
Is Information Classification Relevant to ISO 27001 Certification?

by Isabel Blamey, professional writer
Summary

Are you researching the relationship between information classification and ISO 27001 certification? This article explains how the two fit together.


What is information classification? It is a process that assesses the data an organization holds and the level of protection it requires. Most organizations classify their information in terms of confidentiality, that is, who is granted access to view it. A system should include four levels of confidentiality:

• Confidential (only senior management can access such information)
• Restricted (a large section of employees has access to this information)
• Internal (all employees have access to this information)
• Public (this information is open to all)

A large organization will have more complex levels than mid-sized and small organizations. Consider a hospital, where doctors and nurses need access to patients' medical histories. Medical histories are sensitive; therefore, others should not have access to this information. At the same time, doctors and nurses should not have access to the hospital's financial records.

In such cases, it is important to create a separate level that applies only to specific operations. Now you might be wondering what all this has to do with ISO 27001 certification. Let's find out:

How Is Information Classification Relevant to ISO 27001?

Once information has been classified into the four categories, an organization needs to protect its confidential information, and the ISO 27001 standard helps it do so.

The ISO 27001 standard has a dedicated control area named "Information Classification". It requires that information receives a level of protection appropriate to its importance. The standard does not prescribe how an organization should implement this; however, the process is comparatively simple if you follow the steps discussed below:

Put your information into an inventory

In the initial step, you need to collate all of your information into an inventory or asset register. You need to clearly define who is responsible for managing this inventory and what format each item takes: electronic document, database, paper document, or storage media.

Classify the information

Next, you need to classify the information held in your business management system. Your senior management should develop guidelines based on the results of the organization's ISO 27001 risk assessment.

Information exposed to greater risk should generally be given a higher level of confidentiality, but this is not always the case, so examine each case carefully. Organizations that work with both the public and private sectors will usually benefit from two different classification schemes. This way, an organization can differentiate between the information that should and should not be shared with third parties.

Label the information

Once you are done with the classification, you, as the asset owner, must develop a system for labeling it. You will need separate processes for information stored digitally and physically, but the labeling must be clear and consistent.

Maintain the handling

In this step, you need to set out guidelines on how to protect each piece of information based on its classification and format. For instance, you might say that internal paper documents should be placed in an unlocked cabinet so that all of your employees can access them, whereas restricted documents should be placed in a locked cabinet and confidential information should be kept in a secure place.

Apart from this, you will need to outline additional rules for transferring data. You can keep track of all these rules in a table that simplifies data handling.

Develop an information classification policy

Information classification does not depend on specialist information security knowledge. However, it requires a lot of interaction between departments. Therefore, it is essential to create an information classification policy and make sure that everyone associated with information security management is well aware of it.

In this context, your policy must explain why information classification is important, who is responsible for classification, and who deals with the handling aspects. It must include your classification levels as well as the types of information that belong to each category.

If these steps are carried out properly, you will be able to gain ISO 27001 certification along with the benefits of information classification.
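The five steps above (inventory, classify, label, handle, policy) can be captured as a small asset register that applies the article's four confidentiality levels and its cabinet handling example. This is an added illustration, not code from the article or any ISO 27001 toolkit; the role names, the electronic handling rules and the sample assets are constructed for the example.

```python
from dataclasses import dataclass

# The four confidentiality levels from the article, most restrictive first.
LEVELS = ("Confidential", "Restricted", "Internal", "Public")

# Roles allowed to view each level, following the article's definitions.
# The role names themselves are assumed for this example.
VIEWERS = {
    "Confidential": {"senior_management"},
    "Restricted": {"senior_management", "restricted_staff"},
    "Internal": {"senior_management", "restricted_staff", "employee"},
    "Public": {"senior_management", "restricted_staff", "employee", "public"},
}

# Handling rules keyed by (level, format). The paper rules are the article's
# cabinet example; the electronic rules are constructed placeholders.
HANDLING = {
    ("Public", "paper"): "no storage restriction",
    ("Internal", "paper"): "unlocked cabinet, any employee may access",
    ("Restricted", "paper"): "locked cabinet",
    ("Confidential", "paper"): "secure place",
    ("Public", "electronic"): "may be published",
    ("Internal", "electronic"): "internal file share",
    ("Restricted", "electronic"): "access-controlled share",
    ("Confidential", "electronic"): "encrypted at rest, named access list",
}

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str   # person responsible for the asset (inventory step)
    fmt: str     # "electronic", "database", "paper" or "storage_media"
    level: str   # one of LEVELS (classification step)

def label(asset):
    """Labeling step: one consistent label format for every asset."""
    return f"[{asset.level.upper()}] {asset.name}"

def handling_rule(asset):
    """Handling step: the rule for this level and format, or None if missing."""
    return HANDLING.get((asset.level, asset.fmt))

def may_view(asset, role):
    """Access check derived from the article's level definitions."""
    return role in VIEWERS.get(asset.level, set())

def inventory_gaps(inventory):
    """Names of assets with an unknown level or no handling rule."""
    return [a.name for a in inventory
            if a.level not in LEVELS or handling_rule(a) is None]

# Constructed sample inventory; the database asset has no handling rule yet.
INVENTORY = [Asset("Board minutes", "CEO", "paper", "Confidential"),
             Asset("Patient records", "CMO", "database", "Restricted"),
             Asset("Staff handbook", "HR", "electronic", "Internal")]
```

Running `inventory_gaps(INVENTORY)` flags the database asset, which is exactly the kind of gap in the handling table an auditor would ask about.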


Author Bio

Damon Anderson is an ISO expert who has dealt with complex cases related to ISO 27001 certification, quality management systems, occupational health and safety management systems, environmental management systems and business management systems. He is a regular blogger who uses blogging to share his ISO knowledge with his readers.

Created on Mar 11th 2019 08:31.