Information classification of documents

Information classification is the link between document control and information security. Once documents are reliably identified and version-controlled, classification adds the next question: who is allowed to see this, and how should it be stored and shared?

Classification matters because most organisations hold a mix of information, ranging from material that can be shared freely with anyone (a published policy, a marketing brochure) to material that would cause real harm if it leaked (personal data, financial records, customer-confidential drawings, security passwords). Treating all of it the same way means either over-protecting public information or under-protecting confidential information. Neither is good practice.

When information classification is required

ISO 9001, ISO 14001, ISO 45001 and ISO 22301 do not specifically require information classification. They require documented information to be protected from loss of confidentiality, improper use or loss of integrity, but they leave it to the organisation to decide how to do that.

ISO 27001 is different. Annex A 5.12 Classification of Information and Annex A 5.13 Labelling of Information make classification a specific requirement. Any organisation working towards ISO 27001 certification will need a documented classification scheme, applied consistently across information assets.

UK GDPR does not require ISO-style information classification, but it does require organisations to apply appropriate technical and organisational measures to protect personal data. A classification scheme that flags personal data and triggers stricter access and storage controls is one of the simplest ways to demonstrate this.

For most other organisations, classification is optional but useful. Even where ISO 27001 is not in scope, having a documented scheme - and applying it - is an effective way to keep confidential information out of the wrong hands.

A practical three-tier scheme

The classification scheme used in the IMS1 manual works well for most small and medium organisations because it is short enough to apply consistently and detailed enough to drive different controls.

[Confidential] covers protected personal data and information that would cause harm if disclosed - HR files, customer personal data, commercial contracts, security configurations, password records. Confidential documents are stored securely, access is restricted to people with a specific need, and sharing is controlled.

[Business Use] is the default. Most internal company documents fall here - procedures, registers, internal reports, training materials. Access is restricted to staff and authorised third parties, but the controls are routine rather than heightened. The contents would not cause significant harm if seen by the wrong people, but there is no business reason to share them publicly.

[Public] covers documents that can be shared openly with anyone - published policies, marketing material, brochures, customer-facing handbooks. Sharing controls do not apply.

Three tiers is usually enough. Some organisations add a [Restricted] or [Highly Confidential] tier above Confidential for specific categories like financial records before publication or board papers. More than four tiers tends to lose its discipline - people stop being able to apply the distinctions consistently.

How to label documents

Classification only works if labels are visible. The standard pattern is to add the classification to the document footer, alongside the version number and date. A typical footer reads:

F-IMS20 Document Register [issue 1] [Information Classification: Business Use]

This pattern works because the label is on every page, the convention is the same across all documents, and the label is generated once when the document is created rather than added later.

For electronic-only documents that do not have a page footer (database records, intranet pages, application data), classification is usually applied through metadata - tags, properties or filename conventions. Folder-level classification is also acceptable where every document in a folder shares the same classification.

Storage and access controls by classification

Classification only adds value if it changes how documents are handled. Three controls usually scale with the classification level.

The first is access. Confidential documents typically live in folders with restricted permissions - HR can see HR files, finance can see finance, and access requires a specific business reason. Business-use documents are open to most staff but not external parties. Public documents have no access restrictions.

The second is sharing. Confidential documents are shared only via secure channels - encrypted email, password-protected files, secure file-transfer services. Business-use documents can be shared with authorised third parties under appropriate terms (NDAs for sensitive material). Public documents can be shared freely.

The third is storage media. Confidential documents are not held on personal devices, USB sticks or unsanctioned cloud services. Business-use documents are held on approved company systems. Public documents can be held anywhere.

The classification policy should set out these controls explicitly, so that staff know what each label actually requires of them.
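The footer convention above and the three handling controls can be checked mechanically, which is the kind of check an auditor applies when deciding whether a label is functional or decorative. The following is an added example, not code from the page or the IMS1 toolkit: it parses the footer label, maps each tier to the access and storage rules described above, and reports documents whose handling contradicts their label. The access values (restricted, staff, open), the media names and every footer except the F-IMS20 one are constructed for illustration.

```python
import re

# Footer convention from the page: "<doc id> <title> [issue N] [Information Classification: <tier>]"
LABEL_RE = re.compile(r"\[issue\s+(?P<issue>\d+)\]\s*\[Information Classification:\s*(?P<tier>[^\]]+?)\s*\]\s*$")
TIERS = ("Public", "Business Use", "Confidential")
UNSANCTIONED_MEDIA = {"personal device", "usb stick", "unsanctioned cloud"}  # ruled out above Public

def parse_footer(footer):
    """Return (issue, tier) from a footer line; ValueError if the convention is not followed."""
    m = LABEL_RE.search(footer)
    if not m:
        raise ValueError(f"no classification label in footer: {footer!r}")
    tier = m.group("tier")
    if tier not in TIERS:
        raise ValueError(f"unknown classification tier: {tier!r}")
    return int(m.group("issue")), tier

def check_document(footer, access, media):
    """Findings where handling contradicts the label (access: restricted|staff|open; media: where the file is held)."""
    try:
        _, tier = parse_footer(footer)
    except ValueError as e:
        return [str(e)]
    findings = []
    if tier == "Confidential" and access != "restricted":
        findings.append(f"Confidential but {access} access: label is decorative")
    if tier == "Business Use" and access == "open":
        findings.append("Business Use but readable by external parties")
    if tier != "Public" and media in UNSANCTIONED_MEDIA:
        findings.append(f"{tier} document held on {media}")
    return findings

def audit(inventory):
    """Map document id -> findings for every (footer, access, media) row that has any."""
    report = {}
    for footer, access, media in inventory:
        findings = check_document(footer, access, media)
        if findings:
            report[footer.split(" ", 1)[0]] = findings
    return report

# Constructed sample inventory; only the first footer is the page's own example.
SAMPLE = [
    ("F-IMS20 Document Register [issue 1] [Information Classification: Business Use]", "staff", "company share"),
    ("F-HR01 Staff Records Index [issue 2] [Information Classification: Confidential]", "open", "company share"),
    ("P-EX1 Supplier Contract [issue 1] [Information Classification: Confidential]", "restricted", "usb stick"),
    ("MK-01 Brochure [issue 4] [Information Classification: Public]", "open", "unsanctioned cloud"),
    ("X-99 Untitled Note", "open", "company share"),
]
```

Running `audit(SAMPLE)` flags the Confidential file on an open share, the Confidential file on a USB stick and the unlabelled note, and passes the Business Use and Public documents.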

Personal data and the link to UK GDPR

For organisations processing personal data, classification provides a useful overlay on top of UK GDPR controls. Documents containing personal data are classified as Confidential, which automatically triggers restricted access, secure sharing and approved storage. The classification scheme links to the Record of Processing Activities required under UK GDPR, which catalogues the personal data the organisation holds and the purposes for which it is processed.

Personal data classified as confidential should still be subject to the retention rules covered in records management - holding personal data without a lawful purpose is a breach regardless of how well it is classified.

Information assets and information security

Classification of documents is one part of a wider concept used in ISO 27001: information assets. An information asset is anything the organisation depends on to operate - documents, databases, software systems, hardware, intellectual property, supplier services. Classification can apply to all of these, not just documents.

Organisations working towards or maintaining ISO 27001 typically maintain an information assets register listing the information assets the organisation holds, who owns each one, what classification applies and what protection it has. Document control feeds into this register but is not the whole of it.

Three labels is enough for most companies. Confidential, Business Use, Public. Apply them in the document footer when the document is created, and they are there forever. The point of classification is to make decisions automatic - if a document is labelled Confidential, you do not have to think about whether to put it on a memory stick, you already know not to.

For ISO 27001 audits I check that the classification scheme is documented, that it is applied consistently, and that the controls match the labels. If a document is marked Confidential but it is sitting in an open share that anyone can access, the classification is decorative rather than functional. That gets a finding.

For other ISO standards I am not auditing classification specifically, but if the organisation has chosen to use a scheme I expect to see it applied properly. Half-applied schemes are worse than no scheme at all.

For organisations not pursuing ISO 27001, the question I usually get asked is whether classification is worth the effort. My answer is that it is worth it if the organisation handles meaningful amounts of personal data or commercially confidential information. Otherwise the same outcome can be reached with simple folder permissions and a clear policy.

The trap to avoid is introducing a classification scheme without changing how documents are actually handled. Labels in the footer that nobody acts on add no protection - they just create a paperwork burden.

Practical compliance guidance

IMS1 Section 1.5 Management of Documented Information and Data includes the three-tier classification scheme used across the integrated management system, and how the labels are applied in document footers.

The toolkit provides a classification policy and supporting guidance, plus the personal data and information assets registers that connect classification to UK GDPR and ISO 27001 requirements.

alphaZ document | How to use it
ISO 27001 Toolkit | Full toolkit including the IMS1 manual and the supporting policies and registers needed for information classification under ISO 27001.
PP-8-12 Information Classification and Protection Policy | Policy and procedure setting out the classification scheme, labelling conventions and the controls that apply to each classification level.
GG-8-07 Information Classification and Protection Guidance | Plain-language guidance on applying the classification scheme day to day, with worked examples for typical document types.
P-31 Information Protection Policy | Wider information protection policy covering the controls applied to information assets at each classification level.
F-IMS25 Information Assets Register | Register of information assets with classification, ownership and protection details. Required for ISO 27001, useful for any organisation handling significant personal data.
F-IMS24 Personal Data Register | Record of personal data held by the organisation, the purpose, the lawful basis and retention. Supports both UK GDPR compliance and information classification.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does ISO 9001 require information classification?

No. ISO 9001 Clause 7.5 requires documented information to be protected from loss of confidentiality, improper use and loss of integrity, but does not specify how to do this. A formal classification scheme is one way to meet the requirement. ISO 27001 Annex A controls do require classification, so any organisation working towards ISO 27001 will need a documented scheme.

How many classification levels are needed?

Three is enough for most small and medium organisations - typically Confidential, Business Use and Public. Some organisations use four levels with an additional Restricted or Highly Confidential tier. More than four tends to be hard to apply consistently, because the distinctions become too fine.

Where should the classification label appear?

In the document footer alongside the version number and date is the standard pattern. For electronic content without a footer, classification can be applied through metadata, filename conventions or folder-level rules. The key is consistency - the same convention is applied across all controlled documents so staff can always tell at a glance what the classification is.

Is classification the same as access control?

No. Classification labels documents according to sensitivity, and access controls enforce who can actually open, edit or share each document. The two work together. A label without enforcement is decorative, and access control without classification leads to inconsistent decisions about who should see what.

UK Legislation relevant to information classification

UK legislation does not mandate a specific classification scheme, but several laws require organisations to apply appropriate protection to personal data and confidential information. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
