ISO 27001 Annex A 5.12 Classification Of Information

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.12 Classification Of Information

ISO 27001 Classification Of Information

In this ultimate guide to ISO 27001 Annex A 5.12 Classification Of Information you will learn

  • What is ISO 27001 Annex A 5.12
  • How to implement ISO 27001 Annex A 5.12

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 5.12?

ISO 27001 Annex A 5.12 Classification of Information is an ISO 27001 Annex A control that requires that an organisation should classify information based on the needs of the organisation and relevant interest parities.

Purpose

The purpose of ISO 27001 Annex A 5.12 is to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.

Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.12 as:

Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

ISO 27001:2022 Annex A 5.12 Classification of Information

Implementation Guide

You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of people we would recommend a simple, 3 tier approach to information classification. As with all aspects of information security you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case then follow their lead. For everyone else, keep it simple.

The 3 levels of information classification

The 3 level of information classification are:

Public

What is public information? Public information is information that has little to no value and can be widely shared. It is information that requires the least protection and can be shared with anyone. Examples of public information include sales materials, marketing, website, general announcements.

Internal

What is internal information? Internal information is information that could harm you if it was shared but it would not be the end of the world. Examples of internal information would be your business processes, communications aimed at employees, business updates.

Confidential

What is confidential information? Confidential information is information that could harm you if it was shared. It is information that is protected by laws or regulation. Examples of confidential information are information on personal details of customers and employees, payroll information, bespoke code, intellectual property.

Once you have defined your information classification levels you are going to implement them. To do this you are going to

Have an Information Classification and Handling Policy

Have an Information Classification and Handling Policy that clearly sets out your levels of information classification and exactly what must be done for each level of classification. This information classification policy template is an absolute life saver. Whilst always best practice the requirement for a topic specific policy became explicit in the 2022 update.

Have a classification scheme

The classification scheme has to take into account the confidentiality, integrity and availability requirements.

Base on business need

The needs of the business are paramount and classifications and controls should take into account those needs. Consider the sharing or restricting of information. The availability requirements for information and the protection of information integrity.

When you assess the legal and regulatory requirements and create your legal register you are considering the laws that apply to you that impact information security. Ensuring those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements will always take a priority over your own classification.

Information Owners decide the classification

The owners of the information are responsible for the classification of the information.

Review and update information classification

Information changes over time in context, use, value. The classification of information should be regularly reviewed over time, at least annually and as significant changes occur.

Align to the topic specific policy requirement for access control

The standard explicitly calls out aligning to the topic specific policy requirement for access control. Access control is directly aligned to information classification.

Be consistent across the organisation

Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.

Be Consistent between Organisations

As different organisations have different schemes and approaches you will need to put in place a mechanism to ensure consistency of the schemes used. This will be dependant on use and context but the idea is that you have in place an agreement on the interpretation of classification and classification levels.

In addition

  • Put in place an information classification process that describes exactly what you do through the information management lifecycle
  • Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data is – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
  • Follow best practice and your information classification policy for marking data with its classification. This can be visually on the data but also it can be in the meta data. You need to be able to identify the classification level of the information.
  • Put in place controls appropriate to the level of information classification and based on the risk to the business.
  • Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.

Watch the Tutorial

Watch How to implement ISO 27001 Annex A 5.12 Classification Of Information

ISO 27001 Templates

These ISO 27001 Templates are designed specifically to save you time and effort. These ISO 27001 templates take over 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

How to comply

To comply with ISO 27001 Annex A 5.12 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Decide on your information classification scheme
  • Have a data asset register
  • Assign owners to the data assets
  • Have the data owners decide on the classification level of the information
  • Put in place controls to protect the information that are based on the classification

How to pass an audit

To pass an audit of ISO 27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Lets go through them

1. That information classification has been defined

The audit will check you have a clearly defined your information classification scheme. It will want to see the levels of classification that you have adopted and what that means. The audit will review the types of information covered by each classification level. It will then check that the controls that are in place to protect information of each level are appropriate to that level. They will check that information is clearly marked with its level of classification.

2. There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.

3. That data protection has been considered

Irrespective of where you are in the world, data protection laws and regulations will apply to you. To a greater or lesser degree. When defining your information classification levels be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and not be classified as public. Seek specialist help where required.

Top 3 Mistakes People Make

The top 3 Mistakes People Make For ISO 27001 Annex A 5.12 are

1. Your information assets are not marked with classification

You have an information classification scheme but you have not marked up your information assets in a way that clearly and readily indicates its level of classification. If a document is a confidential document, have the word confidential on it. Consider the use of meta data.

2. Making the classification too complicated

It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The more simple, the easier to manage. Remember we are using classification to help us allocate our limited to resources to the protection of the things we care most about. Having crazy classification levels such as public, internal public, internal confidential, confidential secret, top secret rarely add any value. The admin to implement is just too much.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

FAQ

What policies do I need for ISO 27001 Annex A 5.12 Classification of Information?

For ISO 27001 Annex A 5.12 Classification of Information you will need the ISO 27001 Information Classification and Handling Policy

Why is ISO 27001 Classification of Information Important?

ISO 27001 Annex A 5.12 Classification of Information is important because we want to protect what is most important to us. We want to put the right levels of controls around our information that do not stop us from doing our work. Putting in place the most sophisticated information security around a public facing marketing document that requires passwords and finger prints and biometrics before a customer can access it makes no sense. Common sense is key. In addition to this we have limited resources in both time and money. Spending those resources wisely to protect the things we hold most dear is sensible. The job of information security is the protection of confidentiality, integrity and availability of data it is not the job to of information security to stop people doing their job or telling them what is important to them. It is helping them protect what they think is important in a way that meets their needs in a pragmatic and thought out way.

How decides the classification level of information?

The data asset owner / information owner is responsible for defining the classification level of the information.

ISO 27001 sets out 4 levels of classification – so I need all 4 right?

No, you do not. The 4 levels of classification in ISO 27001 annex a 5.12 are explicitly stated as an example. The word example. And that it ‘can’ be based on the 4 levels. It is not the only way, or the required way, it is the example they give. For full reference the guidance is here:
a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.
It is not a bad example. It is just another layer of complexity to manage. You then have to say what you mean by words like ‘minor’, ‘short-term’. Do what is right for you but do not over complicate it.

Do I need to mark up information with its level of classification?

Yes, information should clearly display its level of classification. You can also consider the use of meta data and meta data tags.

Are there free templates for ISO 27001 Annex A 5.12?

There are templates for ISO 27001 Annex A 5.12 located in the ISO 27001 Toolkit.

ISO 27001 Annex A 5.12 sample PDF?

ISO 27001 Annex A 5.12 Sample PDF in the ISO 27001 Toolkit.

Do I have to satisfy ISO 27001 Annex A 5.12 for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.12 Classification of Information. Classifying data and information are a fundamental part of any information security defence and control. They are a fundamental part of any information security management system. They are explicitly required for ISO 27001.

Can I write polices for ISO 27001 Annex A 5.12 myself?

Yes. You can write the policies for ISO 27001 Annex A 5.12 yourself. You will need a copy of the standard and approximately 3 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for role based access control. Alternatively you can download them from the ISO 27001 Toolkit.

Where can I get templates for ISO 27001 Annex A 5.12?

ISO 27001 templates for ISO 27001 Annex A 5.12 are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 5.12?

ISO 27001 Annex A 5.12 is one of the harder aspects of information security to get right. It can take a lot of time if you are doing it yourself as there is a lot to consider. We recommend templates to fast track your implementation.

How long will ISO 27001 Annex A 5.12 take me?

ISO 27001 Annex A 5.12 will take approximately 5 days to complete if you are starting from nothing and doing it yourself. With an ISO 27001 Template Toolkit it should take you less than 1 day.

How much will ISO 27001 Annex A 5.12 cost me?

The cost of ISO 27001 Annex A 5.12 will depend how you go about it. If you do it yourself it will be free but will take you about 5 days so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO 27001 Policy Template toolkit then you are looking at a couple of hundred pounds / dollars.

What are the 3 levels of information classification?

The most common levels of information classification are public, internal and confidential

What are the 4 levels of information classification recommended by ISO 27001 Annex A 5.12?
To spice things up the 2022 update added in another recommended level of classification by way of guidance. It is guidance only and the 4 levels of ISO 27001:2022 5.12 are

a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

ISO 27001 controls and attribute values

Control typeInformation
security properties
Cybersecurity
concepts
Operational
capabilities
Security domains
PreventiveConfidentialityIdentifyInformation ProtectionProtection
IntegrityDefence
Availability