The world of global commerce is filled with all manner of information types – from mundane, publicly available datasets, to highly sensitive PII records that contain financial information and copies of governmental ID.
Organisations need to have a firm understanding of the different categories of data that they store, process and transfer, and adjust their operations to accommodate information based on its purpose and risk type.
Once the organisation is able to distinguish between various data types – especially in the case of PII – it should then be able to clearly label such information in a way that makes different categories distinct from one another, and account for varying risk levels in how privacy-related assets are processed and handled throughout the organisation.
ISO 27701 Clause 6.5.2 contains three sub-clauses that contain everything an organisation needs to know on how to classify, label and handle PII.
All three sub-clauses contain information garnered from ISO 27002, but with a specific focus on PII and privacy protection:
Sub-clauses 6.5.2.1 and 6.5.2.2 both contain guidance that is relevant to UK GDPR legislation, and the relevant articles have been listed for your convenience.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
Rather than put all information held on an equal footing, organisations should classify information on a topic-specific basis.
Information owners should consider four key factors when classifying data (especially regarding PII), which should be reviewed periodically, or when such factors change:
To provide a clear operational framework, information categories should be named according to the level of risk the organisation would face should an incident compromise any of the above factors.
To ensure the scheme is interpreted consistently across organisations, organisations should make their information categories available to any external personnel with whom they share information, and ensure that the organisation’s own classification scheme is widely understood by all relevant parties.
Organisations should be wary of either under-classifying or, conversely, over-classifying data. The former can lead to mistakes in grouping PII in with less-sensitive data types, whilst the latter often leads to added expense, a greater chance of human error and processing anomalies.
Labels are a key part of ensuring that the organisation’s PII classification policy (see above) is being adhered to, and that data is able to be clearly identified in line with its sensitivity (e.g. PII being labelled as distinct from less confidential data types).
PII labelling procedures should define:
ISO provides plenty of scope for organisations to choose their own labelling techniques, including:
Organisations should develop a set of topic-specific acceptable use policies that cover the handling of PII-related assets and information.
Any group or individual – either internal or external – who has the ability to handle PII on behalf of the organisation, or as part of an information sharing agreement, should understand their responsibilities and what’s expected of them.
Topic-specific policies should clearly define:
Processes and procedures should be implemented that take into consideration:
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.5.2.1 | Classification of Information | 5.12 – Classification of Information for ISO 27002 | Articles (5), (32) |
6.5.2.2 | Labelling of Information | 5.13 – Labelling of Information for ISO 27002 | Article (5) |
6.5.2.3 | Handling of Assets | 5.10 – Acceptable Use of Information & Other Associated Assets for ISO 27002 | None |
The ISMS.online platform has built-in guidance at each stage, in addition to our ‘Adopt, Adapt, Add’ implementation approach, to help you achieve ISO 27701 with less effort.
Additionally, you will benefit from a variety of time-saving features.
Find out more by booking a demo.