a “Confidential” watermark) or technical (e.g., metadata tags used by Data Loss Prevention (DLP) software).
- Legal Alignment: Your scheme must account for legal and regulatory requirements (like GDPR). Personal data, for example, can almost never be classified as “Public.”
Audit Focus: Auditors will look for “The Marking Gap”:
- Direct Inspection: An auditor will point to a random internal report or email and ask: “What is the classification of this data, and how can I see that label?”
- Asset Register Link: They will check your Data Asset Register (A.5.9) to see if classification levels are documented for every entry.
- Staff Knowledge: They may ask an employee: “If you are sending a ‘Confidential’ document to a client, what extra steps must you take (e.g., encryption)?”
Information Classification Scheme (Audit Prep):
| Level | Definition | Example Data | Required Control |
|---|---|---|---|
| Public | Intended for public release. | Marketing brochures, Website. | None. |
| Internal | Employee-use only. | Org charts, Internal policies. | Password protection. |
| Confidential | Sensitive business/personal data. | Customer lists, Payroll, IP. | Encryption + MFA. |
| Secret | Critical to company survival. | M&A Strategy, Encryption keys. | Hardened access logs. |
Table of contents
- What is ISO 27001 Annex A 5.12?
- Watch the ISO 27001 Annex A 5.12 Tutorial
- ISO 27001 Annex A 5.12 Podcast
- Information Classification Scheme
- Example Classification Levels
- The 3 levels of information classification
- ISO 27001 Annex A 5.12 Implementation Guidance
- How to implement ISO 27001 Annex A 5.12
- ISO 27001 Annex A 5.12 Implementation Checklist
- How to audit ISO 27001 Annex A 5.12
- ISO 27001 Annex A 5.12 Audit Checklist
- Classification Scheme Definition
- ISO 27001 Templates
- How to comply
- How to pass the ISO 27001 Annex A 5.12 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.12 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.12 across different business models.
- Fast Track ISO 27001 Annex A 5.12 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.12 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.12 FAQ
- ISO 27001 Related Controls and Further Reading
- ISO 27001 controls and attribute values
What is ISO 27001 Annex A 5.12?
Information classification is a way to categorise the different types of information in your organisation and apply the level of information security required based on the risk.
With limited resources it doesn’t make sense to apply the highest level of security to all data so we apply it proportionately based on risk and business need.
ISO 27001 Annex A 5.12 Classification of Information is an ISO 27001 control that requires an organisation to classify information based on the needs of the organisation and relevant interested parties.
ISO 27001 Annex A 5.12 Purpose
The purpose of ISO 27001 Annex A 5.12 is to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.
ISO 27001 Annex A 5.12 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.12 as:
Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.
ISO 27001:2022 Annex A 5.12 Classification of Information
Watch the ISO 27001 Annex A 5.12 Tutorial
In the video ISO 27001 Annex A 5.12 Classification Of Information Explained, I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.12 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.12 Classification Of Information. The podcast explores what it is, why it is important and the path to compliance.
Information Classification Scheme
You must decide on the information classification scheme that you will adopt.
The information classification scheme is the definition of the information classification levels and the rules that apply to those various levels.
It is used to guide your employees and the people that work with you, explaining to them what is expected when handling and managing data.
Classification schemes can be as complicated or as simple as you want to make them. My advice would be to keep it simple.
Your starting point for deciding what classification scheme to adopt is to review the laws and regulations that relate to you and customer requirements that may contractually oblige you to have a certain scheme in place.
Example Classification Levels
The levels of classification are in the classification scheme.
If you have the benefit of defining your own classification scheme, I have found that three levels of information classification work well for smaller organisations.
The 3 levels of information classification
| Classification Level | Description | Examples |
|---|---|---|
| Public | This is for documentation that poses little to no risk to you and that you don’t really need to protect. | Marketing, website, promotional materials. |
| Internal | This is for documentation that’s specific to the organisation. If it became public it could cause some minor embarrassment and poses a medium risk to you. | Your process documentation, certain management reports, broad based internal communications. |
| Confidential | This is the highest level of classification. If it became public it could cause major embarrassment, cost you money, put your operations at risk, expose your intellectual property, violate laws and regulations. | HR data relating to individuals, payroll data, health data, intellectual property, bespoke and proprietary technical and systems information such as code, schematics and information security protections. |
ISO 27001 Annex A 5.12 Implementation Guidance
You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of people we would recommend a simple, 3 tier approach to information classification. As with all aspects of information security you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case then follow their lead. For everyone else, keep it simple.
Key Points
- You need to understand the information and data that you have and then decide on protection that is proportionate and appropriate to the value of that data.
- The approach has to be consistent across the organisation and remove personal judgment.
- The protections are to maintain information security being the confidentiality, integrity and availability of data.
- It does form one of the foundation blocks of building your information security management system, so take time getting this right and making it appropriate to you.
Write an information and classification handling policy
You need to write an information and classification handling policy. The policy should set out what your levels of classification are. It should address how you approach data protection in terms of the classification of data covered by data protection laws. The policy should lay out all of the expected controls per classification. The scope of the policy will cover the entire information life cycle.
Define the classification scheme
You’re working with the business to understand the needs of the business, operationalise the business and help the business move forward. Whether you choose a predefined classification scheme, have one imposed on you or write your own, you need to define your classification scheme. Examples are provided above and in the policy template.
The classification scheme has to take into account the confidentiality, integrity and availability requirements.
Base it on business need
The needs of the business are paramount, and classifications and controls should take those needs into account. Consider the sharing or restricting of information, the availability requirements for information and the protection of information integrity.
Meet Legal and Regulatory Requirements
Working with your legal team and referencing back to the work done on the legal register you are going to ensure that your classification scheme fully meets the requirements of the law and relevant regulators.
When you assess the legal and regulatory requirements and create your legal register, you are considering the laws that apply to you that impact information security. Ensure those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements will always take priority over your own classification.
Assign Information Owners
The owners of the information are responsible for the classification of the information. Information owners play a key role in information security and if you haven’t already assigned them then you should assign them now.
Review and update information classification
ISO 27001 is a standard based on continual improvement and as such the classification of data and the actual classification scheme should be reviewed and updated on a periodic basis.
Information changes over time in context, use, value. The classification of information should be regularly reviewed over time, at least annually and as significant changes occur.
Align to the topic specific policy requirement for access control
The standard explicitly calls out aligning to the topic specific policy requirement for access control. Access control is directly aligned to information classification.
Be consistent across the organisation
Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.
Be consistent between organisations
Make sure that your classification scheme maps to that of third parties and customers: you should be able, where relevant and applicable, to map your information classification scheme to that of other organisations.
As different organisations have different schemes and approaches, you will need to put in place a mechanism to ensure consistency between the schemes used. This will be dependent on use and context, but the idea is that you have in place an agreement on the interpretation of classification and classification levels.
In addition
- Put in place an information classification process that describes exactly what you do through the information management lifecycle
- Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data is – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
- Follow best practice and your information classification policy for marking data with its classification. This can be visible on the data itself, but it can also be held in the metadata. You need to be able to identify the classification level of the information.
- Put in place controls appropriate to the level of information classification and based on the risk to the business.
- Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.
How to implement ISO 27001 Annex A 5.12
Implementing ISO 27001 Annex A 5.12 requires a transition from ad hoc data handling to a formalised, risk-based governance structure. By categorising information based on its value and legal sensitivity, organisations ensure that security controls are applied proportionally. This action-orientated guide provides the technical and procedural steps necessary to establish a compliant classification framework that satisfies lead auditor requirements.
1. Formalise the Information Classification Policy
- Define a clear classification scheme tailored to your business needs, such as a three-tier model: Public, Internal, and Confidential.
- Document the specific criteria for each level to remove ambiguity during data categorisation.
- Ensure the policy details the exact security controls expected for each tier throughout the entire information lifecycle.
2. Integrate Legal and Regulatory Requirements
- Map data protection laws, such as GDPR, directly to your classification tiers.
- Identify personal and special category data to ensure it is never classified as Public.
- Prioritise legal obligations over internal business preferences when applying security restrictions.
3. Assign Information Asset Owners
- Provision clear ownership for all critical data sets within your organisation.
- Delegate the responsibility of determining the correct classification level to these assigned owners.
- Mandate that owners oversee the secure handling of their assigned assets throughout the data lifecycle.
4. Deploy a Centralised Data Asset Register
- Deploy a comprehensive Data Asset Register to centralise your inventory of information assets.
- Record the assigned owner, classification level, and specific location for every documented asset.
- Update the register dynamically to reflect new assets or changes in data sensitivity.
5. Implement Visual and Metadata Labelling
- Implement visual markers, such as watermarks or headers, on physical and digital documents to clearly indicate their classification.
- Configure metadata labels within your digital files to support automated security tools.
- Integrate these labels with Data Loss Prevention (DLP) software to block unauthorised data exfiltration.
6. Align Access Control Mechanisms
- Configure Identity and Access Management (IAM) roles based on the principle of least privilege.
- Enforce Multi-Factor Authentication (MFA) for any system hosting Internal or Confidential information.
- Align your access control policy directly with your classification scheme to prevent unauthorised data exposure.
7. Establish Secure Data Handling Processes
- Formalise Rules of Engagement (ROE) documents for the creation, storage, transmission, and destruction of classified data.
- Enforce encryption protocols for data at rest and data in transit, specifically for highly sensitive information.
- Standardise secure disposal methods, such as cryptographic wiping or physical destruction, for end-of-life assets.
8. Synchronise Classification with Third Parties
- Audit the classification schemes of your suppliers, vendors, and clients to understand their data protection standards.
- Synchronise your internal classification levels with third-party frameworks to maintain consistent security across external boundaries.
- Draft formal agreements on the handling and interpretation of shared confidential data.
9. Execute Employee Awareness Training
- Execute mandatory security awareness training to educate staff on the new classification framework.
- Distribute a one-page information classification summary to all employees for quick, daily reference.
- Test employee comprehension regarding how to securely process and transmit classified documentation.
10. Audit and Review Classification Schemes
- Schedule periodic audits, at least annually, to review the effectiveness of your information classification scheme.
- Revoke outdated classifications and update the Data Asset Register to reflect changes in business context or risk.
- Remediate any non-conformities discovered during internal audits to ensure readiness for the formal ISO 27001 certification audit.
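As an added example (not the author's template or toolkit), the script below models the ten implementation steps as checks over a data asset register: an ordered three-tier scheme, a handling matrix of minimum controls per tier, a legal floor so personal data can never sit below Confidential, an owner for every asset, an annual review date, and the agreed mapping to a supplier's scheme described under "Be consistent between organisations". The level names, control names, supplier labels and register rows are all constructed assumptions.

```python
"""Register validation against a three-tier classification scheme.

Constructed example: the scheme, handling matrix, supplier mapping and the
sample register rows are assumptions, not the author's templates.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Ordered scheme: position in the list is the rank, so later levels are stricter.
LEVELS = ["Public", "Internal", "Confidential"]

# Handling matrix: minimum controls expected per tier (control names assumed).
REQUIRED_CONTROLS = {
    "Public": set(),
    "Internal": {"password"},
    "Confidential": {"password", "encryption", "mfa"},
}

# Legal floor: anything containing personal data can never sit below this level.
PERSONAL_DATA_FLOOR = "Confidential"

# Review cadence: at least annually.
REVIEW_PERIOD = timedelta(days=365)

# Agreed mapping to a hypothetical supplier's scheme (their labels are assumed).
SUPPLIER_SCHEME = {
    "Public": "Public",
    "Internal": "Restricted",
    "Confidential": "Highly Restricted",
}


@dataclass
class Asset:
    name: str
    owner: Optional[str]
    classification: str
    contains_personal_data: bool
    controls: Set[str] = field(default_factory=set)
    last_reviewed: Optional[date] = None


def rank(level: str) -> int:
    """Numeric rank of a level so tiers can be compared."""
    return LEVELS.index(level)


def validate_asset(asset: Asset, today: date) -> List[str]:
    """Return one finding per failed check for a single register entry."""
    findings = []
    if not asset.owner:
        findings.append(f"{asset.name}: no information owner assigned")
    if asset.last_reviewed is None or today - asset.last_reviewed > REVIEW_PERIOD:
        findings.append(f"{asset.name}: classification not reviewed in the last 12 months")
    if asset.classification not in LEVELS:
        findings.append(f"{asset.name}: classification '{asset.classification}' is not in the scheme")
        return findings  # the remaining checks need a valid level
    if asset.contains_personal_data and rank(asset.classification) < rank(PERSONAL_DATA_FLOOR):
        findings.append(
            f"{asset.name}: holds personal data but is classified {asset.classification} "
            f"(legal floor is {PERSONAL_DATA_FLOOR})"
        )
    missing = REQUIRED_CONTROLS[asset.classification] - asset.controls
    if missing:
        findings.append(f"{asset.name}: missing required controls {sorted(missing)}")
    return findings


def validate_register(assets: List[Asset], today: date) -> List[str]:
    """Run every check over every register row and collect the findings."""
    return [f for a in assets for f in validate_asset(a, today)]


def to_supplier_level(level: str) -> str:
    """Translate an internal level into the supplier's label using the agreed mapping."""
    return SUPPLIER_SCHEME[level]


AUDIT_DATE = date(2025, 1, 15)

# Constructed register rows; the last one deliberately fails several checks.
SAMPLE_REGISTER = [
    Asset("Website content", "Marketing Manager", "Public", False, set(), date(2024, 12, 1)),
    Asset("Payroll database", "HR Manager", "Confidential", True,
          {"password", "encryption", "mfa"}, date(2024, 9, 30)),
    Asset("Org chart", "COO", "Internal", False, set(), date(2025, 1, 5)),
    Asset("Customer mailing list", None, "Public", True, set(), date(2023, 11, 1)),
]


if __name__ == "__main__":
    for finding in validate_register(SAMPLE_REGISTER, AUDIT_DATE):
        print(finding)
    print("Internal maps to supplier level:", to_supplier_level("Internal"))
```

Run as-is it reports four findings: the org chart lacks the password control its tier requires, and the mailing list has no owner, holds personal data while marked Public, and has not been reviewed within a year. Because the scheme is an ordered list, adding a fourth "Secret" tier only means appending it to `LEVELS` and `REQUIRED_CONTROLS`; the comparisons and the legal floor keep working unchanged.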
ISO 27001 Annex A 5.12 Implementation Checklist
| Checklist Item | What to Implement | Practical Examples |
|---|---|---|
| 1. Governance Policy | Formalise an Information Classification Policy. | Define 3 tiers: Public, Internal, and Confidential. |
| 2. Regulatory Mapping | Align tiers with legal requirements like GDPR or NIS2. | Map ‘Personal Data’ strictly to the ‘Confidential’ tier. |
| 3. Asset Ownership | Assign a responsible ‘Owner’ to every data asset. | The HR Manager owns the Payroll Database. |
| 4. Inventory Integration | Record classification levels in the Data Asset Register. | Column in Excel/GRC tool showing ‘Confidential’ for IP assets. |
| 5. Labelling Scheme | Define visual and metadata marking rules. | ‘CONFIDENTIAL’ headers on PDFs; metadata tags for DLP. |
| 6. Access Alignment | Sync classification with Access Control (A.5.15). | MFA required for all ‘Confidential’ cloud repositories. |
| 7. Handling Procedures | Create specific handling rules for each tier. | Mandatory encryption for ‘Confidential’ email attachments. |
| 8. Third-Party Sync | Ensure classification consistency with suppliers. | Mapping Internal levels to a vendor’s ‘Restricted’ label. |
| 9. Staff Training | Execute awareness training on data categorisation. | Simulated phishing or data handling workshops. |
| 10. Periodic Review | Audit and update classification levels annually. | Re-classifying a completed project from Internal to Public. |
How to audit ISO 27001 Annex A 5.12
As an ISO 27001 Lead Auditor, I expect to see hard evidence that your classification scheme is not just documented, but actively enforced across your entire organisation. Auditing Annex A 5.12 requires you to identify the gap between written policy and daily practice. This 10-step guide outlines exactly how to evaluate your information classification controls, inspect your asset registers, and verify your technical security configurations to guarantee a successful compliance audit.
1. Formalise the Audit Scope and Objectives
- Establish the exact boundaries of the classification audit to ensure all relevant departments and systems are reviewed.
- Identify the core physical and digital repositories that store critical business and customer data.
- Communicate the audit timetable and expected deliverables to department heads and assigned information owners.
2. Evaluate the Information Classification Policy
- Review the documented classification scheme to confirm it utilises a logical, tiered approach such as Public, Internal, and Confidential.
- Ensure the policy clearly defines the handling rules and mandated security controls for each specific tier.
- Verify that the policy has been formally approved by management and updated within the last 12 months.
3. Inspect the Centralised Data Asset Register
- Examine the Data Asset Register to verify that all critical information assets are accurately logged and categorised.
- Check that every listed asset has an explicitly assigned classification level that matches the approved policy scheme.
- Cross-reference a random sample of physical and digital assets against the register to confirm inventory accuracy.
4. Verify Information Asset Ownership
- Audit the assignment of information owners within the Data Asset Register to ensure no data is left orphaned.
- Interview selected asset owners to confirm they understand their responsibility for determining classification levels.
- Check that owners actively review and authorise access requests based on the designated classification of their assets.
5. Audit Legal and Data Protection Alignment
- Review the classification of assets containing Personally Identifiable Information (PII) to ensure compliance with GDPR and relevant privacy laws.
- Verify that special category data is strictly categorised as Confidential or higher, never as Public.
- Confirm that regulatory requirements dictate the minimum classification level applied to legally protected information.
6. Assess Visual and Metadata Labelling Practices
- Sample physical documents and internal reports to check for clear visual markers, such as headers or footers indicating classification.
- Inspect digital files to ensure metadata tagging aligns with the assigned classification level.
- Test automated systems, such as Data Loss Prevention (DLP) tools, to verify they correctly read and restrict files based on metadata labels.
7. Test Identity and Access Management Configurations
- Audit IAM roles to ensure user access is restricted based on the principle of least privilege and aligns with data classification.
- Verify that Multi-Factor Authentication (MFA) is strictly enforced for any system granting access to Confidential or highly sensitive data.
- Review system access logs to detect any unauthorised attempts to access restricted information tiers.
8. Review Secure Data Handling Procedures
- Evaluate the formal Rules of Engagement (ROE) governing how classified data is transmitted both internally and externally.
- Verify that strong encryption protocols are actively applied to Confidential data at rest and in transit.
- Audit the asset disposal logs to confirm sensitive information is destroyed using approved methods, such as cryptographic wiping.
9. Examine Employee Competence and Awareness
- Conduct brief interviews with a sample of employees to test their practical knowledge of the classification scheme.
- Ask staff to demonstrate how they would securely package and transmit a Confidential document to an external client.
- Review training records to ensure all personnel have completed recent awareness sessions on information classification.
10. Document Non-Conformities and Remediate
- Compile all audit findings into a formal report, explicitly detailing any misaligned classifications or missing labels.
- Categorise findings by severity to prioritise the remediation of critical vulnerabilities or compliance gaps.
- Assign corrective actions to the relevant asset owners and schedule a follow-up review to verify successful resolution.
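The "marking gap" the audit steps above look for (steps 3, 6 and 8) can be checked mechanically once the register extract and a sample of files are in hand. The script below is an added example, not the author's or any vendor's tool: it compares each sampled file's metadata label and visible header marking with the register, flags files that carry no marking at all, and applies a simplified, assumed DLP rule set to constructed outbound-transfer events to show what evidence of enforcement looks like. The register entries, file paths, labels and transfer events are all constructed.

```python
"""Marking-gap and DLP evidence checks for an Annex A 5.12 audit.

Constructed example: the register extract, the sampled files and the DLP
rules are assumptions used to illustrate the checks, not real tool output.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = ["Public", "Internal", "Confidential"]

# Register extract: asset name -> approved classification (constructed).
REGISTER = {
    "Payroll export": "Confidential",
    "Org chart": "Internal",
    "Press release": "Public",
}


@dataclass
class FileSample:
    path: str
    register_asset: str            # register entry the file belongs to
    metadata_label: Optional[str]  # e.g. a 'Classification' document property
    header_marking: Optional[str]  # visible marking in the header/footer, if any


def normalise(label: str) -> str:
    """'CONFIDENTIAL' and 'confidential' both mean the scheme level 'Confidential'."""
    return label.strip().title()


def check_marking(sample: FileSample) -> List[str]:
    """Compare a sampled file's labels with the register (the 'marking gap')."""
    findings = []
    expected = REGISTER.get(sample.register_asset)
    if expected is None:
        findings.append(f"{sample.path}: asset '{sample.register_asset}' is not in the register")
    if sample.metadata_label is None and sample.header_marking is None:
        findings.append(f"{sample.path}: no classification marking at all")
    for kind, raw in (("metadata", sample.metadata_label), ("header", sample.header_marking)):
        if raw is None:
            continue
        value = normalise(raw)
        if value not in LEVELS:
            findings.append(f"{sample.path}: {kind} label '{raw}' is not a scheme level")
        elif expected is not None and value != expected:
            findings.append(f"{sample.path}: {kind} label '{raw}' differs from register ({expected})")
    return findings


def dlp_decision(label: Optional[str], external: bool, encrypted: bool) -> str:
    """Simplified DLP rule set (assumed): decide whether a transfer may leave the organisation."""
    if not external:
        return "allow"      # internal movement is outside this rule
    if label is None:
        return "block"      # fail closed: unlabelled data is treated as Confidential
    level = normalise(label)
    if level == "Public":
        return "allow"
    if level == "Confidential" and encrypted:
        return "allow"      # Confidential may leave only when encrypted
    return "block"          # Internal never leaves; unencrypted Confidential is stopped


def audit_samples(samples: List[FileSample]) -> List[str]:
    """Collect marking findings across every sampled file."""
    return [f for s in samples for f in check_marking(s)]


def audit_transfers(transfers: List[Tuple[str, Optional[str], bool, bool]]) -> List[str]:
    """Apply the DLP rule to each (path, label, external, encrypted) event."""
    return [dlp_decision(label, ext, enc) for _, label, ext, enc in transfers]


# Constructed samples drawn during the audit.
SAMPLES = [
    FileSample("finance/payroll_2024.xlsx", "Payroll export", "Confidential", "CONFIDENTIAL"),
    FileSample("hr/org_chart.pdf", "Org chart", None, None),
    FileSample("pr/launch.pdf", "Press release", "Internal", "Public"),
]

# Constructed outbound events: (path, label, external, encrypted).
TRANSFERS = [
    ("finance/payroll_2024.xlsx", "Confidential", True, False),
    ("pr/launch.pdf", "Public", True, False),
    ("hr/org_chart.pdf", None, True, False),
    ("finance/payroll_2024.xlsx", "Confidential", True, True),
]


if __name__ == "__main__":
    for finding in audit_samples(SAMPLES):
        print("FINDING:", finding)
    for event, decision in zip(TRANSFERS, audit_transfers(TRANSFERS)):
        print("DLP:", event[0], "->", decision)
```

The two findings this produces are exactly the kinds an auditor records: the org chart carries no marking at all, and the press release's metadata property says Internal while the register (and its visible header) say Public. The DLP rule treats an unlabelled file as Confidential, so the unmarked org chart is blocked on the way out, which is the safer default when labelling is incomplete.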
ISO 27001 Annex A 5.12 Audit Checklist
| Audit Item | What the Auditor Checks | Evidence Examples | GRC Platform Check |
|---|---|---|---|
| 1. Classification Scheme | Existence of a defined information classification scheme aligned with risk. | Information Classification Policy showing tiers (e.g. Public, Internal, Confidential). | Is the policy uploaded and linked to Annex A 5.12? |
| 2. Asset Inventory Link | Consistency between the Data Asset Register and classification levels. | Sample of assets in the register with assigned classification levels. | Does the asset module have a mandatory ‘Classification’ field? |
| 3. Information Ownership | Assignment of asset owners responsible for classification. | Asset Register column identifying owners for each data set. | Are owners assigned to every information asset record? |
| 4. Marking and Labelling | Evidence that information is marked according to its classification. | Confidential watermarks on sensitive PDFs or email header tags. | Are labelling requirements documented in the GRC control description? |
| 5. Handling Rules | Defined procedures for handling information at each classification level. | Handling matrix showing encryption requirements for ‘Confidential’ data. | Is the handling matrix attached as evidence to the control? |
| 6. Staff Awareness | Employee understanding of the classification levels and their handling duties. | Interviews with staff or security awareness training completion records. | Are training logs for data classification uploaded to the platform? |
| 7. Legal Compliance | Alignment with legal and regulatory requirements (e.g. GDPR/DORA). | Legal Register showing how PII is mapped to highest classification levels. | Is the Legal/Regulatory requirement linked to the classification policy? |
| 8. Access Control Alignment | Access restrictions are proportionate to the classification level. | IAM role configurations restricting ‘Confidential’ folders to specific groups. | Are access review logs linked to high-classification assets? |
| 9. Third-Party Sharing | Controls for classifying data shared with external partners. | NDAs or data processing agreements specifying handling rules for shared data. | Are vendor risk assessments checking the vendor’s classification ability? |
| 10. Review Cycle | Evidence that classification levels are periodically reviewed. | Management review minutes or audit logs showing classification updates. | Is there a recurring task for ‘Annual Classification Review’? |
Classification Scheme Definition
| Level | Definition | Example | Impact of Leak | ISO 27001:2022 Control |
|---|---|---|---|---|
| Public | Information intended for public release. | Website content, Press releases. | None. | Annex A 5.12 |
| Internal | Information for employees only. | Policies, Intranet news, Org charts. | Low (Embarrassment). | Annex A 5.12 |
| Confidential | Sensitive business or personal data. | Customer lists, Contracts, Payroll. | High (Fines/Loss). | Annex A 5.12 / 5.34 |
| Secret | Critical data essential to survival. | Encryption keys, M&A Strategy. | Critical (Bankruptcy). | Annex A 5.12 / 8.24 |
ISO 27001 Templates
Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.
ISO 27001 Information Classification and Handling Policy Template
Download the ISO 27001 Information Classification and Handling Policy Template
ISO 27001 Information Classification Summary Template
Download the ISO 27001 Information Classification Summary Template
ISO 27001 Data Asset Register Template
Download the ISO 27001 Data Asset Register Template
How to comply
To comply with ISO 27001 Annex A 5.12 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to
- Decide on your information classification scheme
- Have a data asset register
- Assign owners to the data assets
- Have the data owners decide on the classification level of the information
- Put in place controls to protect the information that are based on the classification
How to pass the ISO 27001 Annex A 5.12 audit
To pass an audit of ISO 27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas. Let's go through them.
1. That information classification has been defined
The audit will check that you have clearly defined your information classification scheme. It will want to see the levels of classification that you have adopted and what each means. The audit will review the types of information covered by each classification level. It will then check that the controls in place to protect information at each level are appropriate to that level. They will check that information is clearly marked with its level of classification.
2. There is an up to date asset register
The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.
3. That data protection has been considered
Irrespective of where you are in the world, data protection laws and regulations will apply to you to a greater or lesser degree. When defining your information classification levels, be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and not be classified as public. Seek specialist help where required.
Top 3 ISO 27001 Annex A 5.12 Mistakes People Make and How to Avoid Them
The top 3 Mistakes People Make For ISO 27001 Annex A 5.12 are
1. Your information assets are not marked with classification
You have an information classification scheme, but you have not marked up your information assets in a way that clearly and readily indicates their level of classification. If a document is a confidential document, have the word confidential on it. Consider the use of metadata.
2. Making the classification too complicated
It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The simpler it is, the easier it is to manage. Remember that we are using classification to help us allocate our limited resources to the protection of the things we care most about. Having excessive classification levels such as public, internal public, internal confidential, confidential secret and top secret rarely adds any value. The admin to implement them is just too much.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.
Applicability of ISO 27001 Annex A 5.12 across different business models.
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Keep It Simple (3 Tiers). Don’t overcomplicate. Small businesses usually only need “Public” (Website), “Internal” (Business Process), and “Confidential” (Everything sensitive). “Secret” is rarely needed. | • Simplified Scheme: Defining a policy that defaults everything to “Internal” unless stated otherwise, reducing the decision fatigue for staff. • GDPR Alignment: Automatically classifying anything containing customer names or emails as “Confidential” to meet data protection laws. |
| Tech Startups | Code & Secrets Classification. Your classification policy must explicitly cover code repositories. Is your code “Open Source” (Public) or “Proprietary” (Confidential)? Misclassification here leads to IP theft. | • Repo Classification: Defining a rule that all repositories containing “Business Logic” are Confidential and cannot be made public without CTO sign-off. • Env Variables: Classifying “Production API Keys” as Secret, requiring them to be stored in a vault (e.g., AWS Secrets Manager) rather than code. |
| AI Companies | Data & Model Segmentation. You need a tiered approach for Data Lakes. “Raw Scraping Data” might be Internal, but “Fine-Tuning Datasets” (cleaned and annotated) are Confidential IP. | • Model Weights: Classifying final model weights as Secret (the “Crown Jewels”), prohibiting them from ever leaving the production inference cluster. • Customer Inputs: Classifying user prompts sent to your API as Confidential, ensuring they are not inadvertently used for retraining if promised otherwise. |
Fast Track ISO 27001 Annex A 5.12 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.12 (Classification of information), the requirement is to classify information based on its importance to the organization in terms of confidentiality, integrity, and availability. This ensures you apply security controls proportionately, protecting high-value data intensely while not wasting resources on public data.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Policy Ownership | Rents access to your data levels; if you cancel the subscription, your documented classification standards and history vanish. | Permanent Assets: Fully editable Word/Excel Classification Policies and Definitions you own forever. | A localized “Information Classification Policy” defining unique levels like “Secret” or “Restricted” for the business. |
| Governance Utility | Attempts to “automate” classification via AI that cannot decide the true business value of a specific trade secret or strategy. | Governance-First: Provides the framework for information owners to make informed, risk-based classification decisions. | A “Classification Level Matrix” proving that high-value data assets are identified and assigned proportional security controls. |
| Cost Efficiency | Charges a “Data Volume Tax” based on the number of labeled assets, creating perpetual overhead as your data grows. | One-Off Fee: A single payment covers your classification governance for 100 assets or 1,000,000. | Allocating budget to actual Data Loss Prevention (DLP) tools rather than monthly “compliance dashboard” fees. |
| Strategic Freedom | Mandates rigid labeling formats that often fail to align with lean startup workflows or government-mandated schemes. | 100% Agnostic: Procedures adapt to any environment—from a simple 3-tier scheme to complex multi-layered structures. | The ability to evolve your data strategy (e.g., adding an “Export Controlled” level) without a rigid SaaS middleman. |
Summary: For Annex A 5.12, the auditor wants to see that you have a formal classification scheme and proof that information owners have applied it. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.12 Applicable Laws and Related Standards
As an ISO 27001 Lead Auditor, I frequently see organisations struggle to align their information classification efforts with wider regulatory requirements. Implementing a robust classification scheme under ISO 27001 Annex A 5.12 is not just a tick-box exercise for certification: it acts as the foundational compliance control across multiple global jurisdictions. The following mapping table demonstrates exactly how this control satisfies the strict data protection and asset management requirements of major international laws and cybersecurity frameworks.
| Framework / Law | Applicable Domain / Section | How ISO 27001 Annex A 5.12 Maps to the Standard |
|---|---|---|
| NIST Cybersecurity Framework (CSF 2.0) | ID.AM (Asset Management), PR.DS (Data Security) | Annex A 5.12 satisfies the NIST requirement to categorise and prioritise data based on its criticality and business value. Classification ensures that data at rest and data in transit protections (PR.DS) are applied proportionately to the risk. |
| NIST SP 800-53 (Rev. 5) | RA-2 (Security Categorization), SC-28 (Protection of Information at Rest) | Directly maps to the requirement to categorise information and information systems in accordance with applicable laws, establishing the baseline for applying targeted security controls, such as encryption for Confidential data. |
| SOC 2 (Trust Services Criteria) | CC3.2 (Information Classification), CC6.1 (Logical Access Security) | SOC 2 strictly requires organisations to identify and classify confidential and sensitive information. Annex A 5.12 provides the framework to label this data, ensuring logical access controls (CC6.1) restrict access to authorised personnel only. |
| GDPR (EU and UK) | Article 32 (Security of Processing), Article 9 (Special Categories) | GDPR demands appropriate Technical and Organisational Measures (TOMs). Annex A 5.12 is critical here: identifying Personal Data and Special Category Data ensures it is classified as Confidential or higher, triggering mandatory encryption, strict access controls, and retention policies. |
| UK Data (Use and Access) Act 2025 | Data Security and Information Governance | The UK evolution of GDPR maintains high security thresholds for personal data. A mature Annex A 5.12 classification scheme ensures organisations can efficiently segregate personal data from general business data, reducing administrative burdens while maintaining compliance with statutory security thresholds. |
| Cyber Security and Resilience Bill (UK) | Critical Asset Protection and Supply Chain Security | As the legislative answer to NIS2, this bill requires identifying crown jewel data and systems. Annex A 5.12 ensures that critical data managed by IT and Managed Service Providers (MSPs) is classified at the highest level, ensuring resilience controls are targeted effectively. |
| NIS2 Directive (EU) | Article 21 (Cybersecurity Risk-Management Measures) | NIS2 requires proportional risk management for essential and important entities. Annex A 5.12 allows entities to classify information assets to apply proportionate cryptography, access controls, and incident detection mechanisms. |
| DORA (Digital Operational Resilience Act, EU) | Article 8 (Protection and Prevention), ICT Asset Management | DORA requires financial entities to identify, classify, and adequately document all ICT-supported business functions and information assets. Annex A 5.12 provides the methodology to classify financial data and the systems that process it based on criticality. |
| Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, USA) | Incident Triage and Mandatory 72-Hour Reporting | To comply with rapid reporting windows, organisations must instantly know if an incident affects critical data. Information classification allows security teams to immediately identify if breached systems house critical infrastructure data, triggering the 72-hour reporting requirement. |
| HIPAA (USA) | Security Rule (45 CFR 164.306), Privacy Rule | Annex A 5.12 maps directly to the requirement to identify Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). Classifying ePHI as Confidential ensures the application of mandatory safeguards. |
| California Data Laws (CCPA / CPRA) | Consumer Privacy Rights, Data Minimisation | These laws require specific handling of Personal Information (PI) and Sensitive Personal Information (SPI). A classification scheme identifies these data types within the enterprise, ensuring they are subject to strict access controls and can be easily located for Data Subject Access Requests (DSARs). |
| EU Artificial Intelligence (AI) Act | Title III (High-Risk AI Systems), Data Governance | High-risk AI systems require high-quality, unbiased training data. Annex A 5.12 is used to classify AI training data sets, intellectual property, and model outputs, protecting them against data poisoning and ensuring sensitive personal data used in training is strictly governed. |
| AI Standards (ISO/IEC 42001) | AI System Impact Assessment, Data Lifecycle | ISO 42001 requires organisations to manage the risks associated with AI. Annex A 5.12 mandates that both the input data and output data generated by AI are classified according to confidentiality and intellectual property risks. |
| EU Product Liability Directive (PLD) Update | Software Liability and Cybersecurity Flaws | With strict liability extending to software providers, developers must classify software code, telemetry data, and vulnerability reports. Annex A 5.12 ensures proprietary code and unpatched vulnerability data are classified as Confidential to prevent exploits that could lead to liability claims. |
| ECCF (European Cybersecurity Certification Framework) | Assurance Levels (Basic, Substantial, High) | To achieve ECCF certification labels, vendors must demonstrate how they protect product data. Annex A 5.12 provides the required evidence that product telemetry, user data, and firmware updates are classified and handled according to the target assurance level. |
| PCI DSS (v4.0) | Requirement 3 (Protect Stored Account Data) | Annex A 5.12 directly supports PCI DSS by forcing organisations to classify Primary Account Numbers (PAN) and Sensitive Authentication Data (SAD) as highly restricted, ensuring they are isolated within the Cardholder Data Environment (CDE). |
ISO 27001:2013 vs 2022: What Changed for Classification?
As promised, let me cut through the jargon and explain exactly what changed in the 2022 update. In the older ISO 27001:2013 standard, this requirement was found under Control 8.2.1. In the 2022 update, it was moved to Annex A 5.12.
The core concept remains exactly the same. You still need to classify your data. However, the 2022 update brings a sharper focus to two areas. First, it explicitly requires you to consider the requirements of “interested parties” such as your clients, regulators, and partners. Second, auditors are now looking for a direct, unbroken link between your classification scheme and your topic-specific access control policy. If a document is marked Confidential, your access controls must demonstrably ensure that only authorized users can open it.
How to Measure Information Classification Success (KPIs)
You cannot manage what you do not measure. As an auditor, I want to see that your Information Security Management System (ISMS) is a living, breathing thing, not just a dusty folder on a shelf. To prove your classification scheme is working, you should track these practical Key Performance Indicators (KPIs):
- Asset Ownership Coverage: The percentage of information assets in your register with a formally assigned owner. Your target here must be 100%.
- Training Completion Rate: The percentage of staff who have completed information classification awareness training within the last 12 months.
- DLP Incident Triggers: The number of alerts generated by Data Loss Prevention tools flagging mislabeled or improperly shared data.
- Review Frequency: The date of the last formal review of your classification scheme to ensure it remains aligned with business changes.
Real-World Tooling and Automation
Writing a policy is one thing, but how do you actually enforce it without drowning your team in admin? For most businesses, native cloud tools can do the heavy lifting and automate compliance.
- Microsoft 365: Use Microsoft Purview Information Protection to apply sensitivity labels. You can force users to pick a label before saving a Word document.
- Google Workspace: Implement Google Drive Data Classification labels to tag files and set sharing boundaries automatically.
- Cloud Infrastructure: Use tools like AWS Macie to automatically discover and classify sensitive data sitting in your S3 buckets.
The Declassification Process
This is the step everyone forgets. Data does not stay confidential forever. Information loses its sensitivity over time. For example, a highly classified merger strategy becomes public knowledge the second the press release goes out.
Information owners must have a simple process to declassify or downgrade labels. If you treat everything as top secret forever, your security controls will choke your business operations and frustrate your staff. Keep the data lifecycle moving.
The Consequences of Getting It Wrong
What happens when you get this wrong? Let me share a scenario I see all too often. A junior developer writes a brilliant piece of proprietary source code. Because the company never trained the team on Annex A 5.12, the code is never formally classified as Confidential.
The developer inadvertently uploads that code to a public GitHub repository to work on it over the weekend. Because there are no metadata tags on the files, the company’s automated security tools completely ignore the transfer. The result is the loss of critical intellectual property, a massive breach of client trust, and a failed ISO 27001 audit. Classification is the foundation of your security. Get it right.
The Data Discovery Problem and Shadow IT
You cannot classify what you do not know exists. Before you can apply Annex A 5.12, you must conduct a ruthless data mapping exercise. I see companies write beautiful classification policies, but they completely ignore “Shadow IT” where employees use unsanctioned tools like personal Dropbox accounts or unauthorized AI writing assistants.
As an auditor, I will look for evidence that your classification scheme covers all data environments. You must use data discovery tools or conduct departmental interviews to find out where your staff actually store information. Once you find it, you bring it into the Data Asset Register and classify it.
Handling Unstructured Data
Databases and formal policies are easy to classify. Unstructured data is where most companies fail their audit. What happens when a developer pastes an API key into a Slack channel? How do you classify a photo of a whiteboard from a strategy meeting?
Your Information Classification Policy must explicitly address unstructured data. You need clear rules stating that platforms like Microsoft Teams or Slack are strictly classified as “Internal” environments, meaning “Confidential” or “Secret” data must never be pasted into a chat window. If you ignore unstructured data, you are leaving a massive gap in your compliance.
The Link to Clause 6.1.2 (Risk Assessment)
Let me give you a lead auditor secret. Annex A controls do not exist in a vacuum. Annex A 5.12 is directly tied to the mandatory requirements of Clause 6.1.2 Information security risk assessment.
When you conduct your risk assessment, you must determine the consequences of a breach. The classification level of your data gives you that answer instantly. A server holding “Public” data has a low risk score. A server holding “Confidential” customer data has a critical risk score. Your classification scheme is the mathematical foundation of your entire risk management process.
The Data Aggregation Effect
Here is an advanced concept that catches out many organizations during an audit: The Data Aggregation Effect. You might look at a single staff directory entry and classify it as “Internal.” It poses a very low risk. However, what happens when you export the entire directory containing 5,000 staff members, their direct dial numbers, and their building locations?
When data is aggregated, its value to an attacker increases massively. That single “Internal” spreadsheet is now a goldmine for social engineering and phishing attacks. Your Information Classification Policy must state that large aggregations of low-level data must be upgraded to a higher classification tier, such as “Confidential,” to ensure it receives appropriate encryption and access controls.
Incident Response Triage
Information classification is not just about preventing a data breach. It is the core tool you use to survive one. When the worst happens and a server is compromised, your security team does not have time to guess what data was lost.
If the compromised server only held “Public” marketing assets, your incident response team can handle it as a standard operational issue. If your Data Asset Register shows that server held “Confidential” personal data, your classification scheme immediately triggers your major incident process. It tells your legal team that the 72-hour GDPR reporting window has just started. Classification drives your incident triage.
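As an added example that is not part of this article or the High Table toolkit, the following Python script applies three of the rules described above to a constructed Data Asset Register: the Asset Ownership Coverage KPI, the Data Aggregation Effect upgrade, and classification-driven incident triage with the GDPR 72-hour clock. The four tiers follow the FAQ scheme below; the 1,000-record aggregation threshold, the asset names, the field names and the function names are assumptions standing in for an organisation's own policy.

```python
# Added example, not code from the article or the High Table toolkit. The tiers
# follow the article's FAQ scheme; the threshold, asset names and rule wording
# are constructed assumptions standing in for an organisation's own policy.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ["Public", "Internal", "Confidential", "Secret"]  # lowest to highest
AGGREGATION_THRESHOLD = 1000  # assumed policy value for the aggregation rule


@dataclass
class Asset:
    """One row of a Data Asset Register."""
    name: str
    classification: str          # level chosen by the information owner
    owner: Optional[str] = None  # Annex A 5.12 requires an assigned owner
    records: int = 1             # how many records the asset aggregates
    personal_data: bool = False  # holds personal data (GDPR scope)


def effective_classification(asset: Asset) -> Tuple[str, List[str]]:
    """Apply the policy's upgrade rules; they raise the owner's level, never lower it."""
    if asset.classification not in LEVELS:
        return asset.classification, ["unknown level: owner must pick a defined tier"]
    floors = []  # (minimum level a rule demands, reason)
    if asset.personal_data:
        floors.append(("Confidential", "contains personal data"))
    # Aggregation effect: a large export of Internal records becomes Confidential.
    if asset.classification == "Internal" and asset.records >= AGGREGATION_THRESHOLD:
        floors.append(("Confidential", f"aggregation of {asset.records} records"))
    level, reasons = asset.classification, []
    for floor, why in floors:
        if LEVELS.index(floor) > LEVELS.index(level):
            level = floor
        reasons.append(why)
    return level, reasons


def ownership_coverage(register: List[Asset]) -> float:
    """KPI: percentage of assets with a formally assigned owner (target is 100%)."""
    return round(100.0 * sum(1 for a in register if a.owner) / len(register), 1)


def register_findings(register: List[Asset]) -> List[str]:
    """Audit-style findings: undefined tier, missing owner, under-classified asset."""
    findings = []
    for a in register:
        if a.classification not in LEVELS:
            findings.append(f"{a.name}: undefined level {a.classification!r}")
            continue
        if not a.owner:
            findings.append(f"{a.name}: no information owner assigned")
        level, reasons = effective_classification(a)
        if level != a.classification:
            findings.append(f"{a.name}: recorded {a.classification} but policy "
                            f"requires {level} ({'; '.join(reasons)})")
    return findings


def triage(register: List[Asset], compromised: set) -> Dict[str, object]:
    """Incident triage from the register: severity and whether the GDPR 72-hour clock starts."""
    affected = [a for a in register if a.name in compromised]
    highest = "Public"
    for a in affected:
        level, _ = effective_classification(a)
        if level in LEVELS and LEVELS.index(level) > LEVELS.index(highest):
            highest = level
    major = LEVELS.index(highest) >= LEVELS.index("Confidential")
    return {
        "highest_level": highest,
        "severity": "major" if major else "standard",
        "gdpr_clock_started": any(a.personal_data for a in affected),
    }


# Constructed sample register (names and values are illustrative only).
REGISTER = [
    Asset("Marketing website", "Public", owner="Head of Marketing"),
    Asset("Staff directory export", "Internal", owner="HR Director", records=5000, personal_data=True),
    Asset("Customer CRM", "Confidential", owner="Sales Director", records=12000, personal_data=True),
    Asset("Whiteboard photo", "Internal"),  # no owner recorded
]
```

Running `register_findings(REGISTER)` reports the unowned whiteboard photo and the staff directory export that the aggregation rule pushes up to Confidential, and `triage(REGISTER, {"Staff directory export"})` returns a major incident with the GDPR clock started.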
Physical Information and the Clear Desk Policy
It is incredibly easy to get obsessed with metadata, cloud storage, and Data Loss Prevention software. Do not forget about the physical world. As an auditor, one of the first things I do is walk your office floor.
I am looking for printed financial reports left on shared printers. I am looking at whiteboards in meeting rooms that have not been wiped clean. I am checking if confidential waste bins are locked. Annex A 5.12 applies to physical information just as strictly as digital data. You must ensure your physical documents are stamped with visual classification labels and that your staff follow a strict Clear Desk and Clear Screen policy (Annex A 7.7).
ISO 27001 Annex A 5.12 FAQ
What is ISO 27001 Annex A 5.12?
ISO 27001 Annex A 5.12 is an organisational control that requires information to be categorised into different classification levels based on its sensitivity, legal requirements, and value.
- Provides a framework for identifying which data needs the most protection.
- Ensures that security resources are allocated proportionately to risk.
- Mandates that handling requirements are defined for each classification tier.
- Applies to all information assets, including digital files, physical documents, and databases.
What are the common levels of information classification?
Most organisations implement a four-tier scheme to ensure clarity and usability for staff across the business.
- Public: Information that can be disclosed without harm (e.g., marketing materials).
- Internal: Standard business data not intended for public release (e.g., internal memos).
- Confidential: Sensitive data that could cause damage if leaked (e.g., PII or customer contracts).
- Secret: Highly sensitive data that would cause critical harm (e.g., intellectual property or M&A plans).
Is a documented Information Classification Policy mandatory?
Yes, a formalised policy is required to satisfy the requirements of Annex A 5.12 and to provide a consistent standard for the ISMS.
- It must define the specific classification tiers used by the organisation.
- It should assign responsibility for classifying assets to the Information Owner.
- It must outline the specific handling and protection rules for each tier.
- It acts as a primary piece of evidence during an external certification audit.
Who is responsible for classifying information?
The Information Owner (or Asset Owner) is the individual responsible for determining the correct classification level for the assets they manage.
- They assess the potential impact of unauthorised disclosure or loss.
- They ensure that the classification remains accurate throughout the asset’s lifecycle.
- They are responsible for reviewing classification levels periodically.
- They determine who is authorised to access the classified information.
What is the difference between Annex A 5.12 and 5.13?
The primary difference is that Annex A 5.12 defines the sensitivity level (Classification), whereas Annex A 5.13 defines the visible markers used to communicate that level (Labelling).
- 5.12: The decision on the data’s value and risk.
- 5.13: The tactical application of tags, watermarks, or metadata.
- Classification (5.12) must always occur before labelling (5.13).
How does information classification assist with GDPR compliance?
Information classification acts as a foundational mapping exercise that helps organisations identify where Personally Identifiable Information (PII) resides.
- Identifies data that requires specific protection under the “Confidential” tier.
- Simplifies Subject Access Requests (SARs) by categorising personal data locations.
- Ensures appropriate encryption and storage for sensitive personal data.
- Assists in performing Data Protection Impact Assessments (DPIAs).
How often should classification levels be reviewed?
Classification levels should be reviewed at least annually or whenever a significant change occurs in the asset’s value or the organisation’s risk landscape.
- Ensures that data is not over-protected, which can hinder productivity.
- Identifies “classification creep” where data sensitivity has decreased over time.
- Confirms that Asset Owners are still relevant and current.
- Aligns with the internal audit cycle required by Clause 9.2.
ISO 27001 Related Controls and Further Reading
| Related ISO 27001 Control | Auditor’s Relationship Context |
|---|---|
| Information Classification Policy Template | As an auditor, I look for the formal policy that dictates your classification scheme before I check anything else. This template provides the exact governance framework and tier definitions required to satisfy Annex A 5.12 directly out of the box. |
| Information Classification Summary Template | Annex A 5.12 requires your staff to actually understand your classification levels. This summary is the one-page cheat sheet I recommend distributing to employees to guarantee they know how to handle Confidential data on a daily basis without getting bogged down in policy documents. |
| Data Asset Register Template | This is the operational tool where your classification scheme lives. During an audit, I will ask to see your Data Asset Register to verify that every listed system, database, and physical file has an assigned owner and an appropriate Annex A 5.12 classification tier. |
| ISO 27001 Annex A 5.9 Inventory of Assets | You cannot classify what you do not know exists. Annex A 5.9 mandates the creation of the Data Asset Register, which serves as the foundational repository where your Annex A 5.12 classification levels are officially recorded, tracked, and managed. |
| ISO 27001 Annex A 5.13 Labelling of Information | Once you classify information under Annex A 5.12, you are strictly mandated to label it under Annex A 5.13. These two controls are audited back to back. If you classify a document as Confidential, I will immediately check for the physical watermark or digital metadata label. |
| ISO 27001 Annex A 5.14 Information Transfer | The rules for how you send and receive data are entirely dictated by its classification level. Annex A 5.14 ensures that data classified as highly sensitive under 5.12 is protected by robust encryption and secure handling rules during transit. |
| ISO 27001 Annex A 8.3 Information Access Restriction | Your technical access control mechanisms must align directly with your data categories. If Annex A 5.12 marks a database as Internal, Annex A 8.3 requires you to configure your Identity and Access Management (IAM) roles to strictly block public or unauthorised access. |
| ISO 27001 Annex A 5.10 Acceptable Use of Assets | Employees need to know what they can and cannot do with company data. The acceptable use rules governed by Annex A 5.10 are directly informed by the classification levels assigned in 5.12, ensuring staff treat Public data differently from strictly Confidential intellectual property. |
ISO 27001 controls and attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Information Protection | Protection, Defence |