What is information classification and how is it relevant to ISO 27001?

Information classification is the process of ensuring that information assets receive a level of protection appropriate to their value and sensitivity. Organisations do this by assessing the value of each asset, assigning it a classification, and applying the handling rules that go with that classification.

This process will be familiar to anyone who has implemented ISO 27001, as it forms the basis of control objective A.7.2, Information Classification, in the Annex A of ISO 27001:2005 (the same control is numbered A.8.2 in the 2013 edition and A.5.12 in the 2022 edition).

Organisations can meet this requirement by developing a set of guidelines for classifying information and for handling it once classified. For example, an organisation might define three levels of classification (unclassified, internal and restricted), give examples of each in its classification guidelines, and specify the measures that must be in place before information at each level crosses the organisation’s physical or logical boundary.

A surprisingly tricky job

Classifying data is repetitive and time consuming. Two of the most common methods are manually adding classification labels in Microsoft Word or other applications, and using physical measures such as stamps to mark each document.

With either method it is easy to mislabel a document or skip it altogether. Organisations need to recognise these risks and address them in their classification guidelines, for example by having a second person check the classification or by combining both methods.

