ISO27001 Annex A 5.12 Classification of Information Beginner’s Guide

ISO27002:2022 Clause 5.12 Classification of Information

In this article I lay bare ISO27001:2022 Annex A 5.12 / ISO27002:2022 Clause 5.12 Classification of Information.

A beginner's guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is ISO27001 Annex A 5.12.

What is ISO27001 Annex A 5.12?

ISO27001 Annex A 5.12 Classification of Information is an ISO27002:2022 control that requires an organisation to classify information based on the needs of the organisation and of relevant interested parties.

ISO27001 Annex A 5.12 Definition

The ISO27001 standard defines ISO27001 Annex A 5.12 Classification of Information as:

Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

ISO27001 Annex A 5.12

ISO27001 Annex A 5.12 Implementation Guide

You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of people we would recommend a simple, 3-tier approach to information classification. As with all aspects of information security, you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case then follow their lead. For everyone else, keep it simple.

The 3 levels of information classification

The 3 levels of information classification are:

Public

What is public information? Public information is information that has little to no value if disclosed and can be widely shared. It is information that requires the least protection and can be shared with anyone. Examples of public information include sales materials, marketing collateral, website content and general announcements.

Internal

What is internal information? Internal information is information that could harm you if it was shared, but not seriously. Examples of internal information would be your business processes, communications aimed at employees and business updates.

Confidential

What is confidential information? Confidential information is information that could seriously harm you if it was shared. It is often information that is protected by law or regulation. Examples of confidential information are the personal details of customers and employees, payroll information, bespoke code and intellectual property.

Once you have defined your information classification levels you are going to implement them. To do this you are going to:

Have an Information Classification and Handling Policy

Have an Information Classification and Handling Policy that clearly sets out your levels of information classification and exactly what must be done for each level of classification. This information classification policy template is an absolute life saver. Whilst always best practice, the requirement for a topic-specific policy became explicit in the 2022 update.

Have a classification scheme

The classification scheme has to take into account the confidentiality, integrity and availability requirements.

Base it on business need

The needs of the business are paramount, and classifications and controls should take those needs into account. Consider the sharing or restricting of information, the availability requirements for information and the protection of information integrity.

When you assess the legal and regulatory requirements and create your legal register, you are considering the laws that apply to you and that impact information security. Ensure those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements always take priority over your own classification.

Information Owners decide the classification

The owners of the information are responsible for the classification of the information.

Review and update information classification

Information changes over time in context, use and value. The classification of information should be reviewed regularly, at least annually and whenever significant changes occur.

Align to the topic specific policy requirement for access control

The standard explicitly calls out aligning with the topic-specific policy requirement for access control. Access control is directly aligned with information classification: the classification level drives who may access the information.

Be consistent across the organisation

Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.

Be Consistent between Organisations

As different organisations have different schemes and approaches, you will need to put in place a mechanism to ensure consistency between the schemes used. This will be dependent on use and context, but the idea is that you have in place an agreement on the interpretation of classifications and classification levels.

In addition

  • Put in place an information classification process that describes exactly what you do through the information management lifecycle
  • Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data is – which we covered in ISO27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
  • Follow best practice and your information classification policy for marking data with its classification. This can be visible on the data itself, but it can also be in the metadata. You need to be able to identify the classification level of the information.
  • Put in place controls appropriate to the level of information classification and based on the risk to the business.
  • Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.

ISO27001 Annex A 5.12 Templates

These ISO27001 Templates are designed specifically to save you time and effort. These ISO27001 templates take over 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

ISO27001 Information Classification and Handling Policy-Black
ISO27001 Information Classification Summary-Black
ISO27001 Annex A 5.11 Return of Assets Data Asset Register
ISO27001 Annex A 5.11 Return of Assets ISO27001 Templates Toolkit

How to comply with ISO27001 Annex A 5.12

To comply with ISO27001 Annex A 5.12 you are going to implement the ‘how’ for the ‘what’ the control is expecting. In short, you are going to:

  • Decide on your information classification scheme
  • Have a data asset register
  • Assign owners to the data assets
  • Have the data owners decide on the classification level of the information
  • Put in place controls to protect the information that are based on the classification

How to pass an audit of ISO27001 Annex A 5.12

To pass an audit of ISO27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Let's go through them.

#1 That information classification has been defined

The audit will check that you have clearly defined your information classification scheme. It will want to see the levels of classification that you have adopted and what each level means. The audit will review the types of information covered by each classification level. It will then check that the controls in place to protect information at each level are appropriate to that level. They will check that information is clearly marked with its level of classification.

#2 There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.

#3 That data protection has been considered

Irrespective of where you are in the world, data protection laws and regulations will apply to you to a greater or lesser degree. When defining your information classification levels, be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and must not be classified as public. Seek specialist help where required.
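The compliance steps and the three audit checks above, as an added example that is not part of this article or the author's templates: a small Python check that runs a data asset register against the expectations set out on this page (an owner is assigned, the classification is one of the three tiers, personal data is never public, and the classification has been reviewed within the last 12 months). The register field names and the one-line handling rules are assumptions; the register rows are constructed sample data.

```python
"""Check a data asset register against the Annex A 5.12 expectations above.

Added example, not the author's own templates. Field names in the register
rows are assumptions; the rows themselves are constructed sample data.
"""
from datetime import date

# The simple three-tier scheme recommended above. The handling rule beside
# each level is an illustrative assumption, not text from the standard.
SCHEME = {
    "public": "may be shared with anyone",
    "internal": "employees only; do not publish externally",
    "confidential": "need-to-know access; protected by law or regulation",
}

# Constructed "today" so the review-age check is reproducible.
TODAY = date(2024, 6, 1)

def check_register(register, today=TODAY, review_days=365):
    """Return (asset name, finding) pairs an auditor would raise."""
    findings = []
    for asset in register:
        name = asset["name"]
        if not asset.get("owner"):                      # audit check #2
            findings.append((name, "no owner assigned"))
        level = asset.get("classification")
        if level not in SCHEME:                         # audit check #1
            findings.append((name, f"classification {level!r} not in scheme"))
        elif asset.get("personal_data") and level == "public":  # check #3
            findings.append((name, "personal data must not be public"))
        reviewed = asset.get("last_reviewed")           # review at least annually
        if reviewed is None or (today - reviewed).days > review_days:
            findings.append((name, "classification not reviewed in last 12 months"))
    return findings

# Constructed sample register: one clean row and three with problems.
SAMPLE_REGISTER = [
    {"name": "Marketing brochure", "owner": "Marketing Lead",
     "classification": "public", "personal_data": False, "last_reviewed": date(2024, 3, 1)},
    {"name": "Payroll export", "owner": "",
     "classification": "confidential", "personal_data": True, "last_reviewed": date(2024, 3, 1)},
    {"name": "Customer mailing list", "owner": "Sales Lead",
     "classification": "public", "personal_data": True, "last_reviewed": date(2022, 1, 15)},
    {"name": "Onboarding process", "owner": "HR Lead",
     "classification": "restricted", "personal_data": False, "last_reviewed": date(2024, 3, 1)},
]

if __name__ == "__main__":
    for asset, finding in check_register(SAMPLE_REGISTER):
        print(f"{asset}: {finding}")
```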

Top 3 ISO27001 Annex A 5.12 Mistakes People Make

The top 3 mistakes people make for ISO27001 Annex A 5.12 are:

#1 Your information assets are not marked with classification

You have an information classification scheme, but you have not marked up your information assets in a way that clearly and readily indicates their level of classification. If a document is a confidential document, have the word confidential on it. Consider the use of metadata.

#2 Making the classification too complicated

It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The simpler it is, the easier it is to manage. Remember we are using classification to help us allocate our limited resources to the protection of the things we care most about. Having excessive classification levels such as public, internal public, internal confidential, confidential secret and top secret rarely adds any value. The administration needed to implement them is just too much.

#3 Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no stray comments left in them are all good practices.

Why is ISO27001 Annex A 5.12 Important?

ISO27001 Annex A 5.12 Classification of Information is important because we want to protect what is most important to us. We want to put the right levels of controls around our information without stopping us from doing our work. Putting the most sophisticated information security around a public-facing marketing document, requiring passwords, fingerprints and biometrics before a customer can access it, makes no sense. Common sense is key. In addition to this we have limited resources in both time and money, and spending those resources wisely to protect the things we hold most dear is sensible. The job of information security is the protection of the confidentiality, integrity and availability of data; it is not the job of information security to stop people doing their job or to tell them what is important to them. It is helping them protect what they think is important in a way that meets their needs, in a pragmatic and thought-out way.

ISO27001 sets out 4 levels of classification – so I need all 4 right?

No, you do not. The 4 levels of classification in ISO27001 5.12 are explicitly stated as an example, and the standard says a scheme ‘can’ be based on them. It is not the only way, or the required way; it is the example they give. For full reference the guidance is here:

a) Disclosure causes no harm;

b) Disclosure causes minor reputational damage or minor operational impact;

c) Disclosure has a significant short-term impact on operations or business objectives;

d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

It is not a bad example. It is just another layer of complexity to manage. You then have to define what you mean by words like ‘minor’ and ‘short-term’. Do what is right for you, but do not over-complicate it.

ISO27001 Annex A 5.12 FAQ

What policies do I need for ISO27001 Annex A 5.12 Classification of Information?

For ISO27001 Annex A 5.12 Classification of Information you will need the ISO27001 Information Classification and Handling Policy: https://hightable.io/product/information-classification-and-handling-policy-template/

Who decides the classification level of information?

The data asset owner / information owner is responsible for defining the classification level of the information.

Do I need to mark up information with its level of classification?

Yes, information should clearly display its level of classification. You can also consider the use of metadata and metadata tags.

Are there free templates for ISO27001 Annex A 5.12?

There are templates for ISO27001 Annex A 5.12 located here: https://hightable.io/iso-27001-toolkit/

ISO27001 Annex A 5.12 sample PDF?

ISO27001 Annex A 5.12 Sample PDF: https://hightable.io/iso-27001-toolkit/

Do I have to satisfy ISO27001 Annex A 5.12 for ISO27001 Certification?

Yes. Whilst the ISO27001 Annex A controls are considered for inclusion in your Statement of Applicability, there is no reason we can think of that would allow you to exclude ISO27001 Annex A 5.12 Classification of Information. Classifying data and information is a fundamental part of any information security defence and control. It is a fundamental part of any information security management system. It is explicitly required for ISO27001.

Can I write policies for ISO27001 Annex A 5.12 myself?

Yes. You can write the policies for ISO27001 Annex A 5.12 yourself. You will need a copy of the standard and approximately 3 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require as well as the policy for role-based access control. Alternatively you can download them here: https://hightable.io/iso-27001-toolkit/

Where can I get templates for ISO27001 Annex A 5.12?

ISO27001 templates for ISO27001 Annex A 5.12 are located here: https://hightable.io/iso-27001-toolkit/

How hard is ISO27001 Annex A 5.12?

ISO27001 Annex A 5.12 is one of the harder aspects of information security to get right. It can take a lot of time if you are doing it yourself as there is a lot to consider. We recommend templates to fast track your implementation.

How long will ISO27001 Annex A 5.12 take me?

ISO27001 Annex A 5.12 will take approximately 5 days to complete if you are starting from nothing and doing it yourself. With an ISO27001 Template Toolkit it should take you less than 1 day.

How much will ISO27001 Annex A 5.12 cost me?

The cost of ISO27001 Annex A 5.12 will depend on how you go about it. If you do it yourself it will be free, but it will take you about 5 days, so the cost is the lost opportunity cost of tying up resource doing something that can easily be downloaded. If you download an ISO27001 Policy Template toolkit then you are looking at a couple of hundred pounds / dollars.

What are the 3 levels of information classification?

The most common levels of information classification are public, internal and confidential.

What are the 4 levels of information classification recommended by ISO27001 5.12?

To spice things up, the 2022 update added another recommended level of classification by way of guidance. It is guidance only, and the 4 levels in ISO27001 5.12 are:

a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

Matrix of controls and attribute values

Control type: #Preventive
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify
Operational capabilities: #Information_Protection
Security domains: #Protection #Defence

Reference

ISO/IEC 27001 Information Security Management
