ISO 27001 Control 5.12 Classification of information

Classifying Information Effectively

Information classification is the bedrock of good data protection. Without knowing what’s sensitive or business-critical, it’s impossible to apply the right level of security. That’s where ISO 27001 Control 5.12 steps in. It helps organisations understand what information needs protection — and to what extent — by defining a clear and consistent classification process.
Purpose of Information Classification

The goal of classifying information is to:

  • Understand what level of protection is needed, and why.
  • Apply appropriate security controls based on how sensitive or critical the information is.
  • Help people handle data consistently and confidently across the organisation.

Classification also ensures that information protection aligns with legal requirements, business risks, and the need for information sharing.


Creating a Practical Classification Scheme

A good classification scheme doesn’t need to be complex — but it must be clear, consistent, and aligned with how your business actually operates. Start with:

1. Define Classification Levels

Use a small number of easy-to-understand levels, such as:

  • Public – OK to share externally.
  • Internal – For internal use only.
  • Confidential – Sensitive information needing protection.
  • Restricted – Highly sensitive, with access limited to specific roles.

These levels can reflect the potential impact if the information were lost, altered, or disclosed without permission.

2. Set Classification Criteria

Base your criteria on:

  • Confidentiality – Would disclosure cause harm?
  • Integrity – Is accuracy and trustworthiness important?
  • Availability – Would downtime cause operational or reputational damage?

3. Consider All Formats and Assets

Apply classification not just to documents, but also to:

  • Databases
  • Emails
  • Devices storing information
  • Physical records
  • System-generated reports

4. Assign Ownership

Every piece of information should have an owner who is responsible for assigning and reviewing its classification. That way, changes in sensitivity over time are tracked and handled appropriately.
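The four steps above can be expressed as a small asset register. The Python below is an added example, not text from the standard or from this article: the level names are the article's, while the 0-3 impact scale, the asset kinds, the owner check and the sample assets are assumptions made for the example. Each asset carries an owner, its level is derived from the highest of its confidentiality, integrity and availability impacts, and every reclassification is recorded so that a change in sensitivity can be traced later.

```python
"""Added example: a small register implementing the four-level scheme above."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    """Ordered so that a higher value always means more protection."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Formats the scheme must cover, not only documents (assumed list for the example).
ASSET_KINDS = {"document", "database", "email", "device", "physical", "report"}


@dataclass(frozen=True)
class Impact:
    """Harm if confidentiality, integrity or availability were breached: 0 (none) to 3 (severe)."""
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for name in ("confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if not 0 <= value <= 3:
                raise ValueError(f"{name} impact must be 0..3, got {value}")


def classify(impact: Impact) -> Level:
    """Highest-impact-wins: one severe criterion is enough to reach RESTRICTED."""
    return Level(max(impact.confidentiality, impact.integrity, impact.availability))


@dataclass
class Asset:
    name: str
    kind: str
    owner: str            # the person or team accountable for the classification
    impact: Impact
    classified_on: date
    # (date, reason, level) entries so changes in sensitivity are traceable
    history: List[Tuple[date, str, Level]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind not in ASSET_KINDS:
            raise ValueError(f"{self.name}: unknown asset kind {self.kind!r}")
        if not self.owner.strip():
            raise ValueError(f"{self.name}: every asset needs an owner")
        self.history.append((self.classified_on, "initial classification", self.level))

    @property
    def level(self) -> Level:
        return classify(self.impact)

    def reclassify(self, new_impact: Impact, reason: str, when: Optional[date] = None) -> Level:
        """Owner-driven review, e.g. when a project ends or content is published."""
        self.impact = new_impact
        self.history.append((when or date.today(), reason, self.level))
        return self.level


def register_by_level(assets: List[Asset]) -> Dict[Level, List[str]]:
    """Group asset names by level: the view an owner or auditor reviews."""
    grouped: Dict[Level, List[str]] = {lvl: [] for lvl in Level}
    for asset in assets:
        grouped[asset.level].append(asset.name)
    return grouped


def build_sample_register() -> List[Asset]:
    """Constructed sample assets for the example, not real data."""
    return [
        Asset("payroll-db", "database", "hr-team", Impact(3, 2, 2), date(2024, 1, 15)),
        Asset("q3-brochure-draft", "document", "marketing", Impact(1, 1, 0), date(2024, 2, 1)),
        Asset("press-release", "document", "comms", Impact(0, 0, 0), date(2024, 2, 10)),
    ]


def demo_reclassification() -> Tuple[Level, Level, int]:
    """Publish the brochure draft: its level drops and the change is on record."""
    brochure = build_sample_register()[1]
    before = brochure.level
    after = brochure.reclassify(Impact(0, 0, 0), "published on website", date(2024, 3, 1))
    return before, after, len(brochure.history)


if __name__ == "__main__":
    for lvl, names in register_by_level(build_sample_register()).items():
        print(lvl.name, names)
    print(demo_reclassification())
```

The highest-impact-wins rule is deliberate: a record whose integrity matters greatly but whose confidentiality does not (a published price list, say) still lands at the level its most serious criterion demands, which is what the three-part criteria in step 2 are for.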


Embedding Classification in Day-to-Day Operations

1. Align with Access Control

Your classification system should tie into how you control access to information (see Control 5.1). The more sensitive the information, the tighter the access restrictions.

2. Train and Communicate

Everyone in the organisation should understand:

  • Why classification matters
  • How to classify new content
  • What to do if something is misclassified

This can be included in onboarding, refresher training, and internal policies.

3. Review and Update Regularly

Classification isn’t a one-off task. Review classifications when:

  • Information changes in value or risk
  • Projects end or shift
  • Content is made public or archived

This prevents “over-classifying” outdated material or leaving newer content unprotected.


Tackling Common Challenges

1. Avoid Over- or Under-Classification

Too much classification can create unnecessary admin and slow down operations. Too little leaves data exposed. Focus on business value and risk — not just labels.

2. Managing Shared Information

When you share data with external parties, be aware:

  • Their classification schemes may differ.
  • Agreements should include a way to translate or interpret each other’s classifications.
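A translation of this kind can be written down as a mapping agreed in the sharing contract. The Python below is an added example and not part of the article: the partner's three-label scheme ("Unrestricted", "Official", "Official-Sensitive") and its equivalences to the four levels above are constructed for the example. Two points a practitioner would want are shown: an incoming label the agreement does not cover fails closed to Restricted and is flagged for review rather than silently becoming Public, and an outgoing level the partner cannot express is flagged so the agreement has to supply handling rules instead of relying on the label.

```python
"""Added example: translating partner classification labels to and from our scheme."""
from enum import IntEnum
from typing import Dict, Tuple


class Level(IntEnum):
    """Our four levels, ordered by required protection."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Agreed equivalences from the (constructed) partner scheme to our levels.
# The partner has only three levels, so nothing maps to RESTRICTED.
PARTNER_SCHEME: Dict[str, Level] = {
    "Unrestricted": Level.PUBLIC,
    "Official": Level.INTERNAL,
    "Official-Sensitive": Level.CONFIDENTIAL,
}
_BY_NORMALISED_LABEL = {label.lower(): lvl for label, lvl in PARTNER_SCHEME.items()}


def from_partner(label: str) -> Tuple[Level, bool]:
    """Map an incoming partner label to our level.

    Returns (level, needs_review). An unknown label is never treated as
    public: it fails closed to RESTRICTED and is flagged for the owner to review.
    """
    level = _BY_NORMALISED_LABEL.get(label.strip().lower())
    if level is None:
        return Level.RESTRICTED, True
    return level, False


def to_partner(level: Level) -> Tuple[str, bool]:
    """Map our level to the least restrictive partner label that is at least as protective.

    Returns (label, needs_agreement). If the partner has no label as strict as
    ours, the strictest one is used and the flag says the agreement must add
    handling rules rather than rely on the label alone.
    """
    for label, partner_level in sorted(PARTNER_SCHEME.items(), key=lambda kv: kv[1]):
        if partner_level >= level:
            return label, False
    strictest = max(PARTNER_SCHEME, key=PARTNER_SCHEME.get)
    return strictest, True


if __name__ == "__main__":
    print(from_partner("Official"), from_partner("Top Secret"))
    print(to_partner(Level.CONFIDENTIAL), to_partner(Level.RESTRICTED))
```

Because the mapping is asymmetric, the two directions are kept as separate functions: rounding up on export is safe, but rounding down on import is exactly the mistake the sharing agreement exists to prevent.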

3. System Limitations

If a system can’t support complex classification rules, look for workarounds such as tagging, folder-level protection, or export rules.


FAQs

What’s the difference between classification and labelling?

Classification determines how sensitive or important information is. Labelling is how you indicate that classification to others — for example, through headers, metadata, or stickers (see Control 5.13).

Who is responsible for classifying information?

Typically, the information owner — usually the person or team that created or is responsible for the data.

Can classification levels differ between organisations?

Yes. Even if the labels (like “Confidential”) are the same, what they mean can differ. Always clarify classifications in contracts or data sharing agreements.

Does classification apply to physical documents too?

Absolutely. Emails, paper files, USB drives, laptops – if they store sensitive data, they should be classified and protected accordingly.

How does classification help with compliance?

It shows regulators you understand your data and are taking steps to protect it — which supports requirements in laws like GDPR, NIS2, and industry frameworks.


Conclusion

A strong classification system gives your organisation a shared understanding of what matters — and how to protect it. When classification is simple, consistent, and aligned to your business needs, it becomes second nature to staff. That’s the real win: protecting data without slowing people down.