In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001 Annex A 5.12 Classification of information without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.
Key Takeaways: ISO 27001 Annex A 5.12 Classification of Information (SME Edition)
For Small and Medium-sized Enterprises (SMEs), ISO 27001 Annex A 5.12 is the strategic “intelligence layer” of your security program. It ensures you allocate your limited resources proportionally, applying robust security to critical assets without wasting time or money over-protecting public data. The goal is to move away from personal judgment and establish a simple, consistent set of rules that everyone in the company follows.
Core requirements for compliance include:
- The “Keep It Simple” Scheme: While the standard offers complex examples, SMEs should adopt a 3-Level Classification Scheme (Public, Internal, Confidential). This minimizes decision fatigue and ensures staff actually use it.
- Proportional Protection: The level of security must match the value of the data. “Fort Knox” security for a marketing brochure is a waste; unencrypted payroll data is a disaster.
- Asset Inventory Link: You cannot classify what you don’t know. This control relies entirely on a complete Information Asset Register (Annex A 5.9).
- Information Owners: Every data set (e.g., HR Files, Client Code) must have a designated “Owner” (usually a department head, not IT) who is responsible for assigning its classification.
- Legal “Hard Floor”: Regardless of your internal preferences, data protection laws (like GDPR) set a minimum standard. Any data containing PII (Personally Identifiable Information) must never be classified as “Public.”
Audit Focus: Auditors will look for “The Consistency Check”:
- Policy vs. Reality: “Your policy says ‘Confidential’ documents must be labeled. Show me a sample of HR files, are they actually labeled?”
- The “Why” Test: “Why is this client list classified as ‘Internal’ rather than ‘Confidential’? Does this align with your definition of damage impact?”
- Owner Awareness: “Who owns this financial data? Do they know they are responsible for its classification level?”
SME Classification Matrix:
This simplified 3-level model is auditor-approved and highly effective for smaller teams.
| Level | Core Question (The Test) | Examples | Security Requirement |
|---|---|---|---|
| Public | “If this leaks, would anyone care?” (No impact). | Marketing brochures, Job posts, Press releases. | None / Integrity checks only. |
| Internal | “Would this cause embarrassment or operational pain?” | Internal memos, Meeting minutes, Draft policies. | Access restricted to staff only. |
| Confidential | “Would this cause financial loss, legal issues, or ruin our reputation?” | HR records, Payroll, PII, Source Code, Passwords. | Encryption, MFA, & Strict Need-to-Know. |
Table of contents
- What is ISO 27001 Annex A 5.12?
- Translating the Standard into SME Business Sense
- How Annex A 5.12 Connects to Your Entire ISMS
- Designing Your Classification Scheme: The “Keep It Simple” Framework
- ISO 27001 Annex A 5.12 Implementation Guide for SMEs
- Passing Your ISO 27001 Annex A 5.12 Audit: Common SME Pitfalls and Auditor Expectations
- Fast Track ISO 27001 Annex A 5.12 Compliance for SMEs with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.12 FAQ for SMEs
- Conclusion
What is ISO 27001 Annex A 5.12?
Annex A 5.12 is a preventative control designed to ensure you identify and understand the protection needs of your information based on its importance, legal requirements, criticality, and sensitivity. The standard itself puts it clearly:
“Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.”
That last part, “relevant interested party requirements,” is key. In the real world, this means your external stakeholders. This primarily includes regulators like data protection authorities and your customers, whose contracts may dictate how you handle their data.
Translating the Standard into SME Business Sense
For an SME, the core principle is proportional protection. You would not apply “Fort Knox level security” to a public marketing brochure. It would be a ridiculous waste of money and would slow your team down. Likewise, leaving unencrypted payroll data on an open server would be catastrophic. Information classification provides an internal prioritisation system that removes personal judgment and ensures everyone handles data consistently.
As one expert puts it, “protecting everything equally… means protecting nothing effectively.” By creating clear categories, you empower your employees to make smart, consistent security decisions without guesswork. This ensures your most critical assets get the robust protection they need.
How Annex A 5.12 Connects to Your Entire ISMS
Information classification is not a standalone activity. It is a foundational control that directly enables other critical security measures within your ISMS.
- It is a prerequisite for creating effective access control policies (Annex A 5.15). You cannot restrict access to confidential data if you have not first identified what data is confidential.
- It provides the logic for the practical act of labelling information (Annex A 5.13), which is how employees know what classification a document or file has.
- It relies on having a complete ‘Inventory of information’ (Annex A 5.9). You must know what information you have before you can classify it.
Understanding this control’s strategic importance is the first step. The next is designing the practical tool to implement it: your classification scheme.
Designing Your Classification Scheme: The “Keep It Simple” Framework
Your classification scheme is the practical “rule book” for employees. Its effectiveness hinges entirely on its simplicity and usability. An overly complicated scheme is a useless one. It creates decision fatigue, encourages people to either ignore it or classify everything at the highest level “just in case,” and ultimately defeats the control’s purpose.
The Recommended 3-Level Scheme for SMEs
For most SMEs, a simple, three-level classification scheme is the most effective starting point. It is easy to understand, memorable, and covers the vast majority of business use cases. The scheme is built around answering one core question for every piece of data.
| Level | Core Question: “What’s the impact if this data leaks?” | Practical Examples |
|---|---|---|
| Public | Disclosure poses little to no risk. No one would care if it was on the front page of the news. | Marketing materials, website content, press releases, job postings. |
| Internal | Disclosure would cause minor damage, some embarrassment, or an operational headache, but the business moves on. | Internal process documents, drafts of internal memos, some meeting minutes. |
| Confidential | Disclosure would cause catastrophic damage: major financial loss, breaking major laws (like GDPR), or exposing intellectual property. | HR files, unencrypted payroll data, proprietary source code, sensitive customer databases, health data. |
What About the ISO 27001:2022 Four-Level Example?
The 2022 version of the standard provides an example of a four-level scheme based on the following impact levels:
- a) Disclosure causes no harm.
- b) Disclosure causes minor reputational damage or minor operational impact.
- c) Disclosure has a significant short-term impact on operations or business objectives.
- d) Disclosure has a serious impact on long-term business objectives or risks the organisation’s survival.
While sensible, this scheme can introduce “additional complexity” for an SME by forcing you to define ambiguous terms like ‘minor’ vs ‘major’ and ‘short-term’ vs ‘long-term’. It is crucial to remember that the standard does not mandate this scheme. The goal is effectiveness, not blindly following a template.
A Quick Note on Naming
Does ISO care what you call these levels? Not at all. As one auditor put it, you could “call it Bob for all they care.”
What is critical is that you:
- Clearly define your chosen scheme.
- Ensure it addresses your specific business and legal risks.
- Apply the corresponding security controls consistently.
With a simple, well-defined scheme in hand, you can move on to the concrete actions required for implementation.
ISO 27001 Annex A 5.12 Implementation Guide for SMEs
Putting Annex A 5.12 into practice involves a series of clear, mandatory actions. This section serves as an actionable checklist to guide you through the entire process, ensuring you cover all the requirements for a successful audit.
Step 1: Write the Cornerstone Policy
Your first action is to create a formal ‘Information Classification and Handling Policy’. This is the foundational document that an auditor will ask to see. It must officially define your classification levels, specify the handling rules and security controls for each level, and describe how classification applies across the entire information lifecycle, from creation to secure destruction.
Step 2: Define and Base the Scheme on Business Needs
Within the policy, your classification scheme must be formally defined. This definition must demonstrate that you have considered the ‘CIA triad’ (confidentiality, integrity, and availability) for your information. Crucially, the scheme must be based on the paramount needs of the business, not on an “academic exercise.” It should enable your operations, not hinder them.
Step 3: Integrate Legal and Customer Requirements
You must consult your organisation’s legal register and customer contracts and incorporate their requirements into your scheme. Legal obligations, particularly data protection laws like GDPR, create a “hard floor” for classification that you cannot ignore. This leads to two non-negotiable rules:
- Any data containing Personally Identifiable Information (PII) can never be classified as ‘Public’. ‘Public’ means no special handling is required, and PII always requires handling controls, so such data must be classified as at least ‘Internal’.
- Special category data (e.g., health data, biometrics) will almost always have to be classified as ‘Confidential’ due to its high sensitivity and the severe legal penalties for a breach.
Step 4: Assign Information Owners for Accountability
The standard requires that every information asset has an assigned ‘Information Owner’. This is typically the department head or manager who creates or is responsible for the data (e.g., the Head of HR owns HR files). This owner, not the IT team, is responsible for classifying their information. Assigning owners is crucial for establishing clear accountability.
A common problem is owners over-classifying everything to be safe; this is best managed through crystal-clear policy definitions and training. You can then have a business discussion about it: if they over-classify, they are wasting company resources.
Step 5: Maintain Consistency Internally and Externally
The classification scheme must be applied consistently across all departments, from HR to Finance to Marketing. The 2022 standard update also introduced a new requirement for consistency between organisations. When you share information with partners or suppliers, you must have a way to map your classification scheme to theirs. This ensures that when your ‘Confidential’ data is sent to a partner, it receives the same level of protection even if they call it ‘Restricted’: your ‘Confidential’ must mean the same thing, and trigger the same handling, as their ‘Restricted’.
Step 6: Review and Update Annually
Information classification is not a one-time task. Review your classification scheme and the classifications of your information at least once a year (the interval auditors will typically expect to see evidenced) and whenever a significant business change occurs. The value, importance, and sensitivity of data can change over time, and your classifications must be updated to reflect this reality.
Following these steps will build a robust system, but the final test is the audit itself.
Passing Your ISO 27001 Annex A 5.12 Audit: Common SME Pitfalls and Auditor Expectations
Let’s be tactical. We want you to pass your audit. By understanding the most common mistakes and knowing exactly what an auditor will look for, you can turn the audit from a stressful event into a straightforward validation of your hard work. This section is your practical cheat sheet for audit success.
Top 3 Mistakes to Avoid
Auditors see the same simple mistakes repeatedly. Avoiding them is one of the easiest ways to ensure a smooth audit.
- Lack of Marking: This is a major compliance gap an auditor will spot in minutes. It occurs when a company defines a beautiful classification scheme in a policy but fails to actually label its information assets. If information is not marked, an employee has no idea how to handle a given file. They should not have to look up a policy; the label should tell them what to do.
- Over-Complication: This is the primary failure for this control. Creating too many classification levels (e.g., six or seven) inevitably leads to confusion, decision fatigue, and inconsistent application. Employees will either ignore the scheme or default to the highest level, which brings you back to the problem of trying to protect everything and therefore protecting nothing effectively. One auditor recalled a firm with seven levels that “spent more time arguing about the names than actually protecting the data.”
- Document Control Errors: This is a guaranteed audit fail. The auditor will check your ‘Information Classification and Handling Policy’ itself. They will look for a version number, proof of formal approval, and evidence that the document has been reviewed within the last 12 months. An outdated policy is an instant nonconformity.
What Your Auditor Wants to See
An auditor’s job is to verify that your ISMS is defined, implemented, and maintained. For Annex A 5.12, they will look for three key pieces of evidence.
- A Clearly Defined Scheme: The first thing an auditor will do is read your policy. They will check that your classification levels are clearly defined and that the security controls you have associated with each level are logical and appropriate for your organisation’s specific risks.
- An Up-to-Date Data Asset Register: Next, the auditor will ask for your data asset register (from Annex A 5.9). They will select a few sample assets from the list and verify that each one has a designated owner and a documented classification level, proving that the scheme has been implemented.
- Proof of Data Protection Consideration: Finally, the auditor will review your policy and asset register together. They will specifically look for assets containing Personally Identifiable Information (PII) to verify that they are classified appropriately, typically as ‘Internal’ or ‘Confidential’, but never as ‘Public’.
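The checks above (Steps 3 to 6 of the implementation guide and the three pieces of evidence an auditor samples) can be run mechanically against your asset register before the auditor does it by hand. The script below is an added example, not part of this article or of any toolkit: it reads a constructed sample register in the CSV layout assumed here (asset, owner, classification, contains_pii, special_category, last_reviewed), applies the 3-level scheme from this page, enforces the PII “hard floor”, flags missing owners, undefined levels and reviews older than 12 months, and maps levels to a hypothetical partner scheme for Step 5. The column names, the partner level names and the sample rows are assumptions for illustration.

```python
"""Consistency check of an information asset register against a 3-level scheme.

Added example: the column layout, partner scheme and sample rows are assumptions,
not taken from the standard or from any toolkit.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# The scheme used on this page, ordered from least to most restrictive.
LEVELS = ("Public", "Internal", "Confidential")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Step 5: hypothetical mapping to a partner that uses Open / Restricted / Secret.
PARTNER_MAP = {"Public": "Open", "Internal": "Restricted", "Confidential": "Secret"}


@dataclass
class Finding:
    asset: str
    rule: str
    detail: str


def minimum_level(contains_pii: bool, special_category: bool) -> str:
    """Step 3 'hard floor': PII is at least Internal; special category data is Confidential."""
    if special_category:
        return "Confidential"
    if contains_pii:
        return "Internal"
    return "Public"


def partner_level(level: str) -> str:
    """Step 5: the partner's label that must carry the same handling as ours."""
    return PARTNER_MAP[level]


def check_register(csv_text: str, today: date, max_review_age_days: int = 365) -> list[Finding]:
    """Return one Finding per rule an asset row breaks (empty list means the register is clean)."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["asset"].strip()
        level = row["classification"].strip()
        # Rule: the level must be one of the defined levels (an auditor's 'defined scheme' check).
        if level not in RANK:
            findings.append(Finding(name, "undefined-level", f"'{level}' is not in the scheme"))
            continue
        # Rule: every asset has an information owner (Step 4).
        if not row["owner"].strip():
            findings.append(Finding(name, "no-owner", "no information owner assigned"))
        # Rule: classification may not sit below the legal floor (Step 3).
        pii = row["contains_pii"].strip().lower() == "yes"
        special = row["special_category"].strip().lower() == "yes"
        floor = minimum_level(pii, special)
        if RANK[level] < RANK[floor]:
            findings.append(Finding(name, "below-legal-floor", f"{level} is below required {floor}"))
        # Rule: reviewed within the last 12 months (Step 6).
        last_review = date.fromisoformat(row["last_reviewed"].strip())
        if today - last_review > timedelta(days=max_review_age_days):
            findings.append(Finding(name, "stale-review", f"last reviewed {last_review}"))
    return findings


# Constructed sample register: each row after the first deliberately breaks one rule.
SAMPLE_REGISTER = """asset,owner,classification,contains_pii,special_category,last_reviewed
Marketing brochure,Head of Marketing,Public,no,no,2025-03-01
Customer mailing list,Head of Sales,Public,yes,no,2025-03-01
Staff health records,Head of HR,Internal,yes,yes,2025-03-01
Payroll export,Head of Finance,Confidential,yes,no,2023-11-15
Draft policy,,Internal,no,no,2025-03-01
Source code,CTO,Secret,no,no,2025-03-01
"""


def sample_findings() -> list[Finding]:
    """Run the check over the constructed register as of a fixed audit date."""
    return check_register(SAMPLE_REGISTER, date(2025, 6, 1))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.asset}: {f.rule} ({f.detail})")
```

Run it over an export of your real register before the audit; every line it prints is a question the auditor would otherwise ask you in the room. The “undefined-level” rule also catches the Step 5 problem in reverse: a partner’s label (such as “Secret”) that has leaked into your own register without being mapped back to your scheme.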
Even with this knowledge, some specific questions often arise during implementation.
Fast Track ISO 27001 Annex A 5.12 Compliance for SMEs with the ISO 27001 Toolkit
For Small Businesses and SMEs, ISO 27001 Annex A 5.12 (Classification of information) is the strategic starting point for your entire security program. It’s the control that helps you decide what to protect and critically how much security to apply. Protecting everything equally means protecting nothing effectively. You need a scheme that ensures your most valuable assets get the strongest protection without wasting resources on public data.
While SaaS compliance platforms often try to sell you “automated data discovery” or complex “classification workflows,” they cannot actually decide whether a specific draft memo is “Internal” or “Confidential” for your unique business culture; those are human governance tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides a “Keep It Simple” framework without a recurring subscription fee.
1. Ownership: You Own Your Classification Scheme Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your classification levels and store your asset register inside their proprietary system, you are essentially renting your own security logic.
- The Toolkit Advantage: You receive the Information Classification and Handling Policy and Data Asset Register in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as your specific 3-level classification scheme), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: The 3-Level “Keep It Simple” Framework
Annex A 5.12 is about proportional protection. You don’t need a complex new software interface to manage what a simple, memorisable 3-level scheme (Public, Internal, Confidential) already does perfectly.
- The Toolkit Advantage: SMEs have limited time and people. An overly complicated scheme (like the 4-level example in the 2022 standard) creates decision fatigue and confusion. The Toolkit provides a pre-written, auditor-verified 3-level framework that is easy for employees to understand and follow, without forcing your team to learn a new software platform just to classify a document.
3. Cost: A One-Off Fee vs. The “Asset” Tax
Many compliance SaaS platforms charge more based on the number of “classified assets” or “users” you track. For an SME, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you classify 10 assets or 1,000, the cost of your Classification Documentation remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Security Logic
SaaS tools often mandate specific ways to report on and monitor “information classification.” If their system doesn’t match your unique business flow or specialized industry requirements (like specific GDPR handling), the tool becomes a bottleneck to efficiency.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Classification Procedures to match exactly how you operate, from simple manual marking to advanced metadata tagging. You maintain total freedom to evolve your security strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For SMEs, the auditor wants to see a clearly defined classification scheme and proof that it has been applied to your data (e.g., an up-to-date data asset register with assigned owners). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control, reducing implementation time from 5 days to less than one day.
ISO 27001 Annex A 5.12 FAQ for SMEs
This section provides quick, clear answers to the most common questions SMEs have when implementing Annex A 5.12 for the first time.
What is the difference between classification and labelling?
Classification is the act of determining the sensitivity and protection requirements of information. Labelling (covered in control 5.13) is the practical act of marking that information with its classification, for example, by adding a “Confidential” header to a document or applying metadata to a file.
Who is responsible for classifying information?
The information owner is responsible. This is the person or team that created the data or is responsible for its management (e.g., the HR department owns HR data).
Do I have to use the 4 levels recommended in the ISO 27001:2022 standard?
No. The standard explicitly states that the four-level scheme is just an “example” and not a mandate. You should adopt a scheme, like the three-level model recommended here, that is simple and works for your business.
How long will this take to implement from scratch?
For an SME starting from nothing, creating the policy, defining the scheme, and rolling it out could easily take “five full days of work” or more. This represents a significant opportunity cost. In contrast, using a pre-built toolkit such as hightable.io with auditor-verified templates can reduce this implementation time to “less than a day.”
Conclusion
A well-implemented information classification system is not about creating bureaucracy; it is about embedding “institutionalised common sense” into your organisation’s culture. The key to success, especially for an SME, is to follow the “Keep it Simple” mantra. A straightforward, clearly defined classification scheme is one that your employees will actually use, making it an effective tool for managing risk. By getting this foundational control right, you make your entire ISMS more efficient and effective, ensuring your business protects what matters most without getting in the way of its operations.