Classification of Information
Plain English Translation
ISO 27001 Annex A.5.12 requires organizations to categorize their information based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Instead of treating all data equally, you must establish a scheme (e.g., Public, Internal, Confidential) that dictates specific protection rules for each category. This ensures that resources are focused on protecting the most critical assets while preventing unnecessary restrictions on public information.
Technical Implementation
Required Actions (startup)
- Define a simple 3-tier scheme (Public, Internal, Confidential)
- Manually label critical documents and update the Data Management Policy
Required Actions (scaleup)
- Implement automated cloud resource tagging (e.g., 'env:production', 'data:confidential')
- Enforce visual labels in document creation tools (e.g., Microsoft Purview Information Protection)
Required Actions (enterprise)
- Deploy DLP (Data Loss Prevention) rules that block external transmission of 'Confidential' tagged data
- Integrate classification metadata with identity management for dynamic access control decisions
A.5.12 is an organizational control requiring information to be classified based on its sensitivity and criticality to the organization, so that protection levels are applied according to its confidentiality, integrity, and availability needs.
ISO 27001 does not mandate a specific number, but best practice typically involves three or four levels, such as Public, Internal Use, Confidential, and Restricted/Secret, to balance granularity with usability.
Common labels include 'Public' (marketing materials), 'Internal' (policies, phone lists), 'Confidential' (employee records, contracts), and 'Restricted' (merger plans, encryption keys).
The Asset Owner (identified in control A.5.9) is ultimately responsible for classifying the information assets they own, as they best understand the value and sensitivity of the data.
Previously control A.8.2.1 in the 2013 version, the 2022 update renumbers it to A.5.12 under Organizational controls and explicitly adds 'relevant interested party requirements' as a basis for classification.
Auditors check for a documented classification scheme within policies, evidence that assets in the inventory have classification tags, and consistent labelling on sampled documents or digital assets. WatchDog Security's Compliance Center can help track A.5.12 evidence requests and highlight gaps where asset records are missing classification so remediation is measurable.
Start by defining your classification levels (e.g., 1-4); for each level, define the impact of unauthorized disclosure or modification and specify the handling rules (e.g., encryption, sharing and storage requirements); then train staff on how to apply the labels.
Classification acts as the input for Access Control (A.5.15); high-classification data (e.g., Confidential) requires stricter authentication (MFA) and tighter 'need-to-know' restrictions than Public data.
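The handling rules from the previous two answers and the scaleup/enterprise actions above (cloud tags such as 'data:confidential', DLP blocking of external transmission, and classification driving access decisions) can be expressed as one small attribute-based policy. The following is an added example for this page, not WatchDog Security's code and not something ISO 27001 prescribes; the four levels, the per-level rules, the tag keys `data` and `owner`, the helper names and the sample principals and resources are all assumptions made for the illustration.

```python
# Added illustration of a classification-aware policy check. It is not WatchDog Security's
# code and not prescribed by ISO 27001; the four levels, the handling rules, the tag keys
# ('data', 'owner') and the sample principals/resources are all assumptions for this example.
from dataclasses import dataclass

# Ordered scheme: later entries are more sensitive.
LEVELS = ("public", "internal", "confidential", "restricted")

# Handling rules per level (assumed): what each level demands before data is read or moved.
HANDLING = {
    "public":       {"mfa": False, "need_to_know": False, "external_share": True},
    "internal":     {"mfa": False, "need_to_know": False, "external_share": False},
    "confidential": {"mfa": True,  "need_to_know": True,  "external_share": False},
    "restricted":   {"mfa": True,  "need_to_know": True,  "external_share": False},
}


@dataclass
class Resource:
    name: str
    tags: dict          # cloud resource tags, e.g. {"data": "confidential", "owner": "hr"}


@dataclass
class Principal:
    name: str
    clearance: str      # highest level this identity is cleared to read
    groups: frozenset   # need-to-know groups, matched against the resource's 'owner' tag
    mfa: bool           # whether the current session authenticated with MFA


def classification(res: Resource) -> str:
    """Read the level from the 'data' tag. A missing or unknown tag is treated as
    'restricted' so that untagged assets fail closed instead of leaking."""
    level = res.tags.get("data")
    return level if level in LEVELS else "restricted"


def can_read(p: Principal, res: Resource) -> tuple:
    """Attribute-based decision: clearance ordering, then MFA, then need-to-know."""
    level = classification(res)
    rules = HANDLING[level]
    if LEVELS.index(p.clearance) < LEVELS.index(level):
        return (False, f"clearance '{p.clearance}' is below '{level}'")
    if rules["mfa"] and not p.mfa:
        return (False, f"'{level}' data requires an MFA-authenticated session")
    if rules["need_to_know"] and res.tags.get("owner") not in p.groups:
        return (False, "principal is not in the owning group (need-to-know)")
    return (True, f"allowed: '{level}' handling rules satisfied")


def egress_allowed(res: Resource, external: bool) -> bool:
    """DLP-style rule: external transmission is permitted only for levels whose
    handling rules allow external sharing; internal transfers are not restricted here."""
    return (not external) or HANDLING[classification(res)]["external_share"]


def unlabelled(resources) -> list:
    """Inventory check an auditor would sample for: resources lacking a valid 'data' tag."""
    return [r.name for r in resources if r.tags.get("data") not in LEVELS]


# Constructed sample data for the demonstration (not real assets).
PAYROLL = Resource("s3://hr-payroll/2025.csv",
                   {"data": "confidential", "owner": "hr", "env": "production"})
BROCHURE = Resource("s3://web-assets/brochure.pdf", {"data": "public", "owner": "marketing"})
LEGACY = Resource("s3://old-exports/dump.sql", {"env": "production"})   # never classified

if __name__ == "__main__":
    alice = Principal("alice", "confidential", frozenset({"hr"}), mfa=True)
    bob = Principal("bob", "confidential", frozenset({"eng"}), mfa=True)
    for who in (alice, bob):
        print(who.name, "->", PAYROLL.name, can_read(who, PAYROLL))
    print("external transmission of payroll allowed?", egress_allowed(PAYROLL, external=True))
    print("assets needing a classification decision:", unlabelled([PAYROLL, BROCHURE, LEGACY]))
```

Two design choices are worth noting. An unlabelled asset is treated as 'restricted' rather than 'public', so a gap in tagging shows up as a denial that someone has to resolve, which is the behaviour you want when labels have not propagated to every system. The `unlabelled` check is the same query an auditor's sample effectively asks of your inventory, so running it on a schedule gives you a measurable coverage figure rather than a one-off cleanup before the audit.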
Common challenges include over-classifying documents (making everything 'Confidential'), inconsistency in manual labelling by employees, and failing to de-classify information when it is no longer sensitive.
Classification helps identify and label 'Special Category' data (GDPR Article 9) or other personal data as high-risk, triggering the technical and organizational measures required by GDPR Article 32 (such as encryption) and, where processing is likely to result in a high risk, the data protection impact assessment required by Article 35.
Classification efforts often fail when labels exist in one place (like a policy) but don't propagate to the systems and inventories teams actually use, leading to inconsistent tagging and weak audit samples. WatchDog Security's Asset Inventory helps by storing a classification field for information assets and associating it with ownership and system context, making it easier to validate that critical assets are consistently categorized.
Audits usually require you to show the scheme exists, assets are tagged, and the process is repeatable over time—not just that a few documents were labeled on the audit week. WatchDog Security's Compliance Center helps by mapping A.5.12 to required evidence and tracking gaps (for example, missing classification on inventory items), so you can maintain an audit-ready trail of classification coverage and improvements.
"Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |