Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.
Organisations usually classify information in terms of confidentiality â i.e. who is granted access to view it. A typical system contains four levels of confidentiality:
- Confidential (only senior management have access)
- Restricted (most employees have access)
- Internal (all employees have access)
- Public information (everyone has access)
As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.
The levels shouldnât be based on employeesâ seniority but on the information thatâs necessary to perform certain job functions.
Take the healthcare sector for example. Doctors and nurses need access to patientsâ personal data, including their medical histories, which is highly sensitive.
However, they shouldnât have access to other types of sensitive information, such as financial records.
In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.
Where does ISO 27001 fit in?
Organizations that are serious about data protection should follow ISO 27001.
The Standard describes best practices for creating and maintaining an ISMS (information security management system), and the classification of information plays a crucial role.
Control objective A.8.2 is titled âInformation Classificationâ, and instructs that organisations âensure that information receives an appropriate level of protectionâ.
ISO 27001 doesnât explain how you should do that, but the process is straightforward. You just need to follow four simple steps.
1) Enter your assets into an inventory
The first step is to collate all your information into an inventory (or asset register).
You should also note who is responsible for it (who owns it) and what format itâs in (electronic documents, databases, paper documents, storage media, etc.).
2) Classification
Next, you need to classify the information.
Asset owners are responsible for this, but itâs a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.
Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isnât always the case.
There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if itâs confidentiality is compromised, but the organisation must make it widely available in order to function.
3) Labelling
Once youâve classified your information, the asset owner must create a system for labelling it.
Youâll need different processes for information thatâs stored digitally and physically, but it should be consistent and clear.
For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.
For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.
4) Handling
Finally, you must establish rules for how to protect each information asset based on its classification and format.
For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.
By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.
Additional rules should be established for data in transit â whether itâs being posted, emailed or employees carry it with them.
You can keep track of all these rules by using a table like this:
Use a table to simplify the data handling documentation process.
Source: What is ISO 27001 Information Classification
Introduction to Cataloging and Classification
