
The Ultimate Guide to ISO 27001:2022 Annex A 5.12 Classification Of Information

Last updated Sep 15, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Information Classification

Information classification is a way to categorise the different types of information in your organisation and apply the level of information security required based on the risk.

With limited resources it doesn’t make sense to apply the highest level of security to all data so we apply it proportionately based on risk and business need.

What is ISO 27001 Annex A 5.12?

ISO 27001 Annex A 5.12 Classification of Information is an ISO 27001 control that requires that an organisation classify information based on the needs of the organisation and relevant interested parties.

ISO 27001 Annex A 5.12 Purpose

The purpose of ISO 27001 Annex A 5.12 is to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.

ISO 27001 Annex A 5.12 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.12 as:

Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.


Information Classification Scheme

You must decide on the information classification scheme that you will adopt.

The information classification scheme is the definition of the information classification levels and the rules that apply to those various levels.

It is used to guide your employees and the people who work with you, and explains to them what is expected for handling and managing data.

Classification schemes can be as complicated or as simple as you want to make them. My advice would be to keep it simple.

Your starting point for deciding what classification scheme to adopt is to review the laws and regulations that relate to you and customer requirements that may contractually oblige you to have a certain scheme in place.

Example Classification Levels

The levels of classification are in the classification scheme.

If you have the benefit of defining your own classification scheme, I have found that three levels of information classification work well for smaller organisations.

The 3 levels of information classification

The 3 levels of information classification are:

Public

This is for documentation that poses little to no risk to you and that you don’t really need to protect. Examples include: marketing, website, promotional materials.

Internal

This is for documentation that’s specific to the organisation. If it became public it could cause some minor embarrassment and poses a medium risk to you. Examples include: Your process documentation, certain management reports, broad based internal communications.

Confidential

This is the highest level of classification. If it became public it could cause major embarrassment, cost you money, put your operations at risk, expose your intellectual property or violate laws and regulations. Examples include: HR data relating to individuals, payroll data, health data, intellectual property, bespoke and proprietary technical and systems information such as code, schematics and information security protections.

Implementation Guide

You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of people we would recommend a simple, 3 tier approach to information classification. As with all aspects of information security you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case then follow their lead. For everyone else, keep it simple.

Key Points

  • You need to understand the information and data that you have and then decide the protection to put in place, proportionate and appropriate to the value of the data.
  • The approach has to be consistent across the organisation and remove personal judgment.
  • The protections are to maintain information security being the confidentiality, integrity and availability of data.
  • It does form one of the foundation blocks of building your information security management system, so take time getting this right and making it appropriate to you.

Write an information and classification handling policy

You need to write an information and classification handling policy. The policy should set out what your levels of classification are. It should address how you approach data protection in terms of the classification of data covered by data protection laws. The policy should lay out all of the expected controls per classification. The scope of the policy will cover the entire information life cycle.

Define the classification scheme

You’re working with the business to understand the needs of the business, operationalise the business and help the business move forward. Whether you choose a predefined classification scheme, have one imposed on you or write your own, you need to define your classification scheme. Examples are provided above and in the policy template.

The classification scheme has to take into account the confidentiality, integrity and availability requirements.

Base on business need

The needs of the business are paramount, and classifications and controls should take those needs into account: the sharing or restricting of information, the availability requirements for information and the protection of information integrity.

Working with your legal team and referencing back to the work done on the legal register, you are going to ensure that your classification scheme fully meets the requirements of the law and relevant regulators.

When you assess the legal and regulatory requirements and create your legal register you are considering the laws that apply to you and impact information security. Ensure those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements will always take priority over your own classification.

Assign Information Owners

The owners of the information are responsible for the classification of the information. Information owners play a key role in information security and if you haven’t already assigned them then you should assign them now.

Review and update information classification

ISO 27001 is a standard based on continual improvement and as such the classification of data and the actual classification scheme should be reviewed and updated on a periodic basis.

Information changes over time in context, use, value. The classification of information should be regularly reviewed over time, at least annually and as significant changes occur.

Align to the topic specific policy requirement for access control

The standard explicitly calls out aligning to the topic specific policy requirement for access control. Access control is directly aligned to information classification.

Be consistent across the organisation

Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.

Be consistent between organisations

Make sure that your classification scheme maps, where relevant and applicable, to that of third parties and customers.

As different organisations have different schemes and approaches you will need to put in place a mechanism to ensure consistency between the schemes used. This will be dependent on use and context, but the idea is that you have in place an agreement on the interpretation of classifications and classification levels.

In addition

  • Put in place an information classification process that describes exactly what you do through the information management lifecycle
  • Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data is – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
  • Follow best practice and your information classification policy for marking data with its classification. This can be visually on the data but also it can be in the meta data. You need to be able to identify the classification level of the information.
  • Put in place controls appropriate to the level of information classification and based on the risk to the business.
  • Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.

Watch the Tutorial

In the video ISO 27001 Annex A 5.12 Classification Of Information Explained I show you how to implement it and how to pass the audit.

ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

ISO 27001 Information Classification and Handling Policy Template

Download the ISO 27001 Information Classification and Handling Policy Template


ISO 27001 Information Classification Summary Template

Download the ISO 27001 Information Classification Summary Template


ISO 27001 Data Asset Register Template

Download the ISO 27001 Data Asset Register Template


How to comply

To comply with ISO 27001 Annex A 5.12 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Decide on your information classification scheme
  • Have a data asset register
  • Assign owners to the data assets
  • Have the data owners decide on the classification level of the information
  • Put in place controls to protect the information that are based on the classification

How to pass the audit

To pass an audit of ISO 27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let's go through them.

1. That information classification has been defined

The audit will check that you have clearly defined your information classification scheme. It will want to see the levels of classification that you have adopted and what they mean. The audit will review the types of information covered by each classification level. It will then check that the controls in place to protect information of each level are appropriate to that level. The auditor will check that information is clearly marked with its level of classification.

2. There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.

3. That data protection has been considered

Irrespective of where you are in the world, data protection laws and regulations will apply to you, to a greater or lesser degree. When defining your information classification levels be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and not be classified as public. Seek specialist help where required.
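As an added illustration that is not part of the original guide, the following Python script runs the three audit checks above over a data asset register: every asset has an owner, a level from the scheme and a visible marking; personal data is not public and special category data is confidential; and the handling controls expected for the level are present. The three-level scheme, the control names and the sample assets are constructed assumptions for the example, not the guide's own policy.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed three-level scheme: level -> minimum handling controls that the
# classification and handling policy expects for that level (assumed names).
SCHEME = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_at_rest"},
}


@dataclass
class Asset:
    """One row of the data asset register (fields are assumptions)."""
    name: str
    owner: str | None             # information owner; decides the level
    classification: str | None    # level from SCHEME, or None if never set
    marked: bool = False          # level shown on the document or in metadata
    personal_data: bool = False   # in scope of data protection law
    special_category: bool = False
    controls: set = field(default_factory=set)  # controls actually applied


def audit_asset(asset: Asset, scheme: dict = SCHEME) -> list[str]:
    """Return the audit findings for one register entry (empty list = pass)."""
    findings = []
    if not asset.owner:
        findings.append("no information owner assigned")
    if asset.classification not in scheme:
        findings.append(f"classification {asset.classification!r} not in scheme")
        return findings  # the remaining checks need a valid level
    if not asset.marked:
        findings.append("not marked with its classification level")
    if asset.personal_data and asset.classification == "public":
        findings.append("personal data classified as public")
    if asset.special_category and asset.classification != "confidential":
        findings.append("special category data not classified as confidential")
    missing = scheme[asset.classification] - asset.controls
    if missing:
        findings.append("missing controls: " + ", ".join(sorted(missing)))
    return findings


def audit_register(register: list[Asset]) -> dict[str, list[str]]:
    """Map each failing asset name to its findings; passing assets are omitted."""
    return {a.name: f for a in register if (f := audit_asset(a))}


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Asset("Website brochure", "Marketing Lead", "public", marked=True),
    Asset("Process manual", "Ops Manager", "internal", marked=True,
          controls={"access_control"}),
    Asset("Payroll export", "HR Director", "confidential", marked=True,
          personal_data=True, controls={"access_control"}),
    Asset("Customer mailing list", None, "public", personal_data=True),
    Asset("Sick leave records", "HR Director", "internal", marked=True,
          personal_data=True, special_category=True,
          controls={"access_control"}),
    Asset("Source code", "CTO", "Restricted", marked=True),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```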

Top 3 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.12 are

1. Your information assets are not marked with classification

You have an information classification scheme but you have not marked up your information assets in a way that clearly and readily indicates its level of classification. If a document is a confidential document, have the word confidential on it. Consider the use of meta data.

2. Making the classification too complicated

It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The simpler it is, the easier it is to manage. Remember we are using classification to help us allocate our limited resources to the protection of the things we care most about. Having crazy classification levels such as public, internal public, internal confidential, confidential secret, top secret rarely adds any value. The admin to implement it is just too much.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months and having documents with no stray comments left in them are all good practices.

ISO 27001 Classification of Information FAQ

What policies do I need for ISO 27001 Annex A 5.12 Classification of Information?

For ISO 27001 Annex A 5.12 Classification of Information you will need the ISO 27001 Information Classification and Handling Policy

Why is ISO 27001 Classification of Information Important?

ISO 27001 Annex A 5.12 Classification of Information is important because we want to protect what is most important to us. We want to put the right levels of controls around our information that do not stop us from doing our work. Putting in place the most sophisticated information security around a public facing marketing document, requiring passwords, fingerprints and biometrics before a customer can access it, makes no sense. Common sense is key. In addition to this we have limited resources in both time and money. Spending those resources wisely to protect the things we hold most dear is sensible. The job of information security is the protection of the confidentiality, integrity and availability of data; it is not the job of information security to stop people doing their job or to tell them what is important to them. It is helping them protect what they think is important in a way that meets their needs in a pragmatic and thought out way.

Who decides the classification level of information?

The data asset owner / information owner is responsible for defining the classification level of the information.

ISO 27001 sets out 4 levels of classification – so I need all 4 right?

No, you do not. The 4 levels of classification in ISO 27001 Annex A 5.12 are explicitly stated as an example. The word is example. And it says that classification ‘can’ be based on the 4 levels. It is not the only way, or the required way; it is the example they give. For full reference the guidance is here:
a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.
It is not a bad example. It is just another layer of complexity to manage. You then have to say what you mean by words like ‘minor’, ‘short-term’. Do what is right for you but do not over complicate it.

Do I need to mark up information with its level of classification?

Yes, information should clearly display its level of classification. You can also consider the use of meta data and meta data tags.

Do I have to satisfy ISO 27001 Annex A 5.12 Classification of Information for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your Statement of Applicability, there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.12 Classification of Information. Classifying data and information is a fundamental part of any information security defence and control. It is a fundamental part of any information security management system. It is explicitly required for ISO 27001.

Can I write policies for ISO 27001 Annex A 5.12 Classification of Information myself?

Yes. You can write the policies for ISO 27001 Annex A 5.12 yourself. You will need a copy of the standard and approximately 3 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for role based access control. Alternatively you can download them from the ISO 27001 Toolkit.

Where can I get templates for ISO 27001 Annex A 5.12 Classification of Information?

ISO 27001 templates for ISO 27001 Annex A 5.12 are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 5.12 Classification of Information?

ISO 27001 Annex A 5.12 is one of the harder aspects of information security to get right. It can take a lot of time if you are doing it yourself as there is a lot to consider. We recommend templates to fast track your implementation.

How long will ISO 27001 Annex A 5.12 Classification of Information take me?

ISO 27001 Annex A 5.12 will take approximately 5 days to complete if you are starting from nothing and doing it yourself. With ISO 27001 templates it should take you less than 1 day.

How much will ISO 27001 Annex A 5.12 Classification of Information cost me?

The cost of ISO 27001 Annex A 5.12 will depend how you go about it. If you do it yourself it will be free but will take you about 5 days so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded.

What are the 3 levels of information classification?

The most common levels of information classification are public, internal and confidential.

What are the 4 levels of information classification recommended by ISO 27001 Annex A 5.12?

To spice things up, the 2022 update added another recommended level of classification by way of guidance. It is guidance only, and the 4 levels of ISO 27001:2022 Annex A 5.12 are:

a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

Further Reading

ISO 27001 Template Documents Ultimate Guide

ISO 27001 Information Classification and Handling Policy Beginner’s Guide

ISO 27001 Data Protection Policy Template

ISO 27001 controls and attribute values

  • Control type: Preventive
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Identify
  • Operational capabilities: Information Protection
  • Security domains: Protection, Defence

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.