The compliance world is just getting its metaphorical teeth into the latest 2013 revision of ISO/IEC 27001 and chewing through the changes and updates to the 2005 fare. To us at Boldon James, the key ideas remain in relation to data classification, namely: “To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation”, and “An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.”
These controls explicitly support some of our passionately-held beliefs about data classification, namely that the creators of files and emails are the people best placed to classify the content they are creating and that an organisation’s own security policy should relate directly to the level and types of information that move around the business, both internally and externally.
The requirement to identify owners, classifications and restrictions is an explicit provision of the ISO 27001 standard. It relates to the planning, preparation and creation of metadata whenever files, messages or other data are created, and it makes full compliance difficult to achieve without data classification labelling. Labelling could be a manual process (i.e. left to employees to type the right label in the right place with the right spelling!), but in today’s world that opens organisations up to a huge amount of error and inconsistency.
Every month I end up in conversations with clients about why labelling email will not by itself ensure compliance with ISO 27001, although it is certainly best practice. As highlighted by fines imposed by the UK Information Commissioner’s Office in the last fortnight, classifying an email does not prevent a user attaching a more sensitive file to it. However, if that file is also classified, a solution such as Boldon James Classifier could propagate the file’s label through to the email and the email’s label would be upgraded to reflect the more sensitive attachment.
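The propagation rule described above, as an added illustration written for this post rather than code from Boldon James Classifier: the email's own label is raised to the most sensitive label found on any attachment, and attachments that carry no label are reported rather than silently treated as public. Everything here is an assumption constructed for the example: the `X-Classification` header name, the four-step label scheme, the sample message and the hypothetical functions `propagate_label` and `check_wire_format`. It uses only Python's standard `email` package.

```python
"""Upgrade an email's classification label to match its most sensitive attachment.

Added example, not vendor code. Constructed assumptions: labels travel in an
'X-Classification' header on the message and on each attachment part, and
LABEL_ORDER is the organisation's scheme, least to most sensitive.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LABEL_ORDER = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET"]  # constructed scheme
LABEL_HEADER = "X-Classification"                               # hypothetical header


def rank(label):
    """Position of a label in the scheme; a missing or unknown label is an error,
    never a silent downgrade to PUBLIC."""
    if label is None:
        raise ValueError("missing classification label")
    norm = label.strip().upper()
    if norm not in LABEL_ORDER:
        raise ValueError(f"unrecognised label {label!r}")
    return LABEL_ORDER.index(norm)


def attachment_labels(msg):
    """Yield (filename, label-or-None) for every attachment part of the message."""
    for part in msg.iter_attachments():
        yield part.get_filename(), part.get(LABEL_HEADER)


def propagate_label(msg):
    """Return (effective_label, upgraded, unlabelled_attachments).

    The message header is rewritten in place when an attachment outranks it.
    Unlabelled attachments are listed so a gateway can hold the mail for review
    instead of assuming they are harmless.
    """
    current = msg.get(LABEL_HEADER)
    highest = rank(current)          # raises if the email itself is unlabelled
    unlabelled = []
    for name, label in attachment_labels(msg):
        if label is None:
            unlabelled.append(name)
            continue
        highest = max(highest, rank(label))
    effective = LABEL_ORDER[highest]
    upgraded = effective != current.strip().upper()
    if upgraded:
        msg.replace_header(LABEL_HEADER, effective)
    return effective, upgraded, unlabelled


def build_sample():
    """Constructed message: an INTERNAL email carrying a CONFIDENTIAL spreadsheet
    and a PDF that was never labelled."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Q3 figures"
    msg[LABEL_HEADER] = "INTERNAL"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"fake xlsx bytes", maintype="application",
                       subtype="octet-stream", filename="q3.xlsx",
                       headers=[f"{LABEL_HEADER}: CONFIDENTIAL"])
    msg.add_attachment(b"fake pdf bytes", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg


def check_wire_format(raw_bytes):
    """Parse the message as a mail gateway would see it, then apply the rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return propagate_label(msg)


if __name__ == "__main__":
    # Expected: ('CONFIDENTIAL', True, ['notes.pdf'])
    print(check_wire_format(build_sample().as_bytes()))
```

The design choice worth noting is the treatment of unlabelled attachments: the function refuses to guess and returns their names, because a rule that quietly maps "no label" to the lowest classification would reproduce exactly the failure the post describes, a sensitive file travelling under a less sensitive email label.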
So if ISO/IEC 27001 for 2013 seems a little indigestible, one easy step towards compliance is to look to simple automated technology that helps prevent both reputational and actual loss to an organisation.