ISO 27001 Annex A 5.12 Classification Of Information


ISO 27001 Classification Of Information

In this ultimate guide to ISO 27001 Annex A 5.12 Classification Of Information you will learn

  • What is ISO 27001 Annex A 5.12
  • How to implement ISO 27001 Annex A 5.12

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 5.12 Classification Of Information?

ISO 27001 Annex A 5.12 Classification of Information is an ISO 27001 control that requires an organisation to classify its information based on the needs of the organisation and of relevant interested parties.

ISO 27001 Annex A 5.12 Purpose

The purpose of ISO 27001 Annex A 5.12 is to ensure the identification and understanding of the protection needs of information in accordance with its importance to the organisation.

ISO 27001 Annex A 5.12 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.12 as:

Information should be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

ISO 27001 Annex A 5.12 Implementation Guide

You have options when it comes to classifying your information. The preferred option is to keep it as simple as possible. For the majority of organisations we recommend a simple, three-tier approach to information classification. As with all aspects of information security you must take into consideration the needs of your customers. Some customers, such as government departments, may have a classification scheme that they expect you to adopt and implement. If this is the case, follow their lead. For everyone else, keep it simple.

The 3 levels of information classification

The 3 levels of information classification are:

Public

What is public information? Public information is information whose disclosure causes no harm and that can be shared with anyone. It requires the least confidentiality protection, although integrity and availability still matter: a defaced website or a tampered price list is still a security incident. Examples of public information include sales materials, marketing, website content and general announcements.

Internal

What is internal information? Internal information is information intended for people inside the organisation, whose disclosure would cause minor harm, embarrassment or operational inconvenience but nothing serious. Examples of internal information would be your business processes, communications aimed at employees and business updates.

Confidential

What is confidential information? Confidential information is information whose disclosure would cause significant harm to the organisation or to the people it concerns, or that is protected by law, regulation or contract. Examples of confidential information are the personal details of customers and employees, payroll information, source code and intellectual property.

Once you have defined your information classification levels you are going to implement them. To do this you are going to

Have an Information Classification and Handling Policy

Have an Information Classification and Handling Policy that clearly sets out your levels of information classification and exactly what must be done for each level. This information classification policy template is a life saver. Whilst it was always best practice, the requirement for a topic-specific policy became explicit in the 2022 update.

Have a classification scheme

The classification scheme has to take into account the confidentiality, integrity and availability requirements.

Base it on business need

The needs of the business are paramount, and classifications and controls should take those needs into account. Consider what information needs to be shared and what needs to be restricted, the availability requirements for the information, and the protection of its integrity.

When you assess the legal and regulatory requirements and create your legal register you are identifying the laws that apply to you and that impact information security. Make sure those legal requirements are considered and baked into your information classification scheme and controls. Legal requirements always take priority over your own classification.

Information Owners decide the classification

The owners of the information are responsible for the classification of the information.

Review and update information classification

Information changes over time in context, use and value. The classification of information should be reviewed regularly, at least annually and whenever significant changes occur.

Align to the topic specific policy requirement for access control

The standard explicitly calls out alignment with the topic-specific policy on access control. Access control is directly driven by information classification: the classification level is what tells you who should be allowed to see, change or share the information.

Be consistent across the organisation

Everyone in the organisation should be consistent in following the information classification and applying it. Everyone classifies information in the same way. Everyone has a common understanding of the protection requirements and applies controls and protection in a common way.

Be Consistent between Organisations

As different organisations have different schemes and approaches, you will need to put in place a mechanism to ensure consistency between the schemes used. This will be dependent on use and context, but the idea is that you have an agreement on the interpretation of classifications and classification levels, for example a mapping that says your "Confidential" corresponds to a partner's "Restricted".

In addition

  • Put in place an information classification process that describes exactly what you do through the information management lifecycle
  • Keep a data asset register up to date that shows who is allocated what asset and what level of classification the data is – which we covered in ISO 27001 Annex A 5.9 Inventory Of Information And Other Associated Assets Beginner’s Guide
  • Follow best practice and your information classification policy for marking data with its classification. This can be visually on the data but also it can be in the meta data. You need to be able to identify the classification level of the information.
  • Put in place controls appropriate to the level of information classification and based on the risk to the business.
  • Communicate your information classification approach to employees. A great way to do this is with this simple one page information classification summary.

ISO 27001 Classification of Information Templates

These ISO 27001 Templates are designed specifically to save you time and effort. These ISO 27001 templates take over 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

How to comply with ISO 27001 Annex A 5.12

To comply with ISO 27001 Annex A 5.12 you are going to implement the 'how' for the 'what' the control is expecting. In short, you are going to

  • Decide on your information classification scheme
  • Have a data asset register
  • Assign owners to the data assets
  • Have the data owners decide on the classification level of the information
  • Put in place controls to protect the information that are based on the classification

How to pass an audit of ISO 27001 Annex A 5.12

To pass an audit of ISO 27001 Annex A 5.12 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Let's go through them.

1. That information classification has been defined

The audit will check that you have clearly defined your information classification scheme. It will want to see the levels of classification that you have adopted and what each means. The audit will review the types of information covered by each classification level. It will then check that the controls in place to protect information at each level are appropriate to that level. It will check that information is clearly marked with its level of classification.

2. There is an up to date asset register

The asset register will be checked to see that it meets the requirements of the standard and as a minimum that assets are allocated to owners. They will want to see that the owners have defined the level of classification and the level of classification is documented and communicated.

3. That data protection has been considered

Irrespective of where you are in the world, data protection laws and regulations will apply to you to a greater or lesser degree. When defining your information classification levels, be sure to include those data protection requirements. The main example of this is the classification of special category data as confidential. Any personal data will be expected to be protected and must not be classified as public. Seek specialist help where required.
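The three audit checks above lend themselves to an automated pre-audit pass over the asset register. The following Python is an added example, not a template from this page or from the toolkit: it reads a constructed CSV register (the column names are an assumption, not the toolkit's layout), applies the three-tier scheme recommended on this page, and flags every asset with no owner, a classification outside the scheme, personal data classified Public, or a classification not reviewed within the last 12 months.

```python
"""Pre-audit check of an information asset register against the
classification rules discussed on this page. Added example; the register
below is constructed and the column names are an assumption."""
import csv
import io
from datetime import date, timedelta

# The simple three-tier scheme recommended above.
LEVELS = ("Public", "Internal", "Confidential")

# Constructed sample register (not real data). One row per information asset.
SAMPLE_REGISTER = """\
asset,owner,classification,contains_personal_data,last_reviewed
Website content,Marketing Lead,Public,no,2024-09-01
Employee handbook,HR Manager,Internal,no,2024-03-15
Payroll export,Finance Director,Confidential,yes,2024-06-30
Customer mailing list,,Public,yes,2023-01-10
Release roadmap,CTO,Restricted,no,2024-08-01
"""


def check_register(rows, today, review_period_days=365):
    """Return a list of (asset, finding) tuples for every rule that fails.

    Rules, taken from the audit checks above:
      1. every asset has an owner (the owner decides the classification);
      2. the classification is one of the defined levels;
      3. personal data is never classified Public;
      4. the classification has been reviewed within the last 12 months.
    """
    findings = []
    for row in rows:
        name = row["asset"].strip()
        level = row["classification"].strip()
        personal = row["contains_personal_data"].strip().lower() == "yes"

        if not row["owner"].strip():
            findings.append((name, "no owner assigned"))
        if level not in LEVELS:
            findings.append((name, f"classification '{level}' is not in the scheme"))
        if personal and level == "Public":
            findings.append((name, "personal data must not be classified Public"))

        reviewed = row["last_reviewed"].strip()
        if not reviewed:
            findings.append((name, "classification never reviewed"))
        elif today - date.fromisoformat(reviewed) > timedelta(days=review_period_days):
            findings.append((name, "classification review overdue"))
    return findings


def check_csv(text, today_iso):
    """Run check_register over CSV text; today_iso is the audit date (YYYY-MM-DD)."""
    return check_register(csv.DictReader(io.StringIO(text)), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset, finding in check_csv(SAMPLE_REGISTER, "2024-12-01"):
        print(f"{asset}: {finding}")
```

Run against the constructed register with an audit date of 2024-12-01 it reports four findings: the customer mailing list has no owner, holds personal data yet is marked Public, and has not been reviewed since 2023; the release roadmap uses a level ("Restricted") that is not in the scheme. Swap in your own CSV export and your own LEVELS tuple to get the same list before the auditor does.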

Top 3 Mistakes People Make for ISO 27001 Classification of Information

The top 3 Mistakes People Make For ISO 27001 Annex A 5.12 are

1. Your information assets are not marked with classification

You have an information classification scheme but you have not marked up your information assets in a way that clearly and readily indicates their level of classification. If a document is confidential, put the word confidential on it. Consider also using metadata, so that tooling (access controls, data leakage prevention, mail gateways) can read the classification as well as people.

2. Making the classification too complicated

It can be easy to get carried away and think you need many levels of classification. This is rarely the case. Keep it simple. The simpler it is, the easier it is to manage. Remember that we are using classification to help us allocate our limited resources to the protection of the things we care most about. Sprawling classification levels such as public, internal public, internal confidential, confidential secret and top secret rarely add any value. The administration needed to implement them is just too much.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no unresolved comments left in them are all good practices.

Why is ISO 27001 Classification of Information Important?

ISO 27001 Annex A 5.12 Classification of Information is important because we want to protect what is most important to us. We want to put the right levels of controls around our information without stopping ourselves from doing our work. Putting the most sophisticated information security around a public-facing marketing document, requiring passwords and fingerprints and biometrics before a customer can access it, makes no sense. Common sense is key. In addition, we have limited resources in both time and money, and spending those resources wisely to protect the things we hold most dear is sensible. The job of information security is the protection of the confidentiality, integrity and availability of data. It is not the job of information security to stop people doing their jobs or to tell them what is important to them. It is to help them protect what they think is important in a way that meets their needs, pragmatically and with thought.

ISO 27001 sets out 4 levels of classification – so I need all 4 right?

No, you do not. The 4 levels of classification in the ISO 27001 Annex A 5.12 guidance (which sits in ISO/IEC 27002:2022) are explicitly stated as an example. The word used is example, and the wording is that the scheme 'can' be based on the 4 levels. It is not the only way, or the required way; it is the example they give. For full reference the guidance is here:

a) Disclosure causes no harm;

b) Disclosure causes minor reputational damage or minor operational impact;

c) Disclosure has a significant short-term impact on operations or business objectives;

d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

It is not a bad example. It is just another layer of complexity to manage. You then have to define what you mean by words like 'minor' and 'short-term'. Do what is right for you, but do not over-complicate it.

ISO 27001 Annex A 5.12 Classification of Information FAQ

What policies do I need for ISO 27001 Annex A 5.12 Classification of Information?

For ISO 27001 Annex A 5.12 Classification of Information you will need the ISO 27001 Information Classification and Handling Policy

Who decides the classification level of information?

The data asset owner / information owner is responsible for defining the classification level of the information.

Do I need to mark up information with its level of classification?

Yes, information should clearly display its level of classification. You can also consider the use of metadata and metadata tags.

Are there free templates for ISO 27001 Annex A 5.12?

There are templates for ISO 27001 Annex A 5.12 located in the ISO 27001 Toolkit.

ISO 27001 Annex A 5.12 sample PDF?

ISO 27001 Annex A 5.12 Sample PDF in the ISO 27001 Toolkit.

Do I have to satisfy ISO 27001 Annex A 5.12 for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A controls are assessed for inclusion in your Statement of Applicability, there is no reason we can think of that would justify excluding ISO 27001 Annex A 5.12 Classification of Information. Classifying data and information is a fundamental part of any information security defence and control, and a fundamental part of any information security management system. It is explicitly required for ISO 27001.

Can I write polices for ISO 27001 Annex A 5.12 myself?

Yes. You can write the policies for ISO 27001 Annex A 5.12 yourself. You will need a copy of the standard and approximately 3 days of time to do it. It would be advantageous to have a background in information security management systems. There are a number of documents you will require, as well as the policy for role-based access control. Alternatively you can download them from the ISO 27001 Toolkit.

Where can I get templates for ISO 27001 Annex A 5.12?

ISO 27001 templates for ISO 27001 Annex A 5.12 are located in the ISO 27001 Toolkit.

How hard is ISO 27001 Annex A 5.12?

ISO 27001 Annex A 5.12 is one of the harder aspects of information security to get right. It can take a lot of time if you are doing it yourself as there is a lot to consider. We recommend templates to fast track your implementation.

How long will ISO 27001 Annex A 5.12 take me?

ISO 27001 Annex A 5.12 will take approximately 5 days to complete if you are starting from nothing and doing it yourself. With an ISO 27001 Template Toolkit it should take you less than 1 day.

How much will ISO 27001 Annex A 5.12 cost me?

The cost of ISO 27001 Annex A 5.12 will depend on how you go about it. If you do it yourself it will be free, but it will take you about 5 days, so the real cost is the opportunity cost of tying up resource on something that can easily be downloaded. If you download an ISO 27001 Policy Template toolkit then you are looking at a couple of hundred pounds / dollars.

What are the 3 levels of information classification?

The most common levels of information classification are public, internal and confidential.

What are the 4 levels of information classification recommended by ISO 27001 Annex A 5.12?
The 2022 update carries an example four-level scheme in its guidance. It is guidance only, and the 4 levels of ISO 27001:2022 5.12 are:

a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

Is there an online ISO 27001?

Yes, there is an online ISO 27001 at ISO 27001 Online.

ISO 27001 controls and attribute values

Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify
Operational capabilities: Information Protection
Security domains: Protection, Defence

ISO 27001 QUICK LINKs

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing