Classification of Information - ISO 27001 Annex A Control


Classification is the basis for everything else - protection follows the label.

ISO 27001 Annex A 5.12 - Classification of Information

Classification is what makes the rest of the controls workable. Without it, every piece of information has to be treated the same way, which means either over-protecting public information or under-protecting confidential information. With it, controls can be applied proportionately to the risk each type of information represents.

The classification scheme should be short enough to apply consistently and detailed enough to drive different controls. Most organisations work well with three or four tiers - typically Public, Business Use, Confidential and sometimes a higher tier for highly sensitive material. Each tier has a defined meaning and a clear set of handling rules attached to it.

Classification is not a one-off exercise. Information assets are reclassified when their context changes: a draft contract is Confidential before signing and may drop to Business Use once signed, while a record that comes to hold sensitive personal data attracts stricter handling than general staff information. The asset owner is responsible for keeping the classification current.

The scheme has to be simple enough that staff can apply it without much thought. Three tiers usually work. Five tiers sound more precise in theory but are applied inconsistently in practice. A simple scheme that is followed beats a complex one that is ignored.

Practical Compliance Guidance

Information classification arrangements are described in the IMS1 manual at section 8.5 alongside the topic-specific Information Classification and Protection Policy.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
GG-8-07 Information Classification and Protection | General guidance on the classification scheme, what each tier means, and the protection arrangements that go with it. Use this as the basis for awareness training.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How many classification tiers do we need?
Three is usually enough for most organisations; a structure such as Public, Business Use and Confidential covers most needs. Some organisations add a higher Restricted tier for board papers or pre-publication financial data. More than four tiers tends to be applied inconsistently in practice.

Who is responsible for classifying information?
The asset owner. Classification is one of the responsibilities that comes with asset ownership under Annex A 5.9. Where the asset owner needs guidance they should consult the Information Security Lead, but accountability for getting the classification right sits with the owner.

Does the classification cover integrity and availability as well as confidentiality?
The standard lists confidentiality, integrity and availability as factors. In practice most schemes are driven primarily by confidentiality: what would happen if this got out. Integrity and availability are usually addressed through other controls, such as backup and access control, rather than through the classification tier itself.
