Purpose of Control 5.12
5.12 is a preventative control that identifies risks by enabling organisations to determine the level of protection for each information asset based on the information’s level of importance and sensitivity.
5.12 explicitly cautions organisations against over- or under-classification of information in the Supplementary Guidance. It states that organisations should take into account the confidentiality, availability and integrity requirements when they assign assets to relevant categories.
This ensures that classification scheme strikes an appropriate balance between business needs for information and the security requirements for each category of information.
Attributes of Control 5.12
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Identify | #Information Protection | #Protection |
| #Integrity | #Defence | |||
| #Availability |
Ownership of Control 5.12
While there should be an organisation-wide classification of information schemes with classification levels and criteria for how to classify information assets, information asset owners are ultimately responsible for the implementation of a classification scheme.
5.12 explicitly recognizes that owners of the relevant information asset should be accountable.
For example, if the accounting department has access to the folders with payroll reports and bank statements, they should classify information based on the organisation-wide classification scheme.
When classifying information, the asset owner should take into account the business needs, level of impact the compromise of information would have on the organisation and the level of importance and sensitivity of information.
Get an 81% headstart
We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.
General Guidance on Control 5.12
To implement a robust classification of information scheme, organisations should adopt a topic-specific approach, understand each business unit’s needs for information, and determine the level of sensitivity and criticality of information.
5.12 requires organisations to take into account the the following seven criteria when implementing a classification scheme:
- Establish a topic-specific policy and address the specific business needs
5.12 explicitly refers to 5.1, Access control and requires organisations to adhere to topic-specific policies as described in the 5.1. In addition, the classification scheme and levels should take specific business needs into account.
- Take into account business needs for sharing and use of information and the need for availability
If you assign an information asset to a classification category that is unnecessarily higher, this may bring the risk of disruption to your critical business functions by restricting access to and use of information.
Therefore, you should strive to find a balance between your specific business needs for availability and use of information and the requirements for confidentiality and integrity of that information.
- Consider legal obligations
Some laws may impose stricter obligations on you to ensure confidentiality, integrity and availability of information. When assigning information assets to categories, legal obligations should take priority over your own classification.
- Take a risk-based approach and consider the potential impact of a compromise
Each type of information has a different level of criticality to each business’s operations and has a different level of sensitivity depending on the context.
In implementing classification of information scheme, organisations should ask:
What impact would the compromise of integrity, availability and confidentiality of this information have on the organisation?
For instance, databases of professional email addresses of qualified leads and health records of employees widely differ in terms of the level of sensitivity and the potential impact.
- Regularly review and update the classification
5.12 notes that the value, criticality and sensitivity of information is not static and can change throughout the lifecycle of the information. Therefore, you need to regularly review each classification and make necessary updates.
As an example of such change, the 5.12 refers to the disclosure of information to the public, which greatly reduces the value and sensitivity of information.
- Consult with other organisations you share information with and address any differences
There is no one way to classify information and each organisation can have different names, levels and criteria when it comes to classification of information schemes.
These differences may lead to risks when the two organisations exchange information assets with each other. Therefore, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.
- Organisational-level consistency
Each department within the organisation should have a common understanding of classification levels and procedures so that classifications are consistent across the entire organisation.
Compliance doesn't have to be complicated.
We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.
Guidance on How to Implement Classification of Information Scheme
While 5.12 recognises that there is no one-size-fits-all classification scheme and organisations have leeway in deciding and describing individual classification levels, it gives the following example as a information classification scheme:
a) Disclosure causes no harm;
b) Disclosure causes minor reputational damage or minor operational impact;
c) Disclosure has a significant short-term impact on operations or business objectives;
d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.
Changes and Differences From ISO 27002:2013
The Classification of Information was addressed in section 8.2.1 in the previous version.
While the two version are highly similar, there is two key differences:
In the old version, there was no explicit reference to the requirement for consistency of classification levels when information is transferred between organisations.
In the 2022 version, however, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.
Secondly, the new version explicitly requires organisations to put in place topic-specific policies. In the older version, in contrast, there was only a brief reference to the access control.
New ISO 27002 Controls
New Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
Organisational Controls
People Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
Physical Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
Technological Controls
How ISMS.online Helps
Our platform is intuitive and easy-to-use. It’s not just for highly technical people; it’s for everyone in your organisation. We encourage you to involve staff at all levels of your business in the process of building your ISMS, because that helps you to build a truly sustainable system.
Get in touch today to book a demo.
Jump to topic
