ISO 27001: 2022 A.5.12 Classification of information

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.12 classification of information.

ISO 27001: 2022 Control Description

Information shall be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

Purpose

The organisation should establish a topic-specific policy on information classification and communicate it to all relevant interested parties.

Guidance on implementation

The organisation should consider requirements for confidentiality, integrity, and availability in the classification scheme.

Classifications and associated protective controls for information should account for business needs for sharing or restricting information, protecting the integrity of information, and assuring availability, as well as legal requirements concerning the confidentiality, integrity, or availability of the information. Assets other than information can also be classified in line with the classification of information that is stored in, processed by, or otherwise handled or protected by the asset.

Owners of information should be accountable for their classification.

The classification scheme should include conventions for classification and criteria for reviewing the classification over time. Results of classification should be updated in accordance with changes in the value, sensitivity, and criticality of information throughout its life cycle.

The scheme should be aligned with the topic-specific policy on access control (see A.5.1) and should address the specific business needs of the organisation.

The classification can be determined by the level of impact that the information's compromise would have for the organisation. Each level defined in the scheme should be given a name that is meaningful in the context of the classification scheme’s application.

The scheme should be consistent across the whole organisation and included in its procedures so that everyone classifies information and applicable other associated assets in the same way. This ensures a common understanding of protection requirements and the application of appropriate protection measures.

The classification scheme used within the organisation can differ from those used by other organisations, even if the names for levels are similar. Additionally, information moving between organisations can vary in classification depending on its context in each organisation, even if their classification schemes are identical. Therefore, agreements with other organisations that involve information sharing should include procedures to identify the classification of that information and to interpret the classification levels from other organisations. Correspondence between different schemes can be determined by looking for equivalence in the associated handling and protection methods.

Classification provides individuals dealing with information with a clear indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

Information can cease to be sensitive or critical after a certain period of time. For example, when information has been made public, it no longer has confidentiality requirements but may still require protection for its integrity and availability properties. These aspects should be considered, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense, or conversely, under-classification can lead to insufficient controls to protect the information from compromise.

As an example, an information confidentiality classification scheme can be based on four levels as follows:

a) Disclosure causes no harm;

b) Disclosure causes minor reputational damage or minor operational impact;

c) Disclosure has a significant short-term impact on operations or business objectives;

d) Disclosure has a serious impact on long-term business objectives or jeopardises the survival of the organisation.
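The following is an added worked example, not part of this article or of the standard, that models the ideas above in code: an overall level driven by the highest impact of compromise across confidentiality, integrity and availability; declassification of confidentiality on publication while integrity and availability needs remain; and mapping a level between two organisations' schemes by looking for equivalence in the associated handling controls. The scheme names (ORG_A, ORG_B) and control names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Set


class Impact(IntEnum):
    """Impact of compromise, mirroring the four example levels a) to d)."""
    NONE = 0         # a) no harm
    MINOR = 1        # b) minor reputational or operational impact
    SIGNIFICANT = 2  # c) significant short-term impact
    SERIOUS = 3      # d) serious long-term impact or survival at risk


@dataclass(frozen=True)
class Classification:
    """Classification is assessed per property, not as a single label."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    @property
    def level(self) -> Impact:
        # Handling requirements follow the worst-case impact across C, I and A.
        return max(self.confidentiality, self.integrity, self.availability)


def publish(c: Classification) -> Classification:
    """Public release removes confidentiality needs; I and A are unchanged."""
    return Classification(Impact.NONE, c.integrity, c.availability)


# Constructed schemes: level name -> handling controls that level requires.
# Names differ between organisations and are deliberately not comparable.
ORG_A: Dict[str, Set[str]] = {
    "Public": set(),
    "Internal": {"access-control"},
    "Confidential": {"access-control", "encrypt-at-rest"},
    "Restricted": {"access-control", "encrypt-at-rest", "need-to-know"},
}
ORG_B: Dict[str, Set[str]] = {
    "Open": set(),
    "Protected": {"access-control", "encrypt-at-rest"},
    "Secret": {"access-control", "encrypt-at-rest", "need-to-know"},
}


def map_level(src_level: str, src: Dict[str, Set[str]], dst: Dict[str, Set[str]]) -> str:
    """Lowest destination level whose controls cover every control the source level requires."""
    required = src[src_level]
    candidates = [(len(ctl), name) for name, ctl in dst.items() if required <= ctl]
    if not candidates:
        raise ValueError(f"no level in destination scheme covers {src_level!r}")
    return min(candidates)[1]  # fewest controls first; name breaks ties
```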