
ISO27001 & Information Classification – Common Questions

Posted on December 9th, 2024 | Written by Ken Holmes.

One of the areas we are asked most questions about is the information classification requirements of the ISO/IEC 27001:2022 standard. To be specific, this is mainly covered by a pair of reference controls within Annex A, section A.5 Organisational controls, which cover classification of information (control A.5.12) and labelling of information (control A.5.13) within the scope of your Information Security Management System (ISMS).

The questions we are most commonly asked are the following:

  1. What classifications should we use?

  2. How should we go about labelling our information?

  3. What kind of handling procedures do we need?

Let’s take each of these in turn and try to shed some light on the subject.

1. What classifications should we use?

The ISO/IEC 27001 standard doesn’t say much about information classification (although the ISO/IEC 27002 guidance publication has some useful tips) so the details of how you implement the control are pretty much left up to you. The first decision to make is how many levels of classification to have. It’s tempting to over-complicate this in order to reflect the various nuances of your information, but our advice would be to resist this temptation and stick to the lowest number you can reasonably get away with. The trend amongst governments is in this direction, with the UK having recently reduced its classification levels from five to three (Official, Secret and Top Secret), so you’ll be in good company. This doesn’t include information that isn’t classified at all, often referred to as “Public” and which doesn’t need to be protected or labelled.

The choice of names for your classification levels is also up to you. Some of the most common choices are (listed from highest to lowest):

  • Top secret

  • Secret

  • Confidential

  • Restricted

  • Protected

  • Internal Use Only

Names chosen should be appropriate to your organisation and a clear definition given of what they mean in practical terms.

2. How should we go about labelling our information?

Having decided what you’re going to call your classification levels, how do you make it clear to everyone involved which information carries which level? Often organisations feel slightly overwhelmed with the thought that they have to suddenly label every single electronic and paper document they have, whilst working out what to do with data held in computer systems too.

The key here is to define an approach that addresses the important stuff first and puts a stake in the ground so that labelling starts from a specified point. Look to label the really confidential, high-value information first as this is likely to be a much smaller volume than the day-to-day less sensitive information. This requires you to have an accurate asset inventory (control A.5.9 Inventory of information and other associated assets) so that you know what you’re dealing with. An approach that begins to label all new assets from a certain date will make you feel you are starting to get some control over the issue, whilst considering how to address the historical items. Information assets should have owners and they are the ones who should be looking at labelling so it’s not all down to a single person or department to achieve it; spread the load as much as possible.

Grouping items with the same classification level will also help to make things clear without a huge administrative overhead. Perhaps everything held in a particular room is confidential, in which case locking the door and labelling the room as such will be enough to meet the need. You may need to invest in a stamp for existing paper copies that need to be individually labelled, but items that are printed in the future should obviously be electronically labelled using headers, footers, watermarks etc.

There are software tools available to help you with this task. These can use metadata to reflect classification level and then prevent certain types of documents being used in particular ways according to a defined policy e.g. confidential documents should not be emailed outside the organisation. The Microsoft 365 environment also offers some useful tools if you invest in the right subscription.

For data held in computer systems, databases etc., you will need to consider how to label it whilst it is in place and also when it needs to go anywhere, e.g. when printed or extracted onto removable media. Warning messages at logon and procedural controls are probably your best approaches here.

3. What kind of handling procedures do we need?

Having classified and labelled our assets, we also need to make sure that they remain appropriately protected throughout their lives, particularly if they go beyond the organisation’s boundaries, e.g. to another location via courier or to a third party via electronic transfer. This is really about understanding the ways in which your information assets are used and ensuring that procedures are in place to keep them secure. Again, starting with the highest level assets is usually a good idea. This is an area that has produced many notorious public breaches, with government departments losing sensitive information such as names, addresses and tax records, sometimes in unencrypted form.

So think about whether your information is saved onto other media, printed, transmitted, emailed or otherwise processed in a way that makes a procedure necessary.
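As an added illustration (not code from the original post or from CertiKit), here is a small Python handling check of the kind the labelling tools above implement: it reads a document's classification label from its metadata, works out which channel an outbound action uses, and allows or blocks it against a per-channel policy, failing closed on unknown labels and channels. The level names, channels, the internal domain example.com and the policy ceilings are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Levels ordered from lowest to highest sensitivity (assumed names taken from
# the post's list); unlabelled information is treated as "Public".
LEVELS = ["Public", "Internal Use Only", "Confidential", "Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Handling policy (assumed): the highest level permitted on each channel.
# Channels that cross the organisation's boundary get a lower ceiling.
POLICY = {
    "email-internal": "Secret",
    "email-external": "Internal Use Only",
    "email-external-encrypted": "Confidential",
    "removable-media": "Internal Use Only",
    "print": "Confidential",
}
INTERNAL_DOMAINS = {"example.com"}  # assumed organisation domain


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_handling(metadata: dict, channel: str) -> Decision:
    """Decide whether a document may be handled via `channel`.
    `metadata` is a document's metadata dict; the label lives under
    the (assumed) key "classification". Unknown labels or channels are
    blocked rather than guessed."""
    label = str(metadata.get("classification", "Public")).strip()
    if label not in RANK:
        return Decision(False, f"unknown classification label {label!r}")
    ceiling = POLICY.get(channel)
    if ceiling is None:
        return Decision(False, f"no handling rule defined for channel {channel!r}")
    if RANK[label] <= RANK[ceiling]:
        return Decision(True, f"{label} may be handled via {channel}")
    return Decision(False, f"{label} exceeds the {ceiling} ceiling for {channel}")


def check_email(metadata: dict, recipients: list, encrypted: bool = False) -> Decision:
    """Map recipient domains onto an email channel, then apply the policy."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if not external:
        channel = "email-internal"
    else:
        channel = "email-external-encrypted" if encrypted else "email-external"
    return check_handling(metadata, channel)
```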

Final thoughts

Of all of the ISO/IEC 27001 reference controls, the ones to do with classification can be the hardest to put in place. What’s needed is a clear approach that uses common sense to protect the most important assets first, whilst recognising that it’s going to be quite a long journey which will probably never end. But be in no doubt that this should be a fundamental building block of your information security strategy, underpinning many other controls such as access management, physical security and cryptography so it’s worth spending the time to get it right.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
