The New Standard in Information Classification – BS10010


Earlier this month it was great to see the launch of a new British Standards Institute (BSI) standard that attempts to bring clarity to organisations planning to implement a data classification scheme. BS10010:2017 was hatched around 2 years ago, initiated by the lack of corporate guidance on establishing a classification scheme – or Information Classification Marking and Handling (ICMH) system as they call it.

The launch event was held at the CGI offices in London, and attended by a variety of security and information governance professionals. What was refreshing to hear from all the speakers – some of whom were directly involved in writing BS10010:2017 – was the focus on utilising data (or information) classification to improve security awareness and culture. Furthermore, it was reassuring to hear all the speakers talking about the importance of data classification as a foundational step in security, and the need to involve the user in the process of classification (and security). This is something Boldon James has been advocating for several years; placing the user front and centre of data security has been proven to improve security culture and awareness and to reduce data breaches.

To quote one speaker: “The person who creates the information is the only person who can classify it”.

As part of the research, BSI conducted several surveys with members on their attitude towards data classification – with some interesting results:

  • 33% of organisations didn’t have an information classification scheme in place
  • 75% of organisations stated their information classification policy and systems are more than 5 years old so could be out of date
  • Only 6% of respondents find their information classification scheme easy to use
  • Only 1 in 4 reported their information classification scheme had equivalence with a partner scheme (i.e. schemes were translated between partners, so Partner A might have Restricted and Partner B might have Confidential, but the two labels have the same definition internally)
  • Automation toolsets were seen as complex and expensive

Some of the results mirror what we see in customer data classification projects; however, some were rather surprising, such as the view that toolsets were seen as complex and expensive. There still appears to be a lack of awareness of the potential and value that a data classification toolset can bring to organisations. Enforcing policy consistently, accurately and cost-effectively across any organisation, and within the supply chain, is the key to success for any data or information classification initiative. Whatever your policy structure or format, no matter how simple or complex, Boldon James Classifier is there to make implementation easy. With over 30 years’ experience in classifying and protecting sensitive data for organisations like the MoD, military units and intelligence services, you have peace of mind that you are partnering with the best-of-breed solution provider.

So what does this all mean for the average business?

Large organisations should already be advanced in their application of data classification policy and toolsets (although we know many are still in the dark ages). For small to medium enterprises (SMEs), the new BS10010:2017 standard at least provides a framework to help kick-start a project, rather than having to initiate something from a blank canvas.

Having implemented data classification at over 400 organisations, a common challenge we encounter is that of getting consensus and buy-in on data classification policy across an organisation (this usually accounts for over 50% of a data classification project's effort and time; the solution implementation, in comparison, is a small proportion of the project overall). Of course, not everyone in the business has to be involved; the focus should be on convincing a small number of key stakeholders.

This new standard gives organisations a practical reference point to initiate the conversation internally, and this has to be good news for security and business in general. A more standardised approach to data classification policy and implementation has been needed for many years now, and I applaud BSI (with support from CGI) for taking the reins and drafting BS10010. It might not be the finished article, but it is a great step in the right direction. Now we just need to get the international community to embrace an equivalent ISO standard…
