Sep 02 2022

What is ISO 27001 Information Classification?

Category: Information Classification, ISO 27k | DISC @ 10:50 am

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.

Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it. A typical system contains four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.

The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions.

Take the healthcare sector for example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive.

However, they shouldn’t have access to other types of sensitive information, such as financial records.

In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.


Where does ISO 27001 fit in?

Organizations that are serious about data protection should follow ISO 27001.

The Standard describes best practices for creating and maintaining an ISMS (information security management system), and the classification of information plays a crucial role.

Control objective A.8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.

ISO 27001 doesn’t explain how you should do that, but the process is straightforward. You just need to follow four simple steps.

1) Enter your assets into an inventory

The first step is to collate all your information into an inventory (or asset register).

You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).

2) Classification

Next, you need to classify the information.

Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.

Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case.

There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if its confidentiality is compromised, but the organisation must make it widely available in order to function.

3) Labelling

Once you’ve classified your information, the asset owner must create a system for labelling it.

You’ll need different processes for information that’s stored digitally and physically, but each should be consistent and clear.

For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.

For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.

4) Handling

Finally, you must establish rules for how to protect each information asset based on its classification and format.

For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.

By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.

Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.

You can keep track of all these rules by using a table like this:

(Image: information classification table example. Use a table to simplify the data handling documentation process.)
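The four steps above, as an added example that is not part of the original post or the source article: a small Python model of an asset register with owner and format per asset, a classification suggestion driven by the risk assessment (including the caveat from step 2 about information many staff need), labels per format, and a handling-rules table that covers storage and transit. The level mapping, the register entries and the rules are assumptions and constructed samples, not text from ISO 27001.

```python
"""Added example (not code from the original post): a minimal model of the
four-step classification process above. Levels, the risk-to-level mapping,
the register and the handling rules are assumptions and constructed samples."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional

class Level(IntEnum):
    """The post's four confidentiality levels, least to most sensitive."""
    PUBLIC = 0        # everyone
    INTERNAL = 1      # all employees
    RESTRICTED = 2    # most employees
    CONFIDENTIAL = 3  # senior management only

@dataclass
class Asset:  # Step 1: one row of the asset register (inventory)
    name: str
    owner: str                   # who is responsible for the asset
    fmt: str                     # "paper", "electronic" or "database"
    risk: int                    # 1 (low) .. 5 (high); assumed risk-assessment scale
    widely_needed: bool = False  # many staff need it to do their job
    level: Optional[Level] = None

def suggest_level(risk: int, widely_needed: bool) -> Level:
    """Step 2: assumed mapping risk 1->PUBLIC, 2->INTERNAL, 3->RESTRICTED, 4-5->CONFIDENTIAL.
    The post's caveat: information that a broad set of staff must have cannot be
    limited to senior management, so it is capped at RESTRICTED."""
    if not 1 <= risk <= 5:
        raise ValueError(f"risk must be 1..5, got {risk}")
    level = Level(min(risk, 4) - 1)
    return min(level, Level.RESTRICTED) if widely_needed else level

def label(asset: Asset) -> Dict[str, str]:
    """Step 3: where the label goes, following the post's paper/digital examples."""
    if asset.level is None:
        raise ValueError(f"{asset.name} has not been classified")
    tag = f"CLASSIFICATION: {asset.level.name}"
    if asset.fmt == "paper":
        return {"cover page": tag, "each page (top-right)": tag, "folder": tag}
    if asset.fmt == "database":
        return {"classification column": asset.level.name}
    return {"front page": tag, "page header": tag}

# Step 4: handling rules keyed by (level, format); "transit" covers post, email
# and documents employees carry with them. Constructed sample rules.
HANDLING_RULES = {
    (Level.PUBLIC, "paper"): "no storage restrictions",
    (Level.INTERNAL, "paper"): "unlocked cabinet, all employees may access",
    (Level.RESTRICTED, "paper"): "locked cabinet",
    (Level.CONFIDENTIAL, "paper"): "secure location, senior management only",
    (Level.PUBLIC, "electronic"): "public website",
    (Level.INTERNAL, "electronic"): "internal file share",
    (Level.RESTRICTED, "electronic"): "group-restricted share",
    (Level.CONFIDENTIAL, "electronic"): "encrypted store, named-user access",
    (Level.PUBLIC, "transit"): "no restrictions",
    (Level.INTERNAL, "transit"): "internal email only",
    (Level.RESTRICTED, "transit"): "encrypted email; tracked post",
    (Level.CONFIDENTIAL, "transit"): "encrypted email; courier with signature",
}

def handling_rule(level: Level, fmt: str) -> str:
    """A missing entry is a policy gap, so this fails instead of defaulting."""
    try:
        return HANDLING_RULES[(level, fmt)]
    except KeyError:
        raise LookupError(f"no handling rule for {level.name}/{fmt}") from None

def validate_register(assets: List[Asset]) -> List[str]:
    """Checks all four steps: owner, classification, and a rule for storage and transit."""
    problems = []
    for a in assets:
        if not a.owner:
            problems.append(f"{a.name}: no owner")
        if a.level is None:
            problems.append(f"{a.name}: not classified")
            continue
        for fmt in (a.fmt, "transit"):
            if (a.level, fmt) not in HANDLING_RULES:
                problems.append(f"{a.name}: no handling rule for {a.level.name}/{fmt}")
    return problems

def classify_all(assets: List[Asset]) -> List[Asset]:
    for a in assets:
        a.level = suggest_level(a.risk, a.widely_needed)
    return assets

# Constructed sample register echoing the post's healthcare example.
REGISTER = [
    Asset("patient medical histories", "Head of Clinical Records", "database", 5, widely_needed=True),
    Asset("payroll records", "Finance Director", "electronic", 4),
    Asset("staff handbook", "HR Manager", "paper", 2),
    Asset("press releases", "", "electronic", 1),
]

if __name__ == "__main__":
    for a in classify_all(REGISTER):
        print(f"{a.name}: {a.level.name} -> {label(a)}")
    print("register problems:", validate_register(REGISTER))
```

Running the file classifies the sample register, prints the label placement for each asset and reports two gaps: the patient database is classified Restricted but the handling table has no entry for a restricted database, and the press releases have no owner. Keeping the handling rules as data rather than prose is what makes that check possible; the combinations the policy forgot surface before an auditor finds them.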

Source: What is ISO 27001 Information Classification

Introduction to Cataloging and Classification

Tags: classification, Introduction to Cataloging and Classification


Aug 08 2008

Risk Assessment and System Profiling

Category: Risk Assessment | DISC @ 2:39 am

In real estate it’s all about location; in information security risk assessment, success is all about precise profiling of the system under review. The system profile sets the boundaries of an assessment: the reviewer includes or excludes assets based on their criticality and sensitivity and on the business objective of the assessment. A poorly defined system profile results in a poor-quality risk assessment and puts the system at unnecessary risk. A well-defined system profile covers all the unacceptable risks to the system and is therefore the precursor to a successful risk assessment.


To understand business and operational risks, the system under review needs to be profiled with the business owner or system custodian before the scope of the assessment is set. For an effective system profile, it is necessary to understand the objective of the assessment, the needs driving the project, and any inherent threats and weaknesses of the system. In the system profile the reviewer records all the main business functions performed by the system and determines its contribution to the key business objectives. These business objectives drive the data classification and system criticality recorded in the profile. The business impact rating is determined from the financial, operational, technological and physical threats to the confidentiality, integrity and availability of the system.


System Interdependencies and Interfaces:


System boundaries identify where one system begins and another ends. Determining all the interfaces to other systems is an important part of profiling the system. An interface is a connection between two systems, so most systems have multiple interfaces. The reviewer needs to determine what communication and authentication protocols are used on each interface and how often the passwords on these interfaces are changed. To cover all the related interdependencies of a system, every relevant application, operating system, hardware component, communication protocol, network topology and dataflow architecture needs to be profiled. The authentication and authorization details of all applications and operating systems (current release, life cycle, patch cycle) need to be evaluated as well: who needs authorized access, how often, and are there any exceptions?


The best way to gather relevant information for an accurate profile is to conduct on-site interviews with the business owner and relevant subject matter experts. Questionnaires, document review and scanning tools can be used as well. Based on the system criticality, the data classification and all the other relevant threats to the system, the overall business risk to the system is rated on a high/medium/low scale. A carefully done system profile is integral to a sound risk assessment and ensures a common understanding of the system under review. Several business functions can use this data, and valid security decisions can be made from it.
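As an added example (not the author's, and not from the original post), here is one way to capture a system profile as data so that the questions raised above become repeatable checks: the owner, business functions, data classification and C/I/A impact are recorded, each interface carries its protocol, authentication method and credential-rotation interval, each component carries its release and patch cycle, and two functions list the open gaps and derive the overall high/medium/low business risk. The rating scale, the rule combining criticality with data classification, the list of cleartext protocols and the sample system are all assumptions.

```python
"""Added example (not part of the original post): a small system-profile model
for the approach described above. It records owner, business functions, data
classification, C/I/A impact, components and interfaces, lists the gaps a
reviewer should resolve before scoping the assessment, and derives an overall
high/medium/low business risk. Scales, thresholds, the cleartext-protocol
list and the sample system are assumptions, not the post's."""
from dataclasses import dataclass, field
from typing import Dict, List

RATING = ("low", "medium", "high")      # assumed ordered scale
CLEARTEXT = {"telnet", "ftp", "http"}   # assumed: protocols that carry credentials in clear

@dataclass
class Interface:
    peer: str           # the other system at this boundary
    protocol: str       # communication protocol on the interface
    auth: str           # authentication mechanism on the interface
    rotation_days: int  # how often interface credentials are changed; 0 = never

@dataclass
class SystemProfile:
    name: str
    owner: str                     # business owner or system custodian
    business_functions: List[str]  # main functions the system performs
    data_classification: str       # sensitivity of the data: low/medium/high
    cia_impact: Dict[str, str]     # impact on confidentiality/integrity/availability
    interfaces: List[Interface] = field(default_factory=list)
    components: Dict[str, dict] = field(default_factory=dict)  # app/OS -> release, patch cycle, support

def criticality(p: SystemProfile) -> str:
    """Business impact rating: the highest of the C, I and A impacts."""
    return max(p.cia_impact.values(), key=RATING.index)

def profile_gaps(p: SystemProfile) -> List[str]:
    """Questions left open in the profile, plus findings that weaken the boundary."""
    gaps = []
    if not p.owner:
        gaps.append("no business owner or custodian named")
    if not p.business_functions:
        gaps.append("no business functions recorded")
    if not p.interfaces:
        gaps.append("no interfaces recorded; system boundary undefined")
    for i in p.interfaces:
        if i.protocol.lower() in CLEARTEXT:
            gaps.append(f"interface to {i.peer}: {i.protocol} sends credentials in clear")
        if i.rotation_days == 0:
            gaps.append(f"interface to {i.peer}: credentials never rotated")
    for name, c in p.components.items():
        if c.get("patch_cycle_days") is None:
            gaps.append(f"{name}: patch cycle unknown")
        if c.get("supported") is False:
            gaps.append(f"{name}: release is out of support")
    return gaps

def business_risk(p: SystemProfile) -> str:
    """Assumed rule: the higher of criticality and data classification, raised
    one step when the profile shows an interface or support-lifecycle threat."""
    base = max(criticality(p), p.data_classification, key=RATING.index)
    idx = RATING.index(base)
    threats = [g for g in profile_gaps(p)
               if g.startswith("interface") or g.endswith("out of support")]
    if threats:
        idx = min(idx + 1, len(RATING) - 1)
    return RATING[idx]

# Constructed sample system; names and values are illustrative only.
SAMPLE = SystemProfile(
    name="patient billing",
    owner="Director of Finance",
    business_functions=["invoice patients", "claim from insurers"],
    data_classification="high",
    cia_impact={"confidentiality": "high", "integrity": "high", "availability": "medium"},
    interfaces=[
        Interface("clinical-records", "HL7 over TLS", "mutual TLS", rotation_days=90),
        Interface("bank-gateway", "FTP", "shared password", rotation_days=0),
    ],
    components={
        "billing-app": {"release": "4.2", "patch_cycle_days": 30, "supported": True},
        "legacy-os": {"release": "2003", "patch_cycle_days": None, "supported": False},
    },
)

if __name__ == "__main__":
    print(f"{SAMPLE.name}: criticality={criticality(SAMPLE)}, risk={business_risk(SAMPLE)}")
    for gap in profile_gaps(SAMPLE):
        print(" -", gap)
```

For the sample system the profile itself already answers the scoping questions: the bank interface uses a cleartext protocol with credentials that are never rotated, and one operating system has no known patch cycle and is out of support. Those are exactly the items an on-site interview should confirm before the assessment boundary is fixed, and the rating function makes the reasoning behind "high" traceable to the recorded facts rather than to the reviewer's memory.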





httpv://www.youtube.com/watch?v=np1kSQHH0uM




Tags: classification, criticality, current release, interdependencies, interfaces, life cycle, patch cycle, protocols, sensitivity, threats, valuable data