{"id":4544,"date":"2014-05-12T21:29:14","date_gmt":"2014-05-12T21:29:14","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/05\/12\/information-classification-according-to-iso-27001\/"},"modified":"2025-11-12T21:11:28","modified_gmt":"2025-11-12T21:11:28","slug":"information-classification-according-to-iso-27001","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/05\/12\/information-classification-according-to-iso-27001\/","title":{"rendered":"How to classify information according to ISO 27001 in four steps"},"content":{"rendered":"<p><em>Updated:\u00a0November 14, 2022, according to ISO 27001:2022 revision.<\/em><\/p>\n<p>Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. This is probably due to the fact that historically, information classification was the first element of information security that was being managed \u2014 long before the first computer was built, governments, military, and even corporations labeled their information as confidential. However, the process of how it worked remained somewhat of a mystery.<\/p>\n<p>So, in this article I\u2019ll give you an outline of how information classification works, and how to make it compliant with <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, the leading information security standard. 
Although classification can be done according to other criteria, I\u2019m going to speak about classification in terms of confidentiality, because this is the most common way to specify information classification levels.<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--title\">The four-step process for classifying information according to ISO 27001:<\/div>\n<div class=\"post-featured--content\">\n<ol class=\"list-bracket\">\n<li>Entering the asset in the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=inventory-of-assets\" target=\"_blank\" rel=\"noopener\">Inventory of Assets<\/a><\/li>\n<li>Classification of information<\/li>\n<li>Information labelling<\/li>\n<li>Information handling<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<h2>The four-step process for <strong>classifying<\/strong> information<\/h2>\n<p>Good practice for classifying information says that classification should be done via the following process:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-21606\" src=\"\/wp-content\/uploads\/\/sites\/5\/2014\/05\/classification-iso-27001.jpg\" alt=\"Information classification \u2013 How to do it according to ISO 27001\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2014\/05\/classification-iso-27001.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2014\/05\/classification-iso-27001-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2014\/05\/classification-iso-27001-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>This means that: (1) the information should be entered in the Inventory of Assets (control A.5.9 of ISO 27001), (2) it should be classified (A.5.12), (3) it should be labeled (A.5.13), and finally, (4) it should be handled in a secure way (A.5.10).<\/p>\n<p>In most cases, companies will develop an <a 
href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=information-classification-policy\" target=\"_blank\" rel=\"noopener\">Information Classification Policy<\/a>, which\u00a0should describe all these four steps for classifying information \u2014 see the text below for each of these steps.<\/p>\n<p>Please note that this process applies to both data (the raw recorded material that has no specific meaning) and information (the meaning you give to, and insights you get from data). In a classification context, generally data and information are treated the same.<\/p>\n<h2><strong>Entering the asset in the inventory (asset register)<\/strong><\/h2>\n<p>The point of entering the asset in the inventory is that you know which information you have in your possession, and who is responsible for it (i.e., who is the owner).<\/p>\n<p>Information can be in different forms and types of media, e.g.:<\/p>\n<ul>\n<li>electronic documents<\/li>\n<li>information systems \/ databases<\/li>\n<li>paper documents<\/li>\n<li>storage media (e.g., disks, memory cards, etc.)<\/li>\n<li>information transmitted verbally<\/li>\n<li>email<\/li>\n<\/ul>\n<h2>Classification of information<\/h2>\n<p>The purpose of classifying information is to categorize it based on its level of sensitivity and its importance to the organization. 
Normally, the higher the classification level, the more important the information is.<\/p>\n<p>This helps organizations to understand the importance of each type of information for them, and to prioritize information protection efforts (information with higher classification levels would require more resources for its protection), increasing information security and regulatory compliance.<\/p>\n<p>The most common attribute used for information classification is confidentiality, although you can also find classifications based on integrity and availability.<\/p>\n<h2>Who is responsible for classifying information?<\/h2>\n<p>In most cases, the asset owner is responsible for the confidentiality classification of the information, and this is usually done based on the results of the risk assessment: The higher the value of the information (i.e., the higher the consequence of breaching confidentiality), the higher the classification level should be. (See also <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 Risk Assessment, Treatment, &amp; Management: The Complete Guide.<\/a>)<\/p>\n<h2>Defining confidentiality levels<\/h2>\n<p>ISO 27001 does not prescribe document classification levels or information classification levels (i.e., there are no ISO 27001 information classification or ISO 27001 data classification schemes, or other classification standards) \u2014 this is something you should develop on your own, based on what is common in your country or in your industry.<\/p>\n<h2>Examples of information classification levels<\/h2>\n<p>The bigger and more complex your organization is, the more levels of confidentiality you will have \u2014 for example, for a mid-size organization you may use these kinds of information classification levels with three confidential levels and one public level:<\/p>\n<ul>\n<li><strong>Confidential<\/strong> (top confidentiality 
level)<\/li>\n<li><strong>Restricted<\/strong> (medium confidentiality level)<\/li>\n<li><strong>Internal use<\/strong> (lowest level of confidentiality)<\/li>\n<li><strong>Public<\/strong> (everyone can see the information)<\/li>\n<\/ul>\n<p>Very often, a company may have two different classification schemes in place if it works both with the government and in the private sector. For example, NATO requires the following classification with four confidential levels and two public levels:<\/p>\n<ul>\n<li>Cosmic Top Secret<\/li>\n<li>NATO Secret<\/li>\n<li>NATO Confidential<\/li>\n<li>NATO Restricted<\/li>\n<li>NATO Unclassified (copyright)<\/li>\n<li>NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC<\/li>\n<\/ul>\n<p>However, it is important to note that in very specific situations, where information importance is homogeneous, organizations can adopt a single classification level. It is perfectly acceptable by the standard to use single or multiple confidentiality levels as the ISO 27001 information classification\/ISO 27001 data classification structure.<\/p>\n<h2>Information labeling<\/h2>\n<p>Once you classify the information, then you need to label it appropriately \u2014 you should develop the guidelines for each type of information asset on how it needs to be classified \u2014 again, ISO 27001 is not prescriptive here, so you can develop your own rules.<\/p>\n<p>For example, you could set the rules for paper documents such that the confidentiality level is to be indicated in the top right corner of each document page, and that it is also to be indicated on the front of the cover or envelope carrying such a document, as well as on the filing folder in which the document is stored.<\/p>\n<p>Labeling of information is usually the responsibility of the asset owner.<\/p>\n<h2>Information handling<\/h2>\n<p>This is usually the most complex part of the classification process \u2014 you should develop rules on how to protect each type of asset depending on the level of 
confidentiality. For example, you could use a table in which you must define the rules for each level of confidentiality for each type of media, e.g.:<\/p>\n<table class=\"table\" style=\"text-align: left; width: 100%;\" border=\"0\" cellspacing=\"2\" cellpadding=\"2\">\n<thead>\n<tr>\n<td style=\"width: 25%;\"><\/td>\n<td style=\"width: 25%;\">Internal use<\/td>\n<td style=\"width: 25%;\">Restricted<\/td>\n<td style=\"width: 25%;\">Confidential<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding-left: 5px;\">Electronic documents<\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\">Information systems<\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\">Paper documents<\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\">Storage media<\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\">Verbally transmitted information<\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\">Email<\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<td style=\"padding-left: 5px;\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>So in this table, you can define that paper documents classified as Restricted should be locked in a cabinet, documents may be transferred within and outside the organization only in a closed envelope, and if sent outside the organization, the document must be mailed with a return receipt service.<\/p>\n<p>As 
before, ISO 27001 allows you the freedom to set your <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/seven-steps-for-implementing-policies-and-procedures\/\" target=\"_blank\" rel=\"noopener\">own rules<\/a>, and this is usually defined via the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=information-classification-policy\" target=\"_blank\" rel=\"noopener\">Information Classification Policy<\/a>, or the classification procedures. To read an article about how information classification can be applied in a specific law firm scenario, click <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2019\/10\/15\/iso-27001-for-law-firms-3-ways-to-maintain-confidentiality\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>So, as you can see, the 4-step classification of documents might be complex, but it does not have to be incomprehensible \u2013 ISO 27001 actually allows you great freedom, and you should definitely take advantage of it: make the classification process both adapted to your specific needs and, at the same time, secure enough that you can be sure your sensitive information is protected.<\/p>\n<p><em><span data-sheets-root=\"1\">If you need help with the information classification process, <a class=\"in-cell-link\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a> of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated:\u00a0November 14, 2022, according to ISO 27001:2022 revision. Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. 
This is probably due to the fact that historically, information classification was the first element of information security that was being managed &#8230;<\/p>\n","protected":false},"author":26,"featured_media":92122,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,545],"class_list":["post-4544","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-information-classification"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4544"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4544\/revisions"}],"predecessor-version":[{"id":104330,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4544\/revisions\/104330"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/92122"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}