What is information classification and how is it relevant to ISO 27001?

Employee round-table discussion

Information classification can be simply defined as the process of assigning an appropriate level of classification to an information asset to ensure it receives an adequate level of protection.

Why is information classification relevant to ISO 27001?

Information classification is a key part of any ISO 27001 project. In the standard, control objective A7.2 is titled ‘Information Classification’. The objective of this control is “to ensure that information receives an appropriate level of protection”. Organisations implement this control by developing a set of information classification guidelines that detail how information should be classified, using labelling or marking, and how it should be handled once it is classified.

For example, an organisation may choose to have three or four levels of classification, such as Restricted, Confidential and Public. It then provides examples for each level in its classification guidelines and details what measures must be in place before information at that level crosses the organisation’s boundary.
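As an added illustration (not code from the original post or from any product it mentions), the following Python checks a document's classification marking against a handling rule for each level before the document is allowed to leave the organisation's boundary. The three level names come from the post; the label format, the handling rules, the fail-closed treatment of unlabelled documents and the sample documents are assumptions made for this example.

```python
# Added example: enforce a three-level classification scheme at an egress point.
# Level names follow the post; the 'Classification:' label format, the handling
# rules and the sample documents are assumptions for illustration.
from enum import IntEnum
from typing import Optional, Tuple

class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2

# Assumed handling rules for information leaving the boundary: Public may leave
# freely, Confidential only if encrypted, Restricted never. No valid label fails closed.
HANDLING = {
    Level.PUBLIC: {"may_leave": True, "requires_encryption": False},
    Level.CONFIDENTIAL: {"may_leave": True, "requires_encryption": True},
    Level.RESTRICTED: {"may_leave": False, "requires_encryption": True},
}

def parse_label(document: str) -> Optional[Level]:
    """Read a 'Classification: <level>' marking from the first lines of a document."""
    for line in document.splitlines()[:5]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "classification":
            try:
                return Level[value.strip().upper()]
            except KeyError:
                return None  # an unknown marking is treated like a missing one
    return None

def egress_decision(document: str, encrypted: bool) -> Tuple[bool, str]:
    """Decide whether a document may cross the boundary, with the reason."""
    level = parse_label(document)
    if level is None:
        return False, "blocked: missing or invalid classification label"
    rule = HANDLING[level]
    if not rule["may_leave"]:
        return False, f"blocked: {level.name} information must not leave the organisation"
    if rule["requires_encryption"] and not encrypted:
        return False, f"blocked: {level.name} information must be encrypted before transfer"
    return True, f"allowed: {level.name} information, handling rules satisfied"

# Constructed sample documents
SAMPLES = {
    "brochure": "Classification: Public\nProduct brochure text...",
    "contract": "Classification: Confidential\nTerms agreed with a customer...",
    "payroll": "Classification: Restricted\nSalary data...",
    "unlabelled": "Meeting notes with no marking",
}
```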

How can information classification be made simple?

Some organisations simply add classifications to Microsoft Word or other electronic documents by hand, but this is prone to human error. Others use old-fashioned stamps to apply classifications to each physical document, which is again prone to human error.

The simple answer is through an information classification software solution such as Boldon James Classifier. If you want to ensure your information is classified in the right way and that your classification guidelines are enforced, Classifier is the solution you need.

For more on implementing ISO27001, visit the IT Governance website.