Classification of information is a process that enables organisations to group information assets into relevant categories depending on the level of protection each category of information should be provided.
Control 5.12 deals with implementation of a classification of information scheme based on confidentiality, integrity and availability requirements for information assets.
5.12 is a preventative control that identifies risks by enabling organisations to determine the level of protection for each information asset based on the information’s level of importance and sensitivity.
5.12 explicitly cautions organisations against over- or under-classification of information in the Supplementary Guidance. It states that organisations should take into account the confidentiality, availability and integrity requirements when they assign assets to relevant categories.
This ensures that classification scheme strikes an appropriate balance between business needs for information and the security requirements for each category of information.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Information Protection | #Protection #Defence |
While there should be an organisation-wide classification of information schemes with classification levels and criteria for how to classify information assets, information asset owners are ultimately responsible for the implementation of a classification scheme.
5.12 explicitly recognizes that owners of the relevant information asset should be accountable.
For example, if the accounting department has access to the folders with payroll reports and bank statements, they should classify information based on the organisation-wide classification scheme.
When classifying information, the asset owner should take into account the business needs, level of impact the compromise of information would have on the organisation and the level of importance and sensitivity of information.
To implement a robust classification of information scheme, organisations should adopt a topic-specific approach, understand each business unit’s needs for information, and determine the level of sensitivity and criticality of information.
5.12 requires organisations to take into account the the following seven criteria when implementing a classification scheme:
5.12 explicitly refers to 5.1, Access control and requires organisations to adhere to topic-specific policies as described in the 5.1. In addition, the classification scheme and levels should take specific business needs into account.
If you assign an information asset to a classification category that is unnecessarily higher, this may bring the risk of disruption to your critical business functions by restricting access to and use of information.
Therefore, you should strive to find a balance between your specific business needs for availability and use of information and the requirements for confidentiality and integrity of that information.
Some laws may impose stricter obligations on you to ensure confidentiality, integrity and availability of information. When assigning information assets to categories, legal obligations should take priority over your own classification.
Each type of information has a different level of criticality to each business’s operations and has a different level of sensitivity depending on the context.
In implementing classification of information scheme, organisations should ask:
What impact would the compromise of integrity, availability and confidentiality of this information have on the organisation?
For instance, databases of professional email addresses of qualified leads and health records of employees widely differ in terms of the level of sensitivity and the potential impact.
5.12 notes that the value, criticality and sensitivity of information is not static and can change throughout the lifecycle of the information. Therefore, you need to regularly review each classification and make necessary updates.
As an example of such change, the 5.12 refers to the disclosure of information to the public, which greatly reduces the value and sensitivity of information.
There is no one way to classify information and each organisation can have different names, levels and criteria when it comes to classification of information schemes.
These differences may lead to risks when the two organisations exchange information assets with each other. Therefore, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.
Each department within the organisation should have a common understanding of classification levels and procedures so that classifications are consistent across the entire organisation.
While 5.12 recognises that there is no one-size-fits-all classification scheme and organisations have leeway in deciding and describing individual classification levels, it gives the following example as a information classification scheme:
a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.
The Classification of Information was addressed in section 8.2.1 in the previous version.
While the two version are highly similar, there is two key differences:
In the old version, there was no explicit reference to the requirement for consistency of classification levels when information is transferred between organisations.
In the 2022 version, however, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.
Secondly, the new version explicitly requires organisations to put in place topic-specific policies. In the older version, in contrast, there was only a brief reference to the access control.
Our platform is intuitive and easy-to-use. It’s not just for highly technical people; it’s for everyone in your organisation. We encourage you to involve staff at all levels of your business in the process of building your ISMS, because that helps you to build a truly sustainable system.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
