ISO 27001 Annex A 5.12 Classification Of Information


ISO 27001 Information Classification

In this ultimate guide to ISO 27001 Annex A 5.12 Classification Of Information you will learn

  • What is ISO 27001 Data Classification
  • How to implement ISO 27001 information classification
  • Information classification examples

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is Classification of Information?

Information classification is a way to categorise the different types of information in your organisation and to apply the level of information security each type requires, based on its risk.

With limited resources it doesn’t make sense to apply the highest level of security to all data so we apply it proportionately based on risk and business need.

What is ISO 27001 Annex A 5.12?

ISO 27001 Annex A 5.12 Classification of Information is an ISO 27001 Annex A control that requires an organisation to classify information based on the needs of the organisation and relevant interested parties.

ISO 27001 Annex A 5.12 Purpose

The purpose of ISO 27001 Annex A 5.12 is to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.

ISO 27001 Annex A 5.12 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.12 as:

Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

ISO 27001:2022 Annex A 5.12 Classification of Information

Information Classification Scheme

You must decide on the information classification scheme that you will adopt.

The information classification scheme is the definition of the information classification levels and the rules that apply to those various levels.

It is used to guide your employees and the people who work with you, and to explain to them what is expected when handling and managing data.

Classification schemes can be as complicated or as simple as you want to make them. My advice would be to keep it simple.

Your starting point for deciding what classification scheme to adopt is to review the laws and regulations that relate to you and customer requirements that may contractually oblige you to have a certain scheme in place.

Example Classification Levels

The levels of classification are in the classification scheme.

If you have the freedom to define your own classification scheme, I have found that three levels of information classification work well for smaller organisations.

The 3 levels of information classification

The 3 levels of information classification are:

Public

This is for documentation that poses little to no risk to you and that you don’t really need to protect. Examples include: marketing, website, promotional materials.

Internal

This is for documentation that is specific to the organisation. If it became public it could cause some minor embarrassment and it poses a medium risk to you. Examples include: your process documentation, certain management reports, broad based internal communications.

Confidential

This is the highest level of classification. If it became public it could cause major embarrassment, cost you money, put your operations at risk, expose your intellectual property or violate laws and regulations. Examples include: HR data relating to individuals, payroll data, health data, intellectual property, bespoke and proprietary technical and systems information such as code, schematics and information security protections.

Implementation Guide

You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of people we would recommend a simple, 3 tier approach to information classification. As with all aspects of information security you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case then follow their lead. For everyone else, keep it simple.

Key Points

  • You need to understand the information and data that you have and then decide the protection to put in place, proportionate and appropriate to the value of that data.
  • The approach has to be consistent across the organisation and remove personal judgment.
  • The protections are to maintain information security being the confidentiality, integrity and availability of data.
  • It does form one of the foundation blocks of building your information security management system, so take time getting this right and making it appropriate to you.

Write an information and classification handling policy

You need to write an information and classification handling policy. The policy should set out what your levels of classification are. It should address how you approach data protection in terms of the classification of data covered by data protection laws. The policy should lay out all of the expected controls per classification. The scope of the policy will cover the entire information life cycle.

Define the classification scheme

You are working with the business to understand its needs, operationalise the business and help it move forward. Whether you choose a predefined classification scheme, have one imposed on you or write your own, you need to define your classification scheme. Examples are provided above and in the policy template.

The classification scheme has to take into account the confidentiality, integrity and availability requirements.

Base on business need

The needs of the business are paramount, and classifications and controls should take those needs into account. Consider the sharing or restricting of information, the availability requirements for information and the protection of information integrity.

Working with your legal team and referring back to the work done on the legal register, you are going to ensure that your classification scheme fully meets the requirements of the law and relevant regulators.

When you assess the legal and regulatory requirements and create your legal register you are considering the laws that apply to you and that impact information security. Ensure those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements will always take priority over your own classification.

Assign Information Owners

The owners of the information are responsible for the classification of the information. Information owners play a key role in information security and if you haven’t already assigned them then you should assign them now.

Review and update information classification

ISO 27001 is a standard based on continual improvement and as such the classification of data and the actual classification scheme should be reviewed and updated on a periodic basis.

Information changes over time in context, use, value. The classification of information should be regularly reviewed over time, at least annually and as significant changes occur.

Align to the topic specific policy requirement for access control

The standard explicitly calls out aligning to the topic specific policy requirement for access control. Access control is directly aligned to information classification.

Be consistent across the organisation

Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.

Be consistent between organisations

Make sure that your classification scheme maps to those of third parties and customers. Where relevant and applicable, you need to be able to map your information classification scheme to that of other organisations.

As different organisations have different schemes and approaches, you will need to put in place a mechanism to ensure consistency between the schemes used. This will be dependent on use and context, but the idea is that you have in place an agreement on the interpretation of classification and classification levels.

In addition

  • Put in place an information classification process that describes exactly what you do through the information management lifecycle
  • Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data has – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
  • Follow best practice and your information classification policy for marking data with its classification. This can be visible on the data itself, but it can also be in the metadata. You need to be able to identify the classification level of the information.
  • Put in place controls appropriate to the level of information classification and based on the risk to the business.
  • Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.


ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

ISO 27001 Information Classification and Handling Policy Template

Download the ISO 27001 Information Classification and Handling Policy Template


ISO 27001 Information Classification Summary Template

Download the ISO 27001 Information Classification Summary Template


ISO 27001 Data Asset Register Template

Download the ISO 27001 Data Asset Register Template


How to comply

To comply with ISO 27001 Annex A 5.12 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Decide on your information classification scheme
  • Have a data asset register
  • Assign owners to the data assets
  • Have the data owners decide on the classification level of the information
  • Put in place controls to protect the information that are based on the classification

How to pass the audit

To pass an audit of ISO 27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let’s go through them.

1. That information classification has been defined

The audit will check that you have clearly defined your information classification scheme. It will want to see the levels of classification you have adopted and what they mean. The audit will review the types of information covered by each classification level. It will then check that the controls in place to protect information at each level are appropriate to that level. They will check that information is clearly marked with its level of classification.

2. There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.

3. That data protection has been considered

Irrespective of where you are in the world, data protection laws and regulations will apply to you, to a greater or lesser degree. When defining your information classification levels be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and not be classified as public. Seek specialist help where required.
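The steps in “How to comply” and the three auditor checks above can be applied mechanically to a data asset register. The Python below is an added example written for this page, not code from the guide, the toolkit or the ISO standard. It assumes the register is held as a list of records with the field names shown (hypothetical), uses the three-level scheme recommended above as the adopted scheme, and the register rows are constructed sample data. It flags assets with no owner, a classification outside the scheme, personal data marked Public, or no review in the last 12 months.

```python
"""Added example: automated consistency checks over a data asset register.

Applies the points this guide says an auditor checks for Annex A 5.12:
every asset has an owner, every classification comes from the adopted
scheme, personal data is never classified Public, and each entry has been
reviewed within the last 12 months. Field names and sample rows are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence

# The simple three-level scheme this guide recommends (assumed as the adopted scheme).
SCHEME: Sequence[str] = ("Public", "Internal", "Confidential")

# Review interval the guide gives: at least annually.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Asset:
    """One row of the data asset register (hypothetical field names)."""
    name: str
    owner: Optional[str]            # information owner responsible for classification
    classification: Optional[str]   # one of SCHEME, or None if never classified
    personal_data: bool             # subject to data protection law
    last_reviewed: Optional[date]   # date the classification was last reviewed


def check_asset(asset: Asset, today: date, scheme: Sequence[str] = SCHEME) -> List[str]:
    """Return the findings for one asset; an empty list means it passes."""
    findings: List[str] = []
    if not asset.owner:
        findings.append("no owner assigned")
    if asset.classification not in scheme:
        # Unknown labels are reported, never silently mapped onto the scheme.
        findings.append(f"classification {asset.classification!r} not in scheme")
    elif asset.personal_data and asset.classification == "Public":
        # Data protection requirement: personal data is never Public.
        findings.append("personal data must not be classified Public")
    if asset.last_reviewed is None or today - asset.last_reviewed > REVIEW_INTERVAL:
        findings.append("not reviewed in the last 12 months")
    return findings


def check_register(register: Sequence[Asset], today: date,
                   scheme: Sequence[str] = SCHEME) -> Dict[str, List[str]]:
    """Map asset name -> findings, only for assets with at least one finding."""
    report: Dict[str, List[str]] = {}
    for asset in register:
        findings = check_asset(asset, today, scheme)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample register (not from any real organisation).
SAMPLE_REGISTER = [
    Asset("Website copy", "Marketing", "Public", False, date(2024, 3, 1)),
    Asset("Payroll export", "Finance", "Confidential", True, date(2024, 1, 15)),
    Asset("Customer mailing list", "Marketing", "Public", True, date(2024, 2, 1)),
    Asset("Old process document", None, "Internal", False, date(2022, 12, 1)),
    Asset("Supplier contracts", "Legal", "Restricted", False, date(2024, 5, 1)),
]

if __name__ == "__main__":
    # Run the checks as at a fixed (constructed) audit date.
    for name, findings in check_register(SAMPLE_REGISTER, date(2024, 6, 1)).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against the sample rows, the two clean entries produce no output and the other three are listed with their findings. The “Restricted” label is reported rather than guessed at: if a customer or third party imposes a different scheme, the agreed mapping between the schemes belongs in the register or the policy, not in the checker.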

Top 3 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.12 are

1. Your information assets are not marked with classification

You have an information classification scheme but you have not marked up your information assets in a way that clearly and readily indicates their level of classification. If a document is a confidential document, have the word confidential on it. Consider the use of metadata.

2. Making the classification too complicated

It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The simpler it is, the easier it is to manage. Remember we are using classification to help us allocate our limited resources to the protection of the things we care most about. Having excessive classification levels such as public, internal public, internal confidential, confidential secret, top secret rarely adds any value. The admin to implement them is just too much.

3. Your document and version control is wrong

Keep your document version control up to date, make sure that version numbers match wherever they are used, have a review evidenced in the last 12 months and leave no stray comments in documents; these are all good practices.


ISO 27001 Classification of Information FAQ

What policies do I need for ISO 27001 Annex A 5.12 Classification of Information?

For ISO 27001 Annex A 5.12 Classification of Information you will need the ISO 27001 Information Classification and Handling Policy.

Why is ISO 27001 Classification of Information Important?

ISO 27001 Annex A 5.12 Classification of Information is important because we want to protect what is most important to us. We want to put the right levels of controls around our information, controls that do not stop us from doing our work. Putting the most sophisticated information security around a public facing marketing document, requiring passwords, fingerprints and biometrics before a customer can access it, makes no sense. Common sense is key. In addition to this we have limited resources in both time and money. Spending those resources wisely to protect the things we hold most dear is sensible. The job of information security is the protection of the confidentiality, integrity and availability of data; it is not the job of information security to stop people doing their job or to tell them what is important to them. It is to help them protect what they think is important in a way that meets their needs, in a pragmatic and thought out way.

Who decides the classification level of information?

The data asset owner / information owner is responsible for defining the classification level of the information.

ISO 27001 sets out 4 levels of classification – so I need all 4 right?

No, you do not. The 4 levels of classification in ISO 27001 Annex A 5.12 are explicitly stated as an example. The word used is example. And the standard says that classification ‘can’ be based on the 4 levels. It is not the only way, or the required way; it is the example they give. For full reference the guidance is here:
a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.
It is not a bad example. It is just another layer of complexity to manage. You then have to say what you mean by words like ‘minor’, ‘short-term’. Do what is right for you but do not over complicate it.

Do I need to mark up information with its level of classification?

Yes, information should clearly display its level of classification. You can also consider the use of meta data and meta data tags.

Do I have to satisfy ISO 27001 Annex A 5.12 Classification of Information for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your Statement of Applicability, there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.12 Classification of Information. Classifying data and information is a fundamental part of any information security defence and control. It is a fundamental part of any information security management system. It is explicitly required for ISO 27001.

Can I write policies for ISO 27001 Annex A 5.12 Classification of Information myself?

Yes. You can write the policies for ISO 27001 Annex A 5.12 yourself. You will need a copy of the standard and approximately 3 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for role based access control. Alternatively you can download them from the ISO 27001 Toolkit.

Where can I get templates for ISO 27001 Annex A 5.12 Classification of Information?

ISO 27001 templates for ISO 27001 Annex A 5.12 are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 5.12 Classification of Information?

ISO 27001 Annex A 5.12 is one of the harder aspects of information security to get right. It can take a lot of time if you are doing it yourself as there is a lot to consider. We recommend templates to fast track your implementation.

How long will ISO 27001 Annex A 5.12 Classification of Information take me?

ISO 27001 Annex A 5.12 will take approximately 5 days to complete if you are starting from nothing and doing it yourself. With ISO 27001 templates it should take you less than 1 day.

How much will ISO 27001 Annex A 5.12 Classification of Information cost me?

The cost of ISO 27001 Annex A 5.12 will depend on how you go about it. If you do it yourself it will be free but will take you about 5 days, so the cost is the lost opportunity cost of tying up resource doing something that can easily be downloaded.

What are the 3 levels of information classification?

The most common levels of information classification are public, internal and confidential.

What are the 4 levels of information classification recommended by ISO 27001 Annex A 5.12?

To spice things up, the 2022 update added another recommended level of classification by way of guidance. It is guidance only, and the 4 levels in ISO 27001:2022 Annex A 5.12 are:

a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

ISO 27001 controls and attribute values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify
Operational capabilities: Information Protection
Security domains: Protection, Defence