ISO 27701, Clause 6.5.2 – Information Classification

ISO 27701 Controls and Clauses Explained


The world of global commerce is filled with all manner of information types – from mundane, publicly available datasets, to highly sensitive PII records that contain financial information and copies of governmental ID.

Organisations need to have a firm understanding of the different categories of data that they store, process and transfer, and adjust their operation to accommodate information based on its purpose and risk type.

Once the organisation is able to distinguish between various data types – especially in the case of PII – it should then be able to clearly label such information in a way that makes the different categories distinct from one another, and account for varying risk levels in how privacy-related assets are processed and handled throughout the organisation.

What’s Covered in ISO 27701 Clause 6.5.2

ISO 27701 Clause 6.5.2 contains three sub-clauses that together cover how an organisation should classify, label and handle PII.

All three sub-clauses contain information garnered from ISO 27002, but with a specific focus on PII and privacy protection:

  • ISO 27701 6.5.2.1 – Classification of information (References ISO 27002 Control 5.12)
  • ISO 27701 6.5.2.2 – Labelling of information (References ISO 27002 Control 5.13)
  • ISO 27701 6.5.2.3 – Handling of assets (References ISO 27002 Control 5.10)

Sub-clauses 6.5.2.1 and 6.5.2.2 both contain guidance that is relevant to UK GDPR legislation, and the applicable articles are listed below for convenience.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.


ISO 27701 Clause 6.5.2.1 – Classification of Information

References ISO 27002 Control 5.12

Rather than put all information held on an equal footing, organisations should classify information on a topic-specific basis.

Information owners should consider four key factors when classifying data (especially PII), and should review them periodically or whenever any of them change:

  1. The confidentiality of the data.
  2. The integrity of the data.
  3. Data availability levels.
  4. The organisation’s legal obligations towards PII.

To provide a clear operational framework, information categories should be named according to the level of risk that would arise should an incident compromise any of the above factors.

To ensure cross-platform compatibility, organisations should make their information categories available to any external personnel who they share information with, and ensure that the organisation’s own classification scheme is widely understood by all relevant parties.

Organisations should be wary of both under-classifying and over-classifying data. The former can lead to PII being grouped in with less-sensitive data types, whilst the latter often leads to added expense, a greater chance of human error and processing anomalies.

Applicable GDPR Articles

  • Article 5(1)(f); Article 32(2)

ISO 27701 Clause 6.5.2.2 – Labelling of Information

References ISO 27002 Control 5.13

Labels are a key part of ensuring that the organisation’s PII classification policy (see above) is being adhered to, and that data is able to be clearly identified in line with its sensitivity (e.g. PII being labelled as distinct from less confidential data types).

PII labelling procedures should define:

  • Any scenario where labelling is not required (publicly available data).
  • Instructions on how personnel should be labelling both digital and physical assets and storage locations.
  • Contingency plans for any scenario where labelling isn’t physically possible.

ISO provides plenty of scope for organisations to choose their own labelling techniques, including:

  1. Physical labelling.
  2. Electronic labels in headers and footers.
  3. The addition or amendment of metadata, including searchable terms and interactive functionality with other information management platforms (e.g. the organisation’s PIMS).
  4. Watermarking that provides a clear indication of the data classification on a document-by-document basis.
  5. Stamp marks on physical copies of information.

Applicable GDPR Articles

  • Article 5(1)(f)


ISO 27701 Clause 6.5.2.3 – Handling of Assets

References ISO 27002 Control 5.10

Organisations should develop a bank of topic-specific acceptable use policies that cover the handling of PII-related assets and information.

Any group or individual – either internal or external – who has the ability to handle PII on behalf of the organisation, or as part of an information sharing agreement, should understand their responsibilities and what’s expected of them.

Topic-specific policies should clearly define:

  1. Acceptable and unacceptable behaviour, in the context of privacy protection.
  2. How and where PII is permitted to be used.
  3. The details of the organisation’s PII monitoring operation.

Processes and procedures should be implemented that take into consideration:

  • RBAC requirements (or any other form of digital and/or physical access control) that protect access to PII.
  • A thorough record of who is permitted to access PII and privacy-related assets and information.
  • How to protect both temporary and permanent copies of privacy-related information.
  • Manufacturers' guidelines for storing privacy-related assets (see ISO 27002 7.8).
  • How storage media is marked for the attention of the recipient (see ISO 27002 7.10).
  • How PII and privacy-related assets are to be either deleted, or permanently destroyed (see ISO 27002 8.10).
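As an added illustration of how the three sub-clauses fit together (example code, not from this page or from ISMS.online), the following Python models a classification scheme driven by the four factors in 6.5.2.1, carries the result as an electronic metadata label (6.5.2.2) and gates access and disposal on that label (6.5.2.3). The label names, role names and the rule that PII always lands in the top class are assumptions; ISO 27701 leaves the actual scheme to the organisation.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Label names and their rank order are assumptions; ISO 27701 leaves the scheme to the organisation.
LABELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL-PII"]

@dataclass
class Asset:
    name: str
    confidentiality: Level
    integrity: Level
    availability: Level
    contains_pii: bool  # stands in for the legal-obligation factor
    metadata: dict = field(default_factory=dict)

def classify(asset):
    # 6.5.2.1: rank by worst-case impact across the factors; PII is always top class (assumed rule).
    level = Level.HIGH if asset.contains_pii else max(
        asset.confidentiality, asset.integrity, asset.availability)
    return LABELS[level - 1]

def apply_label(asset):
    # 6.5.2.2: electronic label carried in the asset's metadata.
    asset.metadata["classification"] = classify(asset)
    return asset.metadata["classification"]

def is_under_classified(asset):
    # The 6.5.2.1 failure mode: stored label ranks below the required one (unlabelled counts too).
    stored = asset.metadata.get("classification")
    return stored is None or LABELS.index(stored) < LABELS.index(classify(asset))

# 6.5.2.3: handling rules keyed on the label. Role names are constructed;
# None means no role restriction.
HANDLING = {
    "PUBLIC": {"roles": None, "disposal": "delete"},
    "INTERNAL": {"roles": {"staff", "contractor"}, "disposal": "delete"},
    "CONFIDENTIAL-PII": {"roles": {"pii-processor"}, "disposal": "destroy"},
}

def may_access(asset, role):
    # RBAC gate: refuse outright if the label is missing or too low.
    if is_under_classified(asset):
        return False
    allowed = HANDLING[asset.metadata["classification"]]["roles"]
    return allowed is None or role in allowed
```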

Relevant ISO 27002 Controls

  • ISO 27002 7.8
  • ISO 27002 7.10
  • ISO 27002 8.10

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles
6.5.2.1 | Classification of Information | 5.12 – Classification of Information for ISO 27002 | Articles (5), (32)
6.5.2.2 | Labelling of Information | 5.13 – Labelling of Information for ISO 27002 | Article (5)
6.5.2.3 | Handling of Assets | 5.10 – Acceptable Use of Information & Other Associated Assets for ISO 27002 | None

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each stage, in addition to our ‘Adopt, Adapt, Add’ implementation approach, to help you achieve ISO 27701 with less effort.

Additionally, you will benefit from a variety of time-saving features.

Find out more by booking a demo.
