In this beginner’s guide to ISO 27001 Classification of Information you will learn
- what Classification of Information is
- how to Classify Information
- example Classification schemes you can use straightaway
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
What is Classification of Information?
Information classification is a way to categorise the different types of information in your organisation and apply the level of information security each type requires, based on the risk.
With limited resources it doesn’t make sense to apply the highest level of security to all data so we apply it proportionately based on risk and business need.
Key Points
- You need to understand the information and data that you have and then decide on protection that is proportionate and appropriate to the value of that data.
- The approach has to be consistent across the organisation and remove personal judgement.
- The protections exist to maintain information security, namely the confidentiality, integrity and availability of data.
- It does form one of the foundation blocks of building your information security management system, so take time getting this right and making it appropriate to you.
Why is it important?
The reason is you have limited resources.
You can’t protect everything.
If you have a marketing presentation that requires biometric data, a fingerprint and an iris scan before somebody can read some marketing information, that doesn’t make sense.
You’re not going to apply that level of control to marketing materials.
If we don’t classify our information, we’re not giving anybody any rules or guidance on what we expect them to do. If we classify everything at the same level, then with the limited time, money and people we have, we are potentially setting a very high bar for ourselves in terms of how we protect everything.
So let’s think about some basic pieces of information here.
You’re going to have marketing information. Does marketing information need the same level of protection as HR data? Payroll data? Employee benefits data?
I’m hopeful that the answer to you is no.
They are clearly two separate levels, two classifications of data.
We don’t really care who accesses our marketing information but we care a lot about who accesses our payroll information.
Information Classification Scheme
You must decide on the information classification scheme that you will adopt.
The information classification scheme is the definition of the information classification levels and the rules that apply to those various levels.
It is used to guide your employees and the people that work with you, and to explain to them what is expected when handling and managing data.
Classification schemes can be as complicated or as simple as you want to make them. My advice would be to keep it simple.
Your starting point for deciding what classification scheme to adopt is to review the laws and regulations that relate to you and customer requirements that may contractually oblige you to have a certain scheme in place.
Example Classification Levels
The levels of classification are in the classification scheme.
If you have the benefit of defining your own classification scheme, I have found that three levels of information classification work well for smaller organisations.
- Public Classification: This is for documentation that poses little to no risk to you and that you don’t really need to protect. Examples include: marketing, website, promotional materials.
- Internal Classification: This is for documentation that’s specific to the organisation. If it became public it could cause some minor embarrassment and poses a medium risk to you. Examples include: Your process documentation, certain management reports, broad based internal communications.
- Confidential Classification: This is the highest level of classification. If it became public it could cause major embarrassment, cost you money, put your operations at risk, expose your intellectual property, or violate laws and regulations. Examples include: HR data relating to individuals, payroll data, health data, intellectual property, bespoke and proprietary technical and systems information such as code, schematics and information security protections.
Key Principles
- Write an information and classification handling policy: You need to write an information and classification handling policy. The policy should set out what your levels of classification are. It should address how you approach data protection in terms of the classification of data covered by data protection laws. The policy should lay out all of the expected controls per classification. The scope of the policy will cover the entire information life cycle.
- Define the classification scheme: You’re working with the business to understand the needs of the business, operationalise the business and help the business move forward. Whether you choose a predefined classification scheme, have one imposed on you or write your own, you need to define your classification scheme. Examples are provided above and in the policy template.
- Meet Legal and Regulatory Requirements: Working with your legal team and referencing back to the work done on the legal register you are going to ensure that your classification scheme fully meets the requirements of the law and relevant regulators.
- Assign Information Owners: Information owners play a key role in information security and if you haven’t already assigned them then you should assign them now.
- Review and Update Classification: ISO 27001 is a standard based on continual improvement and as such the classification of data and the actual classification scheme should be reviewed and updated on a periodic basis.
- Write Topic Specific Policies: You are going to align topic specific policies that you have, other policies and other controls with your information classification.
- Adapt as you grow: One of the challenges you will face is that the bigger and more complex you get, the more difficult it becomes to ensure consistency across the organisation in how you apply information classification. You must make sure everyone has a common understanding of what the protection requirements are.
- Be Consistent Across Organisations: Make sure that your classification scheme maps to that of third parties and customers. Where relevant and applicable, you should be able to map your information classification scheme to that of other organisations.
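As an added illustration (not code from the original post or its toolkit), here is a small model of the three-level scheme above that applies two of the principles just listed: the label is derived from the kinds of content a document holds rather than from personal judgement, and a mapping to a third party’s scheme is checked so that it never lowers protection. The category names, the per-level controls and the partner scheme are assumptions made for the example.

```python
from enum import IntEnum

class Level(IntEnum):
    """The three levels from the post, ordered by the protection they require."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

# Kinds of content, with the level the post's examples put them in (names assumed).
CATEGORY_LEVEL = {
    "marketing": Level.PUBLIC,
    "website": Level.PUBLIC,
    "process_documentation": Level.INTERNAL,
    "management_report": Level.INTERNAL,
    "hr_personal": Level.CONFIDENTIAL,
    "payroll": Level.CONFIDENTIAL,
    "source_code": Level.CONFIDENTIAL,
}

# Expected handling controls per level (illustrative; the policy defines the real set).
CONTROLS = {
    Level.PUBLIC: frozenset({"may be published"}),
    Level.INTERNAL: frozenset({"staff and contractors only", "encrypt in transit"}),
    Level.CONFIDENTIAL: frozenset({"named information owner", "need-to-know access",
                                   "encrypt at rest and in transit"}),
}

def classify(categories):
    """Label a document from the kinds of content it holds.
    The highest-risk content wins, so a deck mixing marketing slides with payroll
    figures is Confidential. An unknown category is an error, not a guess, and an
    empty list fails closed to Confidential (both choices are assumptions)."""
    unknown = sorted(set(categories) - set(CATEGORY_LEVEL))
    if unknown:
        raise ValueError(f"no classification rule for: {unknown}")
    return max((CATEGORY_LEVEL[c] for c in categories), default=Level.CONFIDENTIAL)

# Assumed third-party scheme, listed lowest to highest, and how our levels map to it.
PARTNER_LEVELS = ["Unrestricted", "Internal Use", "Restricted", "Secret"]
PARTNER_MAP = {Level.PUBLIC: "Unrestricted", Level.INTERNAL: "Internal Use",
               Level.CONFIDENTIAL: "Restricted"}

def partner_label_ok(level, partner_label):
    """True if the label a partner applied is at least as protective as ours.
    Mapping must never lower protection, so 'Secret' for our Confidential data is
    fine but 'Internal Use' is not."""
    return PARTNER_LEVELS.index(partner_label) >= PARTNER_LEVELS.index(PARTNER_MAP[level])
```

`CONTROLS[classify(categories)]` gives the handling controls the policy expects for a given document.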
ISO 27001 requirement for Classification of Information
The ISO 27001 standard specifically addresses Classification of Information in ISO 27001 Annex A 5.12 Classification of Information.
How to implement Classification of Information
For a detailed guide on how to implement Classification of Information, read the implementation guide ISO 27001 Annex A 5.3 Segregation of Duties.