Annex A Controls Explained
ISO 27001 Control 5.12 Classification of information
This control asks organisations to define a classification scheme for the data they handle, so that everyone knows clearly how to handle and dispose of it. Includes an Information Classification Template for you to download and use.
Last Updated: 16 May 2026
Alan Parker, ISO 27001 Consultant & Internal Auditor,
Helping UK SMEs hit ISO 27001 in 90 days.
B.Sc (Hons) Information Systems · CISMP · ITIL Expert · 30+ years in IT governance and security.
ISO 27001 Control 5.12 Classification of Information
https://www.iso.org/standard/27001
“Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.”
Key Takeaways
- Classification is the foundation that controls 5.10, 5.13, 5.14, and the access controls all sit on top of. Get the scheme right, and the rest of the ISMS becomes consistent; get it wrong, and everything downstream inherits the confusion.
- A working SME scheme needs three classifications and eight criteria per classification. Schemes that try to do more usually become shelfware within a year.
- Don’t try to retrospectively classify historical content. Set a go-live date, classify forward from there, and let touched content trigger the classification of legacy material over time.
- Mandatory labelling in your tooling (365 Sensitivity Labels or Google Drive Labels) is the single biggest practical step you can take.
- Over-classification is the most common SME failure mode. If 90% of your content ends up Confidential, the scheme isn’t differentiating, which means it isn’t driving different handling, which means it’s not working.
Purpose of Information Classification
Classifying information is a pillar of an ISO 27001 ISMS because it serves as a central reference point for policies, procedures, and any business activities that handle data. It sets out the rules on what can and cannot be done with the data.
Control 5.12 helps organisations define their data classifications, which in turn provides some key benefits.
- Employees and other stakeholders can easily understand what level of protection is needed and why.
- Organisations can apply appropriate security controls based on the sensitivity or criticality of the information.
- Helps people handle data consistently and confidently across the organisation.
Classification also ensures that information protection aligns with legal requirements, business risks, and the need for information sharing.
Creating a Practical Classification Scheme
A good classification scheme doesn’t need to be complex, but it must be clear, consistent, and aligned with how your business actually operates. With this in mind, here’s how I would go about it:
1. Define the Classification Levels
When I’m coaching ISO 27001 clients, I tend to encourage the simplest structures per the classifications below, but there is no definitive standard in ISO 27001. A multinational bank will have a very different approach to classification than a small SaaS business.
| Classification | Description |
|---|---|
| Confidential | Data that should only be accessible by specific role, or named individuals. |
| Internal | Data that can be shared freely with anyone within the organisation, but not externally without permission. |
| Public | Data that can be freely shared outside the organisation |
In your information classification scheme, you then provide clear guidance and examples for each classification type so staff know what to do and which governance applies to each type of data.
I do recommend that smaller companies keep the classifications to a minimum. There are two key reasons: it makes overall classification management easier (fewer categories = less complexity), and it’s much easier for people to understand and therefore comply with.
2. Define the Classification Criteria
The next step is to build out the criteria for each classification, which tells everyone, ‘this is how you handle this type of data’.
The following is a suggested list of criteria which you can evaluate and use. I don’t recommend using all of them: beyond the ones marked as mandatory below, pick whatever fits your business.
| Criterion | Description |
|---|---|
| Label or marker * | The exact word used for this classification in your terminology (e.g. “Confidential”). What appears on documents, in metadata, in email subject lines. |
| Visual or system marking convention | How the classification is displayed: header text, footer text, watermark, sensitivity label colour, metadata field. |
| Default access * | The baseline access rule: public, anyone in the organisation, named role groups only, named individuals only. |
| Who can grant or change access | Owner-only, line manager, ISMS Manager, or any role. The access governance question that’s often left undefined. |
| External access rules | Whether and how the information can be shared outside the organisation, and what controls apply (NDA required, named recipients only, time-bounded). |
| Permitted storage locations * | The systems or locations where information of this classification may be stored: SharePoint, approved cloud services, encrypted devices, on paper, and locked cabinets. |
| Prohibited storage locations * | The explicit exclusions: personal cloud accounts, personal devices, public-facing storage, and removable media. |
| Permitted transfer methods * | How information can be transferred: internal email, encrypted email, approved file-sharing tools, secure portals, and physical handover. |
| Required protections in transit | Encryption requirements (e.g. TLS, S/MIME), password protection, and secure courier for physical media. |
| Restrictions on transfer | Geographic restrictions (UK only, EU only, international transfer rules) and recipient verification requirements. |
| Workplace handling rules | Clear desk, screen privacy, what can be printed, what can be left unattended, what can be discussed in open or public spaces. |
| Remote and travel handling | Specific rules for working with this classification outside the office, on public Wi-Fi, or in transit. |
| Retention period | How long information of this classification should be kept, either by reference to a retention schedule or stated directly. |
| Disposal method * | The specific method required when information is no longer needed: empty the recycle bin, shred to a standard, secure wipe to a standard, or certified destruction. |
| Disposal evidence | Whether a record of disposal is required, and what that record should contain (date, item, method, person). |
| Reporting expectations on loss or compromise * | Whether the loss or suspected compromise needs to be reported, who to, and how quickly. |
| Severity implications | Whether incidents involving this classification automatically meet a particular severity threshold for incident management. |
| Owner role * | Which role typically owns information of this classification (links back to Control 5.9 asset ownership). |
| Approval requirements | Whether certain handling decisions (external sharing, extended retention, declassification) need explicit approval, and from whom. |
| Initial classification trigger | What event causes information to be classified at this level: creation, receipt from an external source, contractual obligation, or regulatory requirement. |
| Review or reclassification cadence | Whether information at this classification needs periodic review to confirm the classification is still appropriate, and at what interval. |
| Declassification rules | Whether and how the classification can be reduced over time, and who can authorise it. |
Items marked with an * asterisk are the criteria I’d consider mandatory for a working SME classification scheme. The remaining criteria are useful additions where you have a specific reason to specify them, but a scheme that documents only the mandatory eight is genuinely workable. As always, my advice is to ‘keep it simple’.
Evaluation of the CIA for Each Classification
Back to the CIA triad of information security here. Use it as a lens through which to determine the criteria and set the standard for each level of classification.
As a reminder, the CIA triad asks the following questions:
- Confidentiality – Would disclosure cause harm?
- Integrity – Is accuracy and trustworthiness important?
- Availability – Would downtime cause operational or reputational damage?
An Example: Internal Classification
To show how this works in practice, here’s how a typical business might define its “Internal” classification against the eight mandatory criteria. Internal is the everyday business category: information that isn’t sensitive enough to be Confidential but isn’t intended for public consumption either. Most of what flows through a smaller business on any given day sits here.
| Criterion | Definition for Internal Information |
|---|---|
| Label or marker | “Internal”. Used on document headers/footers, in metadata fields, and in sensitivity labels where applied. |
| Default access | Anyone within the organisation (see the definition of Internal above). Not shared outside the organisation without permission. |
| Permitted storage locations | Approved company systems only: SharePoint, OneDrive (company accounts), the company file server, and approved SaaS tools (CRM, HR system, accounting system). Encrypted company-issued devices. |
| Prohibited storage locations | Personal cloud accounts (personal Dropbox, Gmail, iCloud), personal devices not enrolled in MDM, public file-sharing services, and removable media unless encrypted and authorised. Information should not be shared in public AI tools (e.g. free-tier ChatGPT, Claude, Gemini) unless the prompt has been reviewed for personal data and IP. |
| Permitted transfer methods | Internal company email, approved collaboration tools (Teams, Slack), approved file-sharing links (SharePoint, OneDrive shared with named recipients), printed copies handed directly to authorised recipients. |
| Disposal method | Electronic: standard delete from approved systems is sufficient (the systems’ own retention and backup processes handle secure disposal). Paper: cross-cut shredder or designated confidential waste bin. Devices: handled by IT under the device retirement process (see Control 7.14). |
| Reporting expectations on loss or compromise | Suspected loss, accidental external disclosure, or compromise should be reported to the line manager and the ISMS Manager (or designated incident contact) within one working day. Likely to be classified as a minor incident unless circumstances suggest otherwise. |
| Owner role | The owner of the system or process that created the information. Typically a department head or service owner (e.g. Head of HR for HR-related internal documents, IT Manager for internal IT documentation). |
3. Document Your Policy
I tend to include the classification scheme in the main Information Security Policy because everyone should know it and read the InfoSec policy. However, it’s not required, so you may choose to put it in a separate policy. Either way, you need to ensure it’s published and communicated to everyone.
Information Classification Scheme Template
Download a ready-to-use Information Classification Scheme template (Word document, fully editable). Includes three classifications, eight criteria each, worked examples for SMEs, a quick-reference handling guide, and a document control section ready for approval and review.
Embedding Classification in Day-to-Day Operations
In my experience, the problem is that people read your information classifications and go “oh, yeah, I get it,” but then promptly put the document down and do nothing. Possibly more than any other control, you’ll need to put your weight behind this one consistently, or it will falter. Here are the areas where you should look to do that.
Training & Awareness
As with every policy you publish under ISO 27001, and in line with the clauses requiring competence, awareness and communication (Clauses 7.2, 7.3 and 7.4), everyone in the organisation should understand your classification scheme. Cover it in onboarding, refresher training and internal communications, and make sure it explains:
- Why classification matters
- How to classify new content
- What to do if something is misclassified
Don’t just do a ‘once and done’ policy publication or all-hands talk; you really will need to breathe life into this because it should touch every member of staff.
Tooling
There are a host of tools that can help you with this, and even for a smaller business, they aren’t necessarily out of reach or costly. Most SMEs already have the underlying tools as part of their Microsoft 365 or Google Workspace subscription; the question is whether they’ve enabled them.
Microsoft 365 and Microsoft Purview
If you’re a 365 shop, the relevant capability is called Sensitivity Labels, which sits within Microsoft Purview Information Protection. In practical terms, this lets you do four useful things:
- Define labels that mirror your classification scheme. Public, Internal, Confidential, Restricted (or whatever your scheme uses). Labels appear in Word, Excel, PowerPoint, Outlook, and on SharePoint sites and Teams channels.
- Make labelling mandatory. You can configure 365 so that users must apply a label before they can save a document or send an email. No more “I forgot to classify it”; the system won’t let them save it without making a choice.
- Automatically suggest or apply labels based on content. If Purview detects credit card numbers, NHS numbers, or other patterns you’ve defined, it can either apply the label automatically or prompt the user to apply it with a “we noticed this looks Confidential, do you want to label it?” suggestion.
- Enforce protections per classification. Encryption, external sharing restrictions, watermarks, and access controls can all be tied to the label rather than configured separately. Apply the label, and the protections follow.
The cost reality for SMEs: basic manual labelling is included with Microsoft 365 Business Premium, which is the natural subscription for most small businesses. Automatic labelling and the more advanced features need an E5 licence or a separate Information Protection add-on, which is a meaningful expense. For most SMEs, manual labelling with mandatory enforcement is the right starting point, and it’s already paid for if you’re on Business Premium.
Microsoft Purview Sensitivity Labels: https://learn.microsoft.com/en-us/purview/sensitivity-labels
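As an added example (not code from this article, from Microsoft Purview or from Google Workspace), here is a small content-based suggester in Python that implements the “detect, then suggest rather than apply” approach from the list above, including the validation step that stops such rules firing on every 16-digit invoice reference. It uses the article’s three-level scheme; the two detectors (payment card numbers checked with Luhn, NHS numbers checked with their modulus-11 check digit), the regular expressions, the `Classification:` marker format and the sample board pack are my assumptions for illustration. It also applies the mixed-document rule discussed under common issues below: the suggestion is the highest level present.

```python
"""Content-based classification suggester.

Added example for this article; it is not code from the article, from
Microsoft Purview or from Google Workspace. The three-level scheme comes
from the article; the detectors, the regular expressions, the
"Classification: <level>" marker format and the sample text are assumptions
made for illustration.
"""
import re
from dataclasses import dataclass, field

# The article's scheme, ordered lowest to highest.
LEVELS = ["Public", "Internal", "Confidential"]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. Screens out the many
    13-19 digit runs (invoice refs, asset tags) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def nhs_number_valid(digits: str) -> bool:
    """NHS number modulus-11 check: weights 10 down to 2 over the first nine
    digits; check digit = 11 - (sum mod 11), where 11 -> 0 and 10 -> invalid."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


# (name, pattern, validator over the bare digits, level a validated hit implies)
DETECTORS = [
    ("payment card number", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda d: 13 <= len(d) <= 19 and luhn_valid(d), "Confidential"),
    ("NHS number", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
     nhs_number_valid, "Confidential"),
]

# An explicit marker already in the text, e.g. a header "Classification: Confidential".
MARKER = re.compile(r"\bClassification:\s*(Public|Internal|Confidential)\b", re.I)


@dataclass
class Suggestion:
    level: str
    findings: list = field(default_factory=list)   # (detector name, redacted evidence)


def suggest_classification(text: str, default: str = "Internal") -> Suggestion:
    """Return a suggested level and the findings behind it, without applying
    anything: the caller shows it to the user ("this looks Confidential, do
    you want to label it?").

    Mixed-content rule: the suggestion is the highest level implied by any
    finding or explicit marker, and never lower than `default` (the article's
    Internal-by-default position for new content).
    """
    result = Suggestion(level=default)

    def raise_to(level: str, detector: str, evidence: str) -> None:
        if LEVELS.index(level) > LEVELS.index(result.level):
            result.level = level
        result.findings.append((detector, evidence))

    for m in MARKER.finditer(text):
        marked = m.group(1).capitalize()
        raise_to(marked, "explicit marker", marked)

    for name, pattern, is_valid, level in DETECTORS:
        for m in pattern.finditer(text):
            digits = _digits_only(m.group(0))
            if is_valid(digits):
                # Redact: the suggestion log must not leak the value it found.
                raise_to(level, name, "..." + digits[-4:])
    return result


# Constructed sample: a board pack mixing a public press release with
# finance and HR material (the mixed-document case from the article).
SAMPLE_BOARD_PACK = """Classification: Public
Press release: Acme Ltd launches its new customer portal.
Finance appendix: card on file 4111 1111 1111 1111, expires 12/27.
Purchase order ref 1234 5678 9012 3456 (not a card number; fails Luhn).
HR appendix: occupational health referral, NHS number 943 476 5919.
"""

if __name__ == "__main__":
    s = suggest_classification(SAMPLE_BOARD_PACK)
    print(s.level)      # Confidential: highest level present wins
    for detector, evidence in s.findings:
        print(f"  {detector}: {evidence}")
```

Running the file prints the suggested level for the sample pack and the redacted findings behind it; the purchase order reference produces no finding because it fails Luhn. The shape is what matters when you configure real tooling: suggest, show the (redacted) evidence, and let a human decide. In Purview that corresponds to choosing the “recommend” option for a sensitive information type rather than automatic application, which is the order the practical guidance below suggests.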
Google Workspace
Google’s equivalent is Drive Labels (also called Classification Labels). The core capability is similar to Microsoft’s:
- Define classification labels that users apply to Drive files, including Docs, Sheets, Slides, PDFs, and Gmail messages.
- Automatic default classification. Files created within certain shared drives or by certain user groups can be auto-labelled, which solves the “I forgot to label it” problem in a different way.
- DLP rules tied to labels. You can stop labelled files from being shared externally, prevent emails containing certain labels from being sent outside the company, and similar.
- AI-based classification (Workspace editions with DLP). Google has an AI classifier that learns from the examples you provide and automatically applies labels to new and existing files.
The cost reality for Google Workspace SMEs: basic Drive Labels are available in Business Standard and above. The more advanced automatic classification and DLP features require Enterprise Standard or higher, which noticeably increases the licence cost. As with 365, manual labelling is usually enough for an SME starting point.
Google Drive Labels admin guide: https://support.google.com/a/answer/9292382
Practical guidance
For most SMEs setting this up for the first time, I’d suggest the following order:
- Define the scheme on paper first. Don’t open the admin console before you’ve decided what your classifications are and what they mean. The temptation is to play with the tooling and let it shape the scheme, which usually produces a scheme that fits the tool rather than the business.
- Start with manual labelling, not automatic. Users need to understand the scheme before the system starts applying labels for them. Three to six months of manual labelling with mandatory enforcement gives you both the behaviour change and the data you’d need to tune automatic rules later.
- Turn on mandatory labelling once people are used to seeing the labels. This is the single biggest practical step you can take. It makes labelling a forced choice rather than an optional one, and the choice-architecture change does more than any amount of training.
- Add automatic suggestion before automatic application. “We’ve detected this might be Confidential, do you want to label it?” is a useful nudge. Automatic application without user awareness creates surprises and resentment.
- Don’t try to label retrospectively at first. Focus on getting new content labelled correctly. Legacy content can be tackled later, either through bulk labelling exercises or as documents are accessed and edited.
A practitioner observation worth making: the tooling is the easy part. The hard part is the discipline of using it consistently, which loops back to the training and awareness point above.
A perfectly configured Purview tenant where users routinely tag everything as “Internal” because it’s the least friction option is not really a working classification scheme; it’s classification theatre with admin overhead. Whatever tool you use, the success measure is whether the labels are doing useful work (driving DLP decisions, restricting external sharing, informing access reviews) or whether they’re just decoration.
What to Do About Existing Information
A genuinely common question when implementing classification for the first time: “Do we have to go back and label everything we’ve ever produced?”
The honest answer I give is no. Going back through years of historical content, trying to apply classifications retrospectively is, in almost all cases, a waste of time and budget. The work is enormous, the value is marginal, and the discipline tends to collapse before the project finishes. I’d actively advise against it for most SMEs.
The pragmatic approach is forward-looking:
1. Set a go-live date. From this date onwards, all new and amended content must be classified according to the new scheme. Communicate the date clearly, train staff, and treat any content created after that date as in scope.
2. Accept that legacy content is unclassified by default. Existing content created before the go-live date is treated as Internal (or whichever classification is your sensible default) unless it’s explicitly handled later. This isn’t a perfect outcome, but it’s a defensible one, and it’s a position auditors will accept provided you’ve documented it.
3. Let touched-content trigger classification. When someone opens, edits, or shares a legacy document, that’s the prompt to apply the classification. Over time, the documents that actually matter (the ones being used) will get classified through normal work; the ones that don’t get touched stay unclassified, which usually tells you something useful about whether they’re still needed at all.
4. Tackle the genuinely sensitive legacy content deliberately. There’s usually a small subset of historical information you can identify up front that needs proper classification: the contract folder, the HR records, the IP repository, and the source code. Pick those specifically and apply classification as a one-off exercise. Don’t try to classify everything; classify the things where the absence of classification creates real risk.
5. Use retention as the long-term cleanup mechanism. If you have a retention schedule (or this is the prompt to build one), unclassified legacy content that ages out of its retention period simply gets disposed of. The problem solves itself over time, without anyone having to retrofit classifications onto documents that are about to be deleted anyway.
A small practitioner observation worth making: the SMEs I’ve seen attempt comprehensive retrospective classification have almost universally regretted it. The ones who took a forward-looking approach are also the ones whose classification schemes are still working three years later, because they didn’t burn through their goodwill or budget on a backlog that didn’t justify the investment.
The auditor’s view on this is usually pragmatic, too. Auditors don’t expect you to have classified every document from the past five years. They expect to see that you’ve defined the scheme, communicated it, started using it for new content, and have a sensible position on legacy data. “Anything created or substantively modified from [date] onwards is classified per the scheme; legacy content is treated as Internal by default and classified as it’s accessed” is a perfectly defensible answer.
If you’re using Microsoft Purview or Google Workspace classification tools, both can be configured to apply default classifications retrospectively in bulk if you decide later that you do want to address legacy content. But I’d suggest that’s a decision to revisit eighteen months in, once the forward-looking scheme is bedded in, not something to tackle on day one.
What Auditors Will Look For
- The existence of a classification scheme. The first thing the auditor will ask for is to see the classification scheme, whatever method you have chosen to publish that. They’ll want to take a look at the classifications and criteria. I’ll remind you again, per the earlier clauses, that the auditor isn’t there to judge whether this is a ‘good’ or ‘bad’ classification, but rather to confirm that it has been considered, documented, and communicated to the business.
- The scheme can be consistently evidenced in action. You can’t just flash a policy at the auditor and think you are done; you’ll need to show evidence of different data types being classified: documents, spreadsheets, employee data, client data, etc.
- Staff understand and can explain the classification system. An auditor may ask to speak to a member of staff, and during that discussion, ask about the information classification. If they can’t articulate the levels and where to go to check handling guidance, the auditor will find a non-conformity.
Common Issues I Find During Internal Audits
Classification is one of those controls where the scheme exists on paper but doesn’t quite survive contact with daily working. Here’s what I commonly see during internal audits. Not all are outright nonconformities; some are simply observations gathered over the years.
- Over-classification. Everything is marked “Confidential” because it feels safer or because staff aren’t sure where the line is. The result is a scheme that doesn’t differentiate, so the handling rules don’t either, and classification isn’t doing any useful work. If 90% of your content is Confidential, the scheme has effectively collapsed into a single level.
- Under-classification. The opposite issue is just as common. Where labelling isn’t mandatory, staff skip it because it adds friction, so the bulk of content sits unclassified. The scheme exists but isn’t being applied, which auditors will spot in their first staff interview. The fix is usually mandatory labelling in your tooling, supported by training and line manager support.
- Mixed-classification documents handled inconsistently. A board pack contains public press releases alongside Confidential financial projections. Different members of staff treat the whole document differently because there’s no rule for the mixed case. The scheme should specify what to do (typically: classify at the highest level present or redact and split), and the rule should be documented somewhere staff can find it.
How ISO 27001 Control 5.12 links to other clauses and controls
Classification is one of the most interconnected controls in Annex A because it provides the basis for differential handling on which several other controls depend.
Understanding the relationships helps you avoid documenting the same thing in multiple places. There are quite a few links, so here they are:
- Annex A 5.9 – Inventory of information and associated assets: The assets you’ve identified under 5.9 should carry the classifications you define under 5.12. The two registers should agree on which information is which.
- Annex A 5.10 – Acceptable use of information and other associated assets: The handling rules in the AUP are driven by the classification scheme. The AUP says how staff handle Confidential information; 5.12 defines what Confidential means.
- Annex A 5.13 – Labelling of information: Classification is the what; labelling is the how. 5.13 specifies how the classifications you’ve defined under 5.12 are visibly marked on documents, in emails, and in metadata.
- Annex A 5.14 – Information transfer: Transfer rules differ by classification. The transfer protections specified under 5.14 should map directly to the permitted transfer methods defined in your classification scheme.
- Annex A 5.15 – Access control: Access decisions are driven by classification. Who can see Confidential information is an access control question that depends on the classification scheme being in place.
- Annex A 7.10 – Storage media: Storage media handling rules differ by classification. The encryption, transport, and disposal requirements for media should map to the classification of the information they carry.
- Annex A 7.14 – Secure disposal or re-use of equipment: The disposal method specified per classification feeds the operational disposal control. Confidential data needing secure wipe under 5.12 is operationalised through 7.14.
- Annex A 8.24 – Use of cryptography: Encryption decisions are typically driven by classification. The “what needs to be encrypted” question is usually answered by reference to the classification scheme.
FAQs
What’s the difference between classification and labelling?
Classification determines how sensitive or important the information is. Labelling is how you indicate that classification to others — for example, through headers, metadata, or stickers (see Control 5.13).
Who is responsible for classifying information?
Typically the information owner: the person or team that created the data or is responsible for it.
Can classification levels differ between organisations?
Yes. Even if the labels (like “Confidential”) are the same, what they mean can differ. Always clarify classifications in contracts or data-sharing agreements.
Does classification apply to physical documents too?
Absolutely. Emails, paper files, USBs, and laptops — if they store sensitive data, they should be classified and protected accordingly.
How does classification help with compliance?
It shows regulators you understand your data and are taking steps to protect it — which supports requirements in laws like GDPR, NIS2, and industry frameworks.
Conclusion
Information classification is the foundation control of an ISMS. Get this right and a lot of other things become easier: the AUP knows what it’s protecting, the access controls know who should see what, the disposal procedures know what level of destruction to apply, and the staff have a shared language for talking about information sensitivity. Get it wrong and the same questions get answered differently in different places, which is where consistency breaks down and audit findings start to appear.
The pragmatic answer for most SMEs is the simple one: three classifications, eight criteria per classification, mandatory labelling in whichever tool you already pay for, a forward-looking implementation that accepts legacy content stays unclassified by default, and a willingness to revisit the scheme after twelve months when you’ve seen what actually happens in practice.
If you’d like a ready-made Information Classification Scheme template alongside the wider ISMS documents, the Iseo Blue ISO 27001 Toolkit includes both. Or if you’d rather talk through how to right-size the scheme for your specific business, the free 30-minute consultation is genuinely free and genuinely 30 minutes.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.