
ISO27001:2022 - A5.12 Classification of information

Updated: May 14

We said previously that you can’t protect what you don’t understand, and in part it is also true that you can’t protect everything! So how do you know what is important? And if everything is important, then how do you know what to protect first?!


This is why ISO27001 requires you to apply a classification scheme to information, based on a very common information security concept: Confidentiality, Integrity and Availability.


What does the standard require?

The standard states that “Information shall be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.” (A5.12 Classification of information)


Why is this required?

Not all data is the same, and therefore it will be treated differently. For example, HR data might be considered sensitive because you are processing payroll, proof of ID (like passports), and sickness and health information. HR data should therefore be managed more carefully than, perhaps, your marketing materials, which would contain relatively generic information that can be shared with the public.


Without classifying information, you are forced to apply the same level of security and control to everything. This will be problematic and will ultimately lead to the failure of your security programme. To put it simply, you’ll either have to set a high degree of control over everything, which could stifle your business, or set a low bar and run the risk of a data breach. Either way, your programme will fail your ISO27001 audit.


What the auditor is looking for

Although it isn’t stated in the control, the auditor will be looking for some form of documented classification scheme. This scheme will set different levels of security for information based upon your needs, but aligned to confidentiality, integrity and availability. You should give the different classification levels names that make sense to you and your business, but in our experience the following simple classification scheme works exceptionally well.


  • Highly confidential

  • Confidential

  • Internal Protected

  • Public


For each of the above you can provide examples of the kinds of information that would fall into each category. You would then describe how that data would be protected in that classification. For example, you might say that information that falls into the category of ‘Highly Confidential’ needs to be encrypted, and cannot be shared externally without board level agreement. You would then provide some examples of what would be classified as highly confidential (e.g. personal data, company sales reports, IP schematics etc.).


To get to this level of understanding you should consider the criticality of the information based around Confidentiality, Integrity and Availability. For example:


  • How important is it to protect the information from unauthorised access?

  • How important is it to protect from unauthorised modification, alteration or interception?

  • How important is it to have this information available? And how difficult would it be to replicate it?


Grade each one ‘High, Medium, Low’, then see which scores ‘high’ across the board. Once you have this understanding you can decide what classification to apply to it.


A simple way to present this is to create a spreadsheet with the above classifications and scoring, and outline:


  • How information will be handled electronically

  • How information will be destroyed or disposed of

  • Examples of data in this category


If you can tie this into your ‘Records of Processing Activities’ (RoPA), which we discussed when you were putting your Asset Register together (A5.9 - Inventory of Information and Other Associated Assets), then this will help enormously. It shows that you are embedding the classification into your business. Of course, it’s important to note that the RoPA is more focused on personal data, so don’t neglect company information too, but being able to reference your RoPA is a great indicator to the auditor that you’re taking appropriate steps to categorise (or classify) information.


ISO 27001 Q & A

How many levels should we have in the Classification?

There’s no pre-defined rule for this, but we always suggest that you keep it simple. You can use the scheme outlined above, or use any that makes sense to you and your organisation.


Is it possible to get this wrong?

Again, if you overly complicate this, then people won’t use it. Keep it simple.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little, if any, technical skill to understand the requirement. This control needs a documented classification scheme.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship to other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.
