Blog ISO27001 & Information Classification – Common Questions

1. What classifications should we use?

The ISO/IEC 27001 standard doesn’t say much about information classification (although the ISO/IEC 27002 guidance publication has some useful tips) so the details of how you implement the control are pretty much left up to you. The first decision to make is how many levels of classification to have. It’s tempting to over-complicate this in order to reflect the various nuances of your information, but our advice would be to resist this temptation and stick to the lowest number you can reasonably get away with. The trend amongst governments is in this direction, with the UK having recently reduced its classification levels from five to three (Official, Secret and Top Secret), so you’ll be in good company. This doesn’t include information that isn’t classified at all, often referred to as “Public” and which doesn’t need to be protected or labelled.

Choice of names for your classification levels are also up to you. Some of the most common choices are (listed from highest to lowest):

• Top secret
• Secret
• Confidential
• Restricted
• Protected
• Internal Use Only

Names chosen should be appropriate to your organization and a clear definition given of what they mean in practical terms.

2. How should we go about labelling our information?

Having decided what you’re going to call your classification levels, how do you make it clear to everyone involved which information carries which level? Often organizations feel slightly overwhelmed with the thought that they have to suddenly label every single electronic and paper document they have, whilst working out what to do with data held in computer systems too.

The key here is to define an approach that addresses the important stuff first and puts a stake in the ground so that labelling starts from a specified point. Look to label the really confidential, high-value information first as this is likely to be a much smaller volume than the day-to-day less sensitive information. This requires you to have an accurate asset inventory (control A.5.9 Inventory of information and other associated assets) so that you know what you’re dealing with. An approach that begins to label all new assets from a certain date will make you feel you are starting to get some control over the issue, whilst considering how to address the historical items. Information assets should have owners and they are the ones who should be looking at labelling so it’s not all down to a single person or department to achieve it; spread the load as much as possible.

Grouping items with the same classification level will also help to make things clear without a huge administrative overhead. Maybe everything held in a particular room is confidential and locking the door and labelling it as such will be enough to meet the need. You may need to invest in a stamp for existing paper copies that need to be individually labelled, but obviously items that are printed in the future should be electronically labelled using headers, footers, watermarks etc.

There are software tools available to help you with this task. These can use metadata to reflect classification level and then prevent certain types of documents being used in particular ways according to a defined policy e.g. confidential documents should not be emailed outside the organization. Some examples of these tools are Boldon James, Titus and Digital Guardian. The Microsoft 365 environment also offers some useful tools if you invest in the right subscription.

For data held in computer systems and databases etc. you will need to consider how to label it whilst it’s in place and also if it needs to go anywhere e.g. printed or extracted onto removable media. Warning messages at logon and procedural controls are probably your best approaches here.

3. What kind of handling procedures do we need?

Having classified and labelled our assets, we also need to make sure that they remain appropriately protected throughout their lives, particularly if they go beyond the organization’s boundaries e.g. to another location via courier or to a third party via electronic transfer. This is really about understanding the ways in which your information assets are used and ensuring that procedures are in place to keep them secure. Again, starting with the highest level assets is usually a good idea. This is an area in which there have been many notorious public breaches to do with government departments with sensitive information such as names, addresses and tax information going missing, sometimes in unencrypted form.

So think about whether your information is saved onto other media, printed, transmitted, emailed or otherwise processed in a way that makes a procedure necessary.

Final thoughts

Of all of the ISO/IEC 27001 reference controls, the ones to do with classification can be the hardest to put in place. What’s needed is a clear approach that uses common sense to protect the most important assets first, whilst recognizing that it’s going to be quite a long journey which will probably never end. But be in no doubt that this should be a fundamental building block of your information security strategy, underpinning many other controls such as access management, physical security and cryptography so it’s worth spending the time to get it right.

Editor’s note: The original post was published in August 2017, and updates have been made in November 22 to reflect the new 2022 standard. 

More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources