ISO 27001 Classification Of Information – Training Video


ISO 27001 Annex A 5.12 Classification Of Information – Training Video

In this free ISO 27001 training video we look specifically at ISO 27001 Annex A 5.12 Classification Of Information.


ISO 27001 Classification Of Information – Training Video Transcript

How to implement ISO 27001 Annex A 5.12 classification of information.

Okay, I’m going to talk you through this one.

There’s quite a lot to go at here but we’re going to start off simple and then we’ll do a bit of a deeper dive and a bit of a dig into it.

In basic terms what we’re looking at here is we’re looking at classifying our information within our organisation and we’re classifying it for information security purposes.

So, what do I mean by that? What I mean by that is information within our organisation has a value to us and the value that it has has an associated level of protection that we want to put against it.

If we don’t classify our information we’re not giving anybody any rules or guidance on what it is that we expect them to do and if we classify everything at the same level with the limited resources that we’ve got in terms of time and money and people we’re setting a very high bar for ourselves potentially in terms of how we protect everything.


So let’s think about some basic pieces of information here.

You’re going to have marketing information. Does marketing information need the same level of protection as HR data? Payroll data? Employee benefits data?

I’m hopeful that the answer to you is no.

They are clearly two separate levels, two classifications of data.

We don’t really care who accesses our marketing information but we care a lot about who accesses our payroll information.

Information Classification Scheme

So what we’re going to do is we’re going to put in an information classification scheme and as part of that classification we’re going to provide guidance and rules about what it is that we expect to happen when it comes to each of those levels of classification.

By doing that we can guide our employees and people that work with us and explain to them what it is that we expect them to do with the data that they are being given custody of, whether that’s to process their day-to-day operations or whether it’s for them to manage or whatever that may be.

Now for me I have always worked on a very simple classification scheme, classification schemes can be as complicated as you want to make them.

Your starting point is going to be looking at laws and regulations that relate to you.

Looking at customers that relate to you that may dictate to you the classification scheme that you’re going to implement, right.

Things like the government have their own classification scheme.

It’s quite detailed, it has five levels within it, you know, and it’s quite complicated in what it wants to do.

If you have the benefit of defining your own classification scheme then three levels of information classification for a smaller organisation I have found works very, very well.

Those three levels of classification are

  • public,
  • internal
  • and confidential

So, what we’re saying here is – yes we have documentation that we don’t really need to protect and we classify that as public.

So things like our marketing, our website, things that are external that we’re not overly concerned about people gaining access to and in fact in most cases we want them to gain access to it.

Then we have documentation that’s specific to the organisation.

It could cause some minor embarrassment.

It could cause us some minor problems but it’s internal.

We classify it as Internal Documentation.

These are going to be things like our processes, how we go about operating things, they could be things like a certain level of management reports that are in place.

The third level of classification that I like to go with is confidential.

Now this is the highest level of classification.

A confidential classification is things that would be allocated to things like, yes payroll, yes employee benefits, yes information about individuals.

Here we’re taking a crossover with the GDPR.

I would classify the majority of, um, data subject access, sorry, data information as being confidential.

Anything that relates to an individual I would classify as confidential.

Anything that could identify an individual, special category information, I would classify as confidential.

I think of it this way – this is something that could either break the law if it was disclosed publicly without any control around it, or it could cause you significant embarrassment or financial loss, reputation loss.

It could hurt you.

So, confidential information is the highest level of classification that I would implement in an organisation; that is the level of classification that you are going to throw the majority of your resources at.

This is the one where you’re going to be putting in place all of those technical controls, all those process controls, restricting access to it, making sure that it has the highest level of availability and all the good stuff that goes along with that.

So that has worked well for me for many many years.

When it comes to the end of the standard itself the standard comes with its own guidance and examples on what it thinks information classification should be right.

So, ISO 27001 sets out four levels of classification.

Do you need all four? Not necessarily.

I’m very happy with the 3.

My audits that I’ve had for clients are happy with the 3 but I’m giving you the knowledge and giving you the information.

So, they are provided as an example.

Note the word here – example.

They’re not saying as a checklist that you must implement them.

They’re just trying to give you, as I am, some guidance on how you can classify information but what they have here is

1. disclosure causes no harm

2. disclosure causes minor reputational damage or minor operational impact

3. disclosure has a significant short-term impact on operations or business objectives

4. disclosure has a serious impact on long-term business objectives or puts the survival of the organisation at risk.

Okay, sensible right?

I mean I’ve got no particular issue with them. It’s not a bad example.

It does give an extra level of complexity and then you’re going to start to have to answer the questions: what do you mean by short term? What do you mean by minor? What do you mean by major? What do you mean by long-term?

So you start to add in a little bit of additional complexity but between either the basic one that I have, so public internal confidential, or all the four levels that the standard gives you, you understand the principle that you have to apply the classification of information into your organisation.


Implementation Guide

So your starting point is document what your classification levels are, agree with the business what those examples are, let’s get those down and let’s get those signed off.

So what are the things that we’re going to do when we’re implementing this?

What is my advice to you from an implementation point of view?

You’re going to have an information and classification handling policy.

Clearly, I have an information classification and handling policy template that you can download that’s fully populated or you can look at the video about how you create it and you can create one yourself but you want that policy.

ISO 27001 Information Classification and Handling Policy Template

So, that policy is an absolute lifesaver when it comes to this particular clause. It sets out what your levels of classification are.

It sets out all of the considerations around data protection and how that fits in with your classification.

It lays out and sets out all of the expected controls that you have and it’s probably going to, well it is going to, cover the information life cycle as well.

So what you do at various elements within that life cycle.

So you’re going to have your policy you’re going to have your classification scheme.

We’ve touched on that and we’ve gone through that; we’re going to base it on business need.

So the needs of the business are paramount, as an information security professional it is not your job to introduce a 20 layer information classification that even NASA would wince at.

You know this isn’t an academic exercise.

You’re working with the business to understand the needs of the business, operationalise the business and help the business move forward.

So, whatever level you go with, whether you go with my three whether you go with the example four whether you take an industry classification standard that’s provided by the government you need to base it on the needs of the business as your foundation.

Then what you’re going to do is you’re going to consider the legal requirements.

Are there any legal requirements on you that could influence your classification?

So we’re going to be looking at our legal register, our information security legal register, our legal and regulatory requirements register.

ISO 27001 Legal and Contractual Requirements Register Template

We’re going to be looking, as part of that legal and regulatory requirements register, at our customer requirements: are there any specific customer requirements that we’ve got when it comes to classification?

So all of those are going to feed into that scheme.

When it comes to writing and developing that, at the end of the day, when it comes to the application of classification, information owners decide the classification of their information.

Now the information security manager can help them and can guide them and clearly there are some significant pointers, I mean certain data of certain types just is what it is but we’re working on the principle that information owners decide the classification.

They own it.

They are the owners, they’re the custodians of it.

What we’re going to do is we’re going to review and update information classification over time, so we’re going to look at this at least annually or on the basis of significant change, and we’re going to make sure that our classification is still working for us.

If we are applying the highest level of classification to data that doesn’t need it and it’s consuming resources and cost and time and money in people then we can reassess that.

If the classification scheme that we’ve got is too simple or too complex again we can assess that.

We’re remembering here that ISO 27001 is a standard based on continual improvement.

You don’t necessarily have to get it right on day one but as long as you are continually improving then you are going to be absolutely golden.

What you’re going to do is you’re going to align topic specific policies that you have, other policies, other controls – with your information classification.

So here we’re looking at things like access control; all those technical controls that we have, again, are going to be based on the level of classification that you’ve got, so understand that this has a wider impact and it has a knock-on impact when you go through your implementation, and you’re going to have to tie that in and make sure all the other areas are aligned to it and are following it, so as a result of that you’re going to be consistent across the organisation.

One of the challenges, the bigger you get and the more complex you get, is consistency across the organisation about how you apply information classification, so just be wary of that: everyone has a common understanding of what the protection requirements are, everyone should have an understanding of what the classification scheme is, it should be communicated on a reasonably regular basis, and it should form part of your training and your onboarding of people.

Understand that what we also have to do, and what the standard brought in in 2022, is consistency across organisations, so our ability to map, where relevant and applicable, our information classification scheme to that of other organisations.

Now that could be the information classification scheme of our suppliers; we want to make sure that our suppliers are aligned with us.

So we may have to do a mapping between our classification and what our suppliers have.

Equally our customers are going to have their own information classification and their requirements around that, and their understanding of what the words mean to them and what they’re expecting the controls to be based on those words may not be aligned with what it is that you’re doing, so you are going to have some work to do about making sure that you have aligned your classification scheme with other entities.

To get consistency again about how you are managing and protecting the information that you have.

What other things can we do here? Well, we could put in place an information classification process that describes exactly what you do through the information security management life cycle.

You can keep a data or asset register up to date that shows who is allocated what assets and what level of classification of data there is.

You can follow best practice and your information classification policy for marking data with its classification, so this can be visual, you know, putting the classification within the document, or you might want to start looking at things like metadata, although when we get to that particular control, that’s one that I advise most of my clients to out-scope.
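As an added illustration of the three-level scheme, the mapping to other organisations’ schemes and the data asset register checks described above (constructed example, not code from the video or from High Table; the supplier labels, asset names and the rule that an unknown external label maps to the most protective level are assumptions):

```python
"""Three-level information classification scheme with register checks.

Constructed example. Assumptions: levels 3 and 4 of the ISO 27001 example
scheme both collapse to CONFIDENTIAL, and any external label we cannot map
is treated as CONFIDENTIAL until the owner has reviewed it.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    PUBLIC = 0        # disclosure causes no harm
    INTERNAL = 1      # minor embarrassment or operational impact
    CONFIDENTIAL = 2  # legal breach, significant loss, personal data


# The four-level example scheme from the standard mapped onto our three levels.
ISO_EXAMPLE_TO_OURS = {1: Level.PUBLIC, 2: Level.INTERNAL,
                       3: Level.CONFIDENTIAL, 4: Level.CONFIDENTIAL}

# Hypothetical supplier scheme (labels are constructed for the example).
SUPPLIER_TO_OURS = {"open": Level.PUBLIC, "restricted": Level.INTERNAL,
                    "secret": Level.CONFIDENTIAL}


def map_external(label, mapping):
    """Translate another organisation's label into our scheme.
    An unknown label is not guessed downwards: it defaults to CONFIDENTIAL."""
    return mapping.get(label, Level.CONFIDENTIAL)


@dataclass
class Asset:
    name: str
    owner: str                # information owner decides the classification
    level: Optional[Level]    # None means the owner has not classified it yet
    marked: bool              # document visibly carries its classification
    personal_data: bool       # relates to an identifiable individual (GDPR)


def check_register(assets):
    """Flag the common mistakes an auditor would pick up in the register."""
    findings = []
    for a in assets:
        if a.level is None:
            findings.append((a.name, "no classification assigned by owner"))
        if not a.marked:
            findings.append((a.name, "not marked with classification"))
        if a.personal_data and a.level is not Level.CONFIDENTIAL:
            findings.append((a.name, "personal data should be confidential"))
    return findings


# Constructed sample register: one clean entry and two with problems.
SAMPLE_ASSETS = [
    Asset("Website content", "Marketing", Level.PUBLIC, True, False),
    Asset("Payroll export", "HR", Level.INTERNAL, True, True),
    Asset("Ops procedure", "IT", None, False, False),
]
```

Running `check_register(SAMPLE_ASSETS)` returns one finding for the under-classified payroll export and two for the unclassified, unmarked procedure.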

You’re going to put in place controls appropriate to the level of the information classification and based on the risk of the business so this isn’t a standalone document.

As we’ve referenced it does inform other things and you’re going to communicate your information classification approach to your employees.

You know, having an information classification summary document, again a template that I provide, is a great way of doing that; it’s just a crib sheet, it’s a go-to sheet, where you can see, you know, what are examples of information that fit within each classification, what are the examples of controls, how do I destroy that data in general terms, just distilling down that information classification and handling policy into a one-pager or a sheet that people can use as a go-to.

ISO27001 Information Classification Summary Example

It comes as no surprise as I keep saying it I have a number of templates.

I’ve got an information classification and handling policy, information classification summary, data asset register, and all the other templates in the ISO 27001 templates that you need.

I’ll not go through them; they’re on the High Table ISO 27001 Template Store.

Please go and have a look at those.

So what’s an auditor going to check?

When the auditor comes to check you what is it that they’re going to be looking for?

They’re looking for information classification: has it been defined, is it documented, has it been implemented, has it been approved, has it been signed off, is there physical evidence of information classification?

They’re going to be looking at a data asset register, they want to see a data asset register and they want to see how that data is classified within that data asset register.

They are going to check that; again, it’s about documentation, and they’re going to be looking to make sure that you’ve considered data protection: if GDPR is applicable to you, or similar regulation and laws, has it been considered and is it referenced within your information classification?

So there’s a lot that they’re going to go at there, um, all around documentary evidence, all around making sure that you’ve implemented it and that you have that in place.

When it comes to common mistakes that people make – what are the common mistakes that people make?

Information assets are not marked with classification. This is an easy one; you’ve seen all the documents that I create that have classification on them, and it’s a label and you can see it and it’s a visual representation of what the classification is.

Many people create documents; PowerPoint documents and PDF documents are the worst offenders for this, and they just don’t put classification on it, they just don’t mark it up with classification.

So, whatever the document is that you’re creating that forms part of your management system or an auditor is going to look at, make sure it has classification on it in line with your policy.

The second mistake that we see is making classification too complicated.

The more complicated it is, the harder it is to manage, the more resources it’s going to require and the less likely it is people are going to follow it.

So, just pay heed and attention to that.

Don’t over-complicate this, but do it appropriate to your business need and your legal and regulatory needs.

So, why is it important?

The reason, as we stated at the beginning, is you have limited resources.

You can’t protect everything.

If you have a marketing presentation that requires biometric data, fingerprint, iris scan for somebody just to read some marketing information, it doesn’t make sense.

You’re not going to apply that level of control to that.

So, we need to understand the documentation we’ve got.

The protections that are required for it, and then be proportionate and appropriate to that, but we also need to remove personal judgement from that.

We want to get consistency across our organisation.

We want to make sure that we’re doing it in the right way and that we’re maintaining information security – confidentiality, integrity and availability of data.

So, it’s a very important one to have.

It does form one of the foundation blocks of what it is that you’re going to do when you build your information security management system.

So, please do spend a little bit of time getting this right and making it appropriate to you.

So that was ISO 27001 Annex A 5.12 information classification.
