Understanding Information Classification in ISO 27001
Information classification is a cornerstone of information security management, yet often misunderstood. Historically, it was the first managed element of information security. Governments, militaries, and corporations labeled their information as confidential long before computers existed. The process, however, has remained somewhat of a mystery.
This guide outlines how information classification works and how to make it compliant with ISO 27001, the leading information security standard. While classification can follow other criteria, this guide focuses on confidentiality, the most common way to specify information classification levels.
The Four-Step Process for Classifying Information
Good practice for classifying information involves the following steps:
1. Entering the asset in the inventory of assets
2. Classification of information
3. Information labeling
4. Information handling
Step-by-Step Process
Entering the Asset in the Inventory
The goal is to know what information you possess and who is responsible for it. Information can exist in various forms and types of media, such as:
- Electronic documents
- Information systems/databases
- Paper documents
- Storage media (e.g., disks, memory cards)
- Verbally transmitted information
- Email
Classification of Information
Classify information based on its sensitivity and importance. Higher classification levels indicate more critical information. This helps prioritize protection efforts, enhancing security and regulatory compliance. The most common attribute for classification is confidentiality, although integrity and availability can also be used.
Responsibility: The asset owner typically classifies information based on risk assessment results. The higher the consequence of breaching confidentiality, the higher the classification level.
Defining Confidentiality Levels: ISO 27001 does not prescribe specific classification levels. Develop levels based on what’s common in your country or industry. For example, a mid-size organization might use:
- Confidential (highest level)
- Restricted (medium level)
- Internal use (lowest level)
- Public (everyone can see the information)
Information Labeling
After classification, label the information appropriately. Develop labeling guidelines for each type of information asset. For example, a paper document’s confidentiality level could be indicated in the top right corner of each page, on the document cover or envelope, and on the filing folder.
Information Handling
Develop rules to protect each type of asset based on its confidentiality level. For instance, paper documents classified as Restricted should be locked in a cabinet, transferred in a closed envelope, and mailed with a return receipt service if sent outside the organization.
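The four steps above, as an added audit script that is not part of the original guide or of the standard: it walks an asset inventory and reports assets with no owner, no classification, a level below what the breach impact implies, a label that does not match the level, or no handling rule for that level and media. The 1-4 impact scale, the Asset fields and the sample data are assumptions constructed for illustration.

```python
"""Audit an information-asset inventory against the four-step process
(inventory -> classify -> label -> handle). Example added to this guide,
not ISO 27001 text; thresholds and sample assets are constructed."""
from dataclasses import dataclass
from typing import Optional

# Levels from lowest to highest, as in the mid-size organisation example.
LEVELS = ["Public", "Internal use", "Restricted", "Confidential"]

@dataclass
class Asset:
    name: str
    media: str                     # e.g. "paper", "electronic", "email"
    owner: Optional[str]           # responsible asset owner
    breach_impact: int             # risk assessment result, assumed 1 (low) to 4 (severe)
    level: Optional[str] = None    # classification assigned by the owner
    label: Optional[str] = None    # marking actually applied to the asset

def classify(breach_impact: int) -> str:
    """Higher consequence of a confidentiality breach -> higher level (assumed mapping)."""
    return LEVELS[max(0, min(breach_impact, len(LEVELS)) - 1)]

def audit(assets: list[Asset], handling_rules: dict[tuple[str, str], str]) -> list[str]:
    """Return one finding per gap in ownership, classification, labeling or handling."""
    findings = []
    for a in assets:
        if not a.owner:
            findings.append(f"{a.name}: no asset owner recorded")
        if a.level is None:
            findings.append(f"{a.name}: not classified")
            continue
        expected = classify(a.breach_impact)
        if LEVELS.index(a.level) < LEVELS.index(expected):
            findings.append(f"{a.name}: classified {a.level} but impact implies {expected}")
        if a.label != a.level:
            findings.append(f"{a.name}: label {a.label!r} does not match level {a.level!r}")
        if (a.level, a.media) not in handling_rules:
            findings.append(f"{a.name}: no handling rule for {a.level} on {a.media}")
    return findings

# Constructed sample data: one compliant asset, one with several gaps.
SAMPLE_ASSETS = [
    Asset("HR contracts", "paper", "HR manager", 3, "Restricted", "Restricted"),
    Asset("Board minutes", "email", None, 4, "Internal use", "Public"),
]
SAMPLE_RULES = {("Restricted", "paper"): "locked cabinet; closed envelope; return receipt if mailed"}

if __name__ == "__main__":
    print(*audit(SAMPLE_ASSETS, SAMPLE_RULES), sep="\n")
```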
Examples of Information Classification Levels
Larger and more complex organizations may have multiple confidentiality levels. For example, NATO uses:
- Cosmic Top Secret
- NATO Secret
- NATO Confidential
- NATO Restricted
- NATO Unclassified
- NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC
In specific situations where all of an organization’s information is of similar importance, a single classification level may suffice. Both single and multiple levels are acceptable under ISO 27001.
ISO 27001 Compliance
ISO 27001 does not prescribe exact rules for information classification, labeling, or handling. This flexibility allows you to create a classification process tailored to your needs while ensuring your information is protected.