ISO 27001:2022 Annex A 5.12 Classification of information

ISO 27001 Annex A 5.12 Classification of information

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.12 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.12 Classification of Information

ISO 27001 Annex A 5.12 requires organizations to classify information according to its security needs, based on confidentiality, integrity, availability, and the requirements of interested parties. With limited resources, it is impossible to apply the highest level of security to all data. This control ensures you apply protection proportionately based on risk. By categorizing your data (e.g., Public vs. Confidential), you can focus your security budget and efforts where they matter most—protecting your “Crown Jewels” while maintaining efficiency for non-sensitive data.

Core requirements for compliance include:

  • Simple Classification Scheme: You must define a clear scheme for data levels. While the standard suggests up to four levels, most successful implementations use a simple 3-tier approach: Public, Internal, and Confidential.
  • Assigned Information Owners: Every data set or information asset must have an assigned “Owner.” The owner is responsible for determining the classification level and ensuring the data is handled correctly throughout its life cycle.
  • Consistency Across the Org: Classification must be a universal language. Whether it’s a paper document or a digital database, everyone in the company must classify and handle the same type of data in the same way.
  • Visual or Meta-Labelling: Classified information should be clearly marked. This can be visual (e.g., a “Confidential” watermark) or technical (e.g., metadata tags used by Data Loss Prevention (DLP) software).
  • Legal Alignment: Your scheme must account for legal and regulatory requirements (like GDPR). Personal data, for example, can almost never be classified as “Public.”

Audit Focus: Auditors will look for “The Marking Gap”:

  1. Direct Inspection: An auditor will point to a random internal report or email and ask: “What is the classification of this data, and how can I see that label?”
  2. Asset Register Link: They will check your Data Asset Register (A.5.9) to see if classification levels are documented for every entry.
  3. Staff Knowledge: They may ask an employee: “If you are sending a ‘Confidential’ document to a client, what extra steps must you take (e.g., encryption)?”

Information Classification Scheme (Audit Prep):

Level | Definition | Example Data | Required Control
Public | Intended for public release. | Marketing brochures, Website. | None.
Internal | Employee-use only. | Org charts, Internal policies. | Password protection.
Confidential | Sensitive business/personal data. | Customer lists, Payroll, IP. | Encryption + MFA.
Secret | Critical to company survival. | M&A Strategy, Encryption keys. | Hardened access logs.

What is ISO 27001 Annex A 5.12?

Information classification is a way to categorise the different types of information in your organisation and apply the level of information security required, based on the risk.

With limited resources it doesn’t make sense to apply the highest level of security to all data so we apply it proportionately based on risk and business need.

ISO 27001 Annex A 5.12 Classification of Information is an ISO 27001 control that requires an organisation to classify information based on the needs of the organisation and of relevant interested parties.

ISO 27001 Annex A 5.12 Purpose

The purpose of ISO 27001 Annex A 5.12 is to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.

ISO 27001 Annex A 5.12 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.12 as:

Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.


Watch the ISO 27001 Annex A 5.12 Tutorial

In the video ISO 27001 Annex A 5.12 Classification Of Information Explained, I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.12 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.12 Classification Of Information. The podcast explores what it is, why it is important and the path to compliance.

Information Classification Scheme

You must decide on the information classification scheme that you will adopt.

The information classification scheme is the definition of the information classification levels and the rules that apply to those various levels.

It is used to guide your employees and the people that work with you, and to explain to them what is expected when handling and managing data.

Classification schemes can be as complicated or as simple as you want to make them. My advice would be to keep it simple.

Your starting point for deciding what classification scheme to adopt is to review the laws and regulations that relate to you and customer requirements that may contractually oblige you to have a certain scheme in place.

Example Classification Levels

The levels of classification are in the classification scheme.

If you have the benefit of defining your own classification scheme, I have found that three levels of information classification work well for smaller organisations.

The 3 levels of information classification

The 3 levels of information classification are:

Public

This is for documentation that poses little to no risk to you and that you don’t really need to protect. Examples include: marketing, website, promotional materials.

Internal

This is for documentation that’s specific to the organisation. If it became public it could cause some minor embarrassment and poses a medium risk to you. Examples include: Your process documentation, certain management reports, broad based internal communications.

Confidential

This is the highest level of classification. If it became public it could cause major embarrassment, cost you money, put your operations at risk, expose your intellectual property, or violate laws and regulations. Examples include: HR data relating to individuals, payroll data, health data, intellectual property, and bespoke and proprietary technical and systems information such as code, schematics and information security protections.

ISO 27001 Annex A 5.12 Implementation Guidance

You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of people we would recommend a simple, 3 tier approach to information classification. As with all aspects of information security you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case then follow their lead. For everyone else, keep it simple.

Key Points

  • You need to understand the information and data that you have and then decide the protection to put in place, proportionate and appropriate to the value of the data.
  • The approach has to be consistent across the organisation and remove personal judgment.
  • The protections are to maintain information security being the confidentiality, integrity and availability of data.
  • It does form one of the foundation blocks of building your information security management system, so take time getting this right and making it appropriate to you.

Write an information and classification handling policy

You need to write an information and classification handling policy. The policy should set out what your levels of classification are. It should address how you approach data protection in terms of the classification of data covered by data protection laws. The policy should lay out all of the expected controls per classification. The scope of the policy will cover the entire information life cycle.

Define the classification scheme

You’re working with the business to understand the needs of the business, operationalise the business and help the business move forward. Whether you choose a predefined classification scheme, have one imposed on you or write your own, you need to define your classification scheme. Examples are provided above and in the policy template.

The classification scheme has to take into account the confidentiality, integrity and availability requirements.

Based on business need

The needs of the business are paramount, and classifications and controls should take those needs into account. Consider the sharing or restricting of information, the availability requirements for information, and the protection of information integrity.

Working with your legal team and referencing back to the work done on the legal register you are going to ensure that your classification scheme fully meets the requirements of the law and relevant regulators.

When you assess the legal and regulatory requirements and create your legal register, you are considering the laws that apply to you and that impact information security. Ensure those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements will always take priority over your own classification.

Assign Information Owners

The owners of the information are responsible for the classification of the information. Information owners play a key role in information security and if you haven’t already assigned them then you should assign them now.

Review and update information classification

ISO 27001 is a standard based on continual improvement and as such the classification of data and the actual classification scheme should be reviewed and updated on a periodic basis.

Information changes over time in context, use, value. The classification of information should be regularly reviewed over time, at least annually and as significant changes occur.

Align to the topic specific policy requirement for access control

The standard explicitly calls out aligning to the topic specific policy requirement for access control. Access control is directly aligned to information classification.

Be consistent across the organisation

Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.

Be consistent between organisations

Make sure that your classification scheme maps to that of third parties and customers. Where relevant and applicable, you should be able to map your information classification scheme to that of other organisations.

As different organisations have different schemes and approaches, you will need to put in place a mechanism to ensure consistency between the schemes used. This will be dependent on use and context, but the idea is that you have in place an agreement on the interpretation of classification and classification levels.

In addition

  • Put in place an information classification process that describes exactly what you do through the information management lifecycle
  • Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data is – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
  • Follow best practice and your information classification policy for marking data with its classification. This can be visually on the data but also it can be in the meta data. You need to be able to identify the classification level of the information.
  • Put in place controls appropriate to the level of information classification and based on the risk to the business.
  • Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.

How to implement ISO 27001 Annex A 5.12

Implementing ISO 27001 Annex A 5.12 requires a transition from ad hoc data handling to a formalised, risk-based governance structure. By categorising information based on its value and legal sensitivity, organisations ensure that security controls are applied proportionally, protecting critical assets while maintaining operational efficiency. This action-orientated guide provides the technical and procedural steps necessary to establish a compliant classification framework that satisfies lead auditor requirements.

1. Formalise the Information Classification Policy

Establish a documented policy that defines the organisation’s classification hierarchy and handling rules. This action results in a standardised governance layer that dictates how every piece of data is treated throughout its lifecycle.

  • Define a four-tier classification scheme (e.g. Public, Internal, Confidential, Secret) to provide clear granularity for risk management.
  • Document specific handling requirements for each tier, including encryption standards for data at rest and in transit.
  • Identify legal and regulatory drivers, such as GDPR or PCI-DSS, that mandate specific classification levels for Personal Identifiable Information (PII).

2. Provision an Information Asset Register (IAR)

Execute a comprehensive discovery phase to identify and log all information assets within the organisation. This result-focused step ensures that no “shadow data” exists outside the scope of the Information Security Management System (ISMS).

  • Map information assets to specific “Information Owners” who are accountable for the asset’s classification and security.
  • Categorise assets by format, including digital databases, physical documents, and cloud-hosted storage.
  • Utilise automated discovery tools to scan local servers and cloud environments (SaaS/PaaS) for unclassified sensitive data.

3. Formalise Asset Ownership and Responsibility

Assign formal responsibility for classification decisions to designated Asset Owners. This action ensures that those with the most context regarding the data’s value are the ones determining its protective requirements.

  • Establish “Rules of Engagement” (ROE) for Asset Owners regarding the review and reclassification of data.
  • Mandate that owners approve access requests via Identity and Access Management (IAM) workflows based on classification levels.
  • Integrate asset ownership into the employee onboarding and offboarding processes to prevent “orphaned” assets.

4. Implement Technical Handling and Storage Controls

Provision the technical safeguards required to protect information based on its assigned classification level. This results in the enforcement of the “Need to Know” principle through hard technical barriers.

  • Enforce Multi-Factor Authentication (MFA) and granular IAM roles for all assets classified as Confidential or Secret.
  • Configure Data Loss Prevention (DLP) rules to prevent the unauthorised transfer of highly classified data to external domains.
  • Implement automated encryption for mobile devices and removable media used to store Internal or Confidential information.

5. Execute Periodic Classification Reviews and Audits

Establish a recurring review cycle to ensure that classification levels remain accurate as information ages or business contexts change. This action ensures that data is not over-protected (causing friction) or under-protected (creating risk).

  • Conduct annual recertification of the Information Asset Register with all Asset Owners.
  • Perform spot checks of digital repositories and physical workspaces to verify that information is correctly classified and handled.
  • Review DLP incident logs to identify misclassification trends and adjust training or automated rules accordingly.

Classification Scheme Definition

Level | Definition | Example | Impact of Leak | ISO 27001:2022 Control
Public | Information intended for public release. | Website content, Press releases. | None. | Annex A 5.12
Internal | Information for employees only. | Policies, Intranet news, Org charts. | Low (Embarrassment). | Annex A 5.12
Confidential | Sensitive business or personal data. | Customer lists, Contracts, Payroll. | High (Fines/Loss). | Annex A 5.12 / 5.34
Secret | Critical data essential to survival. | Encryption keys, M&A Strategy. | Critical (Bankruptcy). | Annex A 5.12 / 8.24

ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

ISO 27001 Information Classification and Handling Policy Template

Download the ISO 27001 Information Classification and Handling Policy Template


ISO 27001 Information Classification Summary Template

Download the ISO 27001 Information Classification Summary Template


ISO 27001 Data Asset Register Template

Download the ISO 27001 Data Asset Register Template


How to comply

To comply with ISO 27001 Annex A 5.12 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Decide on your information classification scheme
  • Have a data asset register
  • Assign owners to the data assets
  • Have the data owners decide on the classification level of the information
  • Put in place controls to protect the information that are based on the classification

How to pass the ISO 27001 Annex A 5.12 audit

To pass an audit of ISO 27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let's go through them.

1. That information classification has been defined

The audit will check that you have clearly defined your information classification scheme. It will want to see the levels of classification that you have adopted and what each one means. The audit will review the types of information covered by each classification level. It will then check that the controls in place to protect information at each level are appropriate to that level. They will check that information is clearly marked with its level of classification.

2. There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.

3. That data protection has been considered

Irrespective of where you are in the world, data protection laws and regulations will apply to you, to a greater or lesser degree. When defining your information classification levels, be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and not be classified as public. Seek specialist help where required.
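The three audit checks above (a defined scheme with visible marking, an up-to-date asset register with owners, and personal data never classified as public) can be run against a data asset register mechanically. The script below is an added example, not the author's toolkit or template: it builds a small constructed register (the asset names, owners and field names are hypothetical) and reports, per asset, the findings an auditor would raise under this control, including the "marking gap" where the label on the asset does not match the register, and reviews older than 12 months.

```python
"""Data asset register audit for ISO 27001 Annex A 5.12.

Added example; the register columns and sample assets below are
constructed for illustration and are not from any real register.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The simple 3-tier scheme recommended in the guide.
SCHEME = ("Public", "Internal", "Confidential")

# How long a classification may go without review before it is stale.
REVIEW_PERIOD = timedelta(days=365)


@dataclass
class Asset:
    name: str
    owner: Optional[str]            # information owner accountable for the asset
    classification: Optional[str]   # level recorded in the register
    label: Optional[str]            # marking actually present (watermark / metadata)
    contains_personal_data: bool    # data protection driver
    last_reviewed: Optional[date]


def audit_asset(asset: Asset, today: date) -> List[str]:
    """Return the list of audit findings for one register entry (empty = OK)."""
    findings: List[str] = []
    if not asset.owner:
        findings.append("no owner assigned")
    if asset.classification not in SCHEME:
        findings.append(f"classification {asset.classification!r} not in scheme")
    if asset.label is None:
        findings.append("marking gap: no classification label on asset")
    elif asset.label != asset.classification:
        findings.append(
            f"label {asset.label!r} does not match register {asset.classification!r}"
        )
    if asset.contains_personal_data and asset.classification == "Public":
        findings.append("personal data classified Public (data protection conflict)")
    if asset.last_reviewed is None or today - asset.last_reviewed > REVIEW_PERIOD:
        findings.append("review older than 12 months or missing")
    return findings


def audit_register(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Audit every asset and map asset name -> findings."""
    return {a.name: audit_asset(a, today) for a in assets}


# Constructed sample register: one clean entry and four with typical gaps.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Asset("Website content", "Marketing Lead", "Public", "Public", False, date(2025, 1, 15)),
    Asset("Org chart", "HR Manager", "Internal", None, False, date(2025, 3, 2)),
    Asset("Payroll export", None, "Confidential", "Confidential", True, date(2023, 11, 1)),
    Asset("Customer newsletter list", "Marketing Lead", "Public", "Public", True, date(2025, 2, 10)),
    Asset("Source code", "CTO", "Restricted", "Confidential", False, date(2025, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER, TODAY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Swap the constructed list for the rows of your own register (the A.5.9 inventory) and change SCHEME to whatever levels your policy defines; an entry that passes every check is the evidence an auditor asks for when pointing at a random asset.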

Top 3 ISO 27001 Annex A 5.12 Mistakes People Make and How to Avoid Them

The top 3 Mistakes People Make For ISO 27001 Annex A 5.12 are

1. Your information assets are not marked with classification

You have an information classification scheme but you have not marked up your information assets in a way that clearly and readily indicates its level of classification. If a document is a confidential document, have the word confidential on it. Consider the use of meta data.

2. Making the classification too complicated

It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The simpler it is, the easier it is to manage. Remember we are using classification to help us allocate our limited resources to the protection of the things we care most about. Having excessive classification levels such as public, internal public, internal confidential, confidential secret, top secret rarely adds any value. The administration needed to implement them is just too much.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having no unresolved comments left in documents are all good practices.

Applicability of ISO 27001 Annex A 5.12 across different business models.

Business Type: Small Businesses
Applicability & Interpretation: Keep It Simple (3 Tiers). Don’t overcomplicate. Small businesses usually only need “Public” (Website), “Internal” (Business Process), and “Confidential” (Everything sensitive). “Secret” is rarely needed.
Examples of Control:
  • Simplified Scheme: Defining a policy that defaults everything to “Internal” unless stated otherwise, reducing the decision fatigue for staff.
  • GDPR Alignment: Automatically classifying anything containing customer names or emails as “Confidential” to meet data protection laws.

Business Type: Tech Startups
Applicability & Interpretation: Code & Secrets Classification. Your classification policy must explicitly cover code repositories. Is your code “Open Source” (Public) or “Proprietary” (Confidential)? Misclassification here leads to IP theft.
Examples of Control:
  • Repo Classification: Defining a rule that all repositories containing “Business Logic” are Confidential and cannot be made public without CTO sign-off.
  • Env Variables: Classifying “Production API Keys” as Secret, requiring them to be stored in a vault (e.g., AWS Secrets Manager) rather than code.

Business Type: AI Companies
Applicability & Interpretation: Data & Model Segmentation. You need a tiered approach for Data Lakes. “Raw Scraping Data” might be Internal, but “Fine-Tuning Datasets” (cleaned and annotated) are Confidential IP.
Examples of Control:
  • Model Weights: Classifying final model weights as Secret (the “Crown Jewels”), prohibiting them from ever leaving the production inference cluster.
  • Customer Inputs: Classifying user prompts sent to your API as Confidential, ensuring they are not inadvertently used for retraining if promised otherwise.


Fast Track ISO 27001 Annex A 5.12 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.12 (Classification of information), the requirement is to classify information based on its importance to the organization in terms of confidentiality, integrity, and availability. This ensures you apply security controls proportionately, protecting high-value data intensely while not wasting resources on public data.

Compliance Factor: Policy Ownership
  • SaaS Compliance Platforms: Rents access to your data levels; if you cancel the subscription, your documented classification standards and history vanish.
  • High Table ISO 27001 Toolkit: Permanent Assets. Fully editable Word/Excel Classification Policies and Definitions you own forever.
  • Audit Evidence Example: A localized “Information Classification Policy” defining unique levels like “Secret” or “Restricted” for the business.

Compliance Factor: Governance Utility
  • SaaS Compliance Platforms: Attempts to “automate” classification via AI that cannot decide the true business value of a specific trade secret or strategy.
  • High Table ISO 27001 Toolkit: Governance-First. Provides the framework for information owners to make informed, risk-based classification decisions.
  • Audit Evidence Example: A “Classification Level Matrix” proving that high-value data assets are identified and assigned proportional security controls.

Compliance Factor: Cost Efficiency
  • SaaS Compliance Platforms: Charges a “Data Volume Tax” based on the number of labeled assets, creating perpetual overhead as your data grows.
  • High Table ISO 27001 Toolkit: One-Off Fee. A single payment covers your classification governance for 100 assets or 1,000,000.
  • Audit Evidence Example: Allocating budget to actual Data Loss Prevention (DLP) tools rather than monthly “compliance dashboard” fees.

Compliance Factor: Strategic Freedom
  • SaaS Compliance Platforms: Mandates rigid labeling formats that often fail to align with lean startup workflows or government-mandated schemes.
  • High Table ISO 27001 Toolkit: 100% Agnostic. Procedures adapt to any environment, from a simple 3-tier scheme to complex multi-layered structures.
  • Audit Evidence Example: The ability to evolve your data strategy (e.g., adding an “Export Controlled” level) without a rigid SaaS middleman.

Own Your ISMS, Don’t Rent It

Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit

Summary: For Annex A 5.12, the auditor wants to see that you have a formal classification scheme and proof that information owners have applied it. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.12 FAQ

What is ISO 27001 Annex A 5.12?

ISO 27001 Annex A 5.12 is an organisational control that requires information to be categorised into different classification levels based on its sensitivity, legal requirements, and value.

  • Provides a framework for identifying which data needs the most protection.
  • Ensures that security resources are allocated proportionally to risk.
  • Mandates that handling requirements are defined for each classification tier.
  • Applies to all information assets, including digital files, physical documents, and databases.

What are the common levels of information classification?

Most organisations implement a four-tier scheme to ensure clarity and usability for staff across the business.

  • Public: Information that can be disclosed without harm (e.g., marketing materials).
  • Internal: Standard business data not intended for public release (e.g., internal memos).
  • Confidential: Sensitive data that could cause damage if leaked (e.g., PII or customer contracts).
  • Secret: Highly sensitive data that would cause critical harm (e.g., intellectual property or M&A plans).

Is a documented Information Classification Policy mandatory?

Yes, a formalised policy is required to satisfy the requirements of Annex A 5.12 and to provide a consistent standard for the ISMS.

  • It must define the specific classification tiers used by the organisation.
  • It should assign responsibility for classifying assets to the Information Owner.
  • It must outline the specific handling and protection rules for each tier.
  • It acts as a primary piece of evidence during an external certification audit.

Who is responsible for classifying information?

The Information Owner (or Asset Owner) is the individual responsible for determining the correct classification level for the assets they manage.

  • They assess the potential impact of unauthorised disclosure or loss.
  • They ensure that the classification remains accurate throughout the asset’s lifecycle.
  • They are responsible for reviewing classification levels periodically.
  • They determine who is authorised to access the classified information.

What is the difference between Annex A 5.12 and 5.13?

The primary difference is that Annex A 5.12 defines the sensitivity level (Classification), whereas Annex A 5.13 defines the visible markers used to communicate that level (Labelling).

  • 5.12: The decision on the data’s value and risk.
  • 5.13: The tactical application of tags, watermarks, or metadata.
  • Classification (5.12) must always occur before labelling (5.13).

How does information classification assist with GDPR compliance?

Information classification acts as a foundational mapping exercise that helps organisations identify where Personal Identifiable Information (PII) resides.

  • Identifies data that requires specific protection under the “Confidential” tier.
  • Simplifies Subject Access Requests (SARs) by categorising personal data locations.
  • Ensures appropriate encryption and storage for sensitive personal data.
  • Assists in performing Data Protection Impact Assessments (DPIAs).

How often should classification levels be reviewed?

Classification levels should be reviewed at least annually or whenever a significant change occurs in the asset’s value or the organisation’s risk landscape.

  • Ensures that data is not over-protected, which can hinder productivity.
  • Identifies “classification creep” where data sensitivity has decreased over time.
  • Confirms that Asset Owners are still relevant and current.
  • Aligns with the internal audit cycle required by Clause 9.2.

Further Reading

How to Implement ISO 27001 Annex A 5.12: A Practical Guide to Information Classification

How to Audit Information Classification: A Practical Guide to ISO 27001 Annex A 5.12

The Ultimate 10-Point ISO 27001 Audit Checklist for Information Classification (Annex A 5.12)

Your 10-Point Checklist for Implementing ISO 27001 Information Classification (Annex A 5.12)

A Practical Guide for AI Companies to ISO 27001 Annex A 5.12: Mastering Information Classification

A Practical Guide for SMEs: Mastering ISO 27001 Annex A 5.12 Information Classification

A Tech Startup’s Practical Guide to ISO 27001 Annex A 5.12: Information Classification

ISO 27001 Information Classification and Handling Policy Beginner’s Guide

ISO 27001 Data Protection Policy Template

ISO 27001 controls and attribute values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify
Operational capabilities: Information Protection
Security domains: Protection, Defence

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
