The process of sorting information into categories according to how sensitive it is and how much harm would follow if it were disclosed, altered or made unavailable. The category tells an organisation how much protection each piece of data needs, so that valuable or private information is guarded appropriately while public information stays easy to share.
Examples
- Public: A company's website or a press release. This information is meant for everyone to see, so the concern is its integrity (that nobody alters it), not its secrecy.
- Internal: Employee handbooks or meeting notes. This information is for staff only and shouldn't be shared outside the company, although its disclosure would cause limited harm.
- Confidential: Customer records or financial reports. This is highly sensitive data that, if lost or disclosed, could cause serious harm to the company or its clients.
Context
Classifying information is a key step in keeping it secure. It is like putting different valuables into different kinds of safes: you would not put a common coin in a high-security bank vault, and you would not leave a precious gem in an open box. Classification lets a business spend its security resources where they matter and gives everyone a clear rule for how each type of data must be handled, stored and shared. In practice the classification is a label that the controls downstream (access control, encryption, transfer rules, retention) key off, so a document that is never classified, or classified wrongly, ends up protected by default rather than by design.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to classification of information:
- ISO 27001:2022 Annex A 5.12 Classification of information: This is the main control. It requires an organisation to classify its information according to its security needs, taking into account confidentiality, integrity and availability rather than confidentiality alone.
- ISO 27001:2022 Annex A 5.13 Labelling of information: This control is about applying labels to information once it has been classified. The labels let people, and systems, recognise the level of protection the data requires without having to reassess it.
- ISO 27001:2022 Annex A 5.14 Information transfer: This control requires rules and procedures so that information is protected when it is sent or received, whether internally or with other parties. The level of protection applied in transit should match the information's classification.