ISO 27001 Classification Of Information | Beginner’s Guide


In this beginner’s guide to ISO 27001 Classification of Information you will learn:

  • what Classification of Information is
  • how to Classify Information
  • example Classification schemes you can use straightaway

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

What is Classification of Information?

Information classification is a way to categorise the different types of information in your organisation and apply the level of information security each type requires, based on its risk.

With limited resources it doesn’t make sense to apply the highest level of security to all data so we apply it proportionately based on risk and business need.

Key Points

  • You need to understand the information and data that you hold, and then decide on protection that is proportionate and appropriate to the value of that data.
  • The approach has to be consistent across the organisation and remove personal judgment.
  • The protections are to maintain information security being the confidentiality, integrity and availability of data.
  • It does form one of the foundation blocks of building your information security management system, so take time getting this right and making it appropriate to you.


Why is it important?

The reason is you have limited resources.

You can’t protect everything.

If you have a marketing presentation that requires biometric data, fingerprint and iris scan for somebody just to read some marketing information, that doesn’t make sense.

You’re not going to apply that level of control to marketing materials.

If we don’t classify our information, we give nobody any rules or guidance on what we expect them to do. If instead we classify everything at the same level, then with the limited time, money and people we have we are setting a very high bar for ourselves in terms of how we protect everything.

So let’s think about some basic pieces of information here.

You’re going to have marketing information. Does marketing information need the same level of protection as HR data? Payroll data? Employee benefits data?

I’m hopeful that the answer to you is no.

They are clearly two separate levels, two classifications of data.

We don’t really care who accesses our marketing information but we care a lot about who accesses our payroll information.

Information Classification Scheme

You must decide on the information classification scheme that you will adopt.

The information classification scheme is the definition of the information classification levels and the rules that apply to those various levels.

It is used to guide your employees and the people that work with you, and to explain to them what is expected when handling and managing data.

Classification schemes can be as complicated or as simple as you want to make them. My advice would be to keep it simple.

Your starting point for deciding what classification scheme to adopt is to review the laws and regulations that relate to you and customer requirements that may contractually oblige you to have a certain scheme in place.

Example Classification Levels

The levels of classification are in the classification scheme.

If you have the benefit of defining your own classification scheme, I have found that three levels of information classification work well for smaller organisations.

  • Public Classification: This is for documentation that poses little to no risk to you and that you don’t really need to protect. Examples include: marketing, website, promotional materials.
  • Internal Classification: This is for documentation that’s specific to the organisation. If it became public it could cause some minor embarrassment and poses a medium risk to you. Examples include: your process documentation, certain management reports, broad-based internal communications.
  • Confidential Classification: This is the highest level of classification. If it became public it could cause major embarrassment, cost you money, put your operations at risk, expose your intellectual property, or violate laws and regulations. Examples include: HR data relating to individuals, payroll data, health data, intellectual property, and bespoke or proprietary technical and systems information such as code, schematics and information security protections.

Key Principles

  • Write an information classification and handling policy: The policy should set out what your levels of classification are. It should address how you approach data protection in terms of the classification of data covered by data protection laws. The policy should lay out all of the expected controls per classification. The scope of the policy will cover the entire information life cycle.
  • Define the classification scheme: You’re working with the business to understand its needs, operationalise it and help it move forward. Whether you choose a predefined classification scheme, have one imposed on you or write your own, you need to define your classification scheme. Examples are provided above and in the policy template.
  • Meet Legal and Regulatory Requirements: Working with your legal team and referencing back to the work done on the legal register, you are going to ensure that your classification scheme fully meets the requirements of the law and relevant regulators.
  • Assign Information Owners: Information owners play a key role in information security, and if you haven’t already assigned them then you should assign them now.
  • Review and Update Classification: ISO 27001 is a standard based on continual improvement, and as such both the classification of data and the classification scheme itself should be reviewed and updated on a periodic basis.
  • Write Topic Specific Policies: You are going to align the topic specific policies that you have, along with other policies and other controls, with your information classification.
  • Adapt as you grow: One of the challenges you will face is that the bigger and more complex you get, the more difficult it becomes to ensure consistency across the organisation in how you apply information classification. You must make sure everyone has a common understanding of what the protection requirements are.
  • Be Consistent Across Organisations: Make sure that your classification scheme maps to that of third parties and customers. Where relevant and applicable, you should be able to map your information classification scheme to that of other organisations.

ISO 27001 requirement for Classification of Information

The ISO 27001 standard specifically addresses Classification of Information in ISO 27001 Annex A 5.12 Classification Of Information.

How to implement Classification of Information

For a detailed guide on how to implement Classification of Information, read the implementation guide ISO 27001 Annex A 5.3 Segregation of Duties.
