Information Classification Procedure
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Information Classification Procedure [Insert Classification]
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document This document defines a way of classifying information so that the correct level of protection can be applied to it.
Areas of the standard addressed The following areas of the ISO/IEC 27001:2013 standard are addressed by this document: Annex A A.8 Asset management A 8.2 Information classification A 8.2.1 Classification of information
General Guidance The standard does not dictate how you should classify your information and some thought should be put into which scheme would best suit your organization and the types of information you hold. The important thing is to be clear about what level of protection each classification requires and that all staff are aware of this.
Review Frequency We would recommend that this document is reviewed annually.
Toolkit Version Number ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016.
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File
Version 1
Page 1 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
> Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your
Version 1
Page 2 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
[Replace with your logo]
Information Classification Procedure
Document Classification: Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 11
[Insert Classification] ISMS-DOC-A08-2 1 [Insert date]
[Insert date]
Information Classification Procedure [Insert Classification]
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 11
Date
[Insert date]
Information Classification Procedure [Insert Classification]
Contents 1
INTRODUCTION ....................................................................................................................................... 7
3
INFORMATION CLASSIFICATION PROCEDURE............................................................................ 8 3.1 CLASSIFICATION SCHEME ......................................................................................................................... 8 3.1.1 Public / Unclassified Information Assets ........................................................................................ 8 3.1.2 Protected Information Assets .......................................................................................................... 9 3.1.3 Restricted Information Assets ......................................................................................................... 9 3.1.4 Confidential Information Assets ................................................................................................... 10 3.2 DECIDING THE CORRECT CLASSIFICATION .............................................................................................. 10
Version 1
Page 6 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
1 Introduction Information can take many forms including, but not limited to, the following:
Hard copy data held on paper Data stored electronically in computer systems Communications sent by physical post or using email Data stored using electronic media such as USB drives, disks and tapes
Personal information is any information about any living, identifiable individual. The organization is legally responsible for this and its storage, protection and use are governed by national and international law. Details of specific requirements for personal information can be found in the Legal Responsibilities Policy. The organization maintains inventories of all important information assets upon which it relies. However [Organization Name] recognises that there are risks associated with employees, customers, contractors and other third parties accessing and handling information in order to conduct official organization business. [Organization Name] has a responsibility to protect the information it holds and processes using controls appropriate to the sensitivity of the information involved. Only by classifying information according to a documented scheme can the correct level of protection be applied. This procedure sets out the details of the scheme to be adopted and the criteria applied in deciding which level of protection to apply to any given information asset. This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems. The following policies and procedures are relevant to this document:
Information Asset Inventory Information Security Labelling Procedure Access Control Policy Privacy and Personal Data Protection Policy
Version 1
Page 7 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
3 Information Classification Procedure On creation, all information assets must be assessed and classified by the owner according to their content. The classification will determine how the document should be protected and who should be allowed access to it. Any system subsequently allowing access to this information should clearly indicate the classification. 3.1
Classification Scheme
The [Organization Name] information classification scheme requires information assets to be protectively marked into one of 3 classifications (excluding Public information which does not need to be marked). The way the document is handled, published, moved and stored will be dependent on this scheme. The classes of information are:
Level 0 - Public (or unclassified) Level 1 - Protected Level 2 - Restricted Level 3 - Confidential
[Please note that more or fewer levels of classification may be used according to requirements and that the name of each classification can be varied also as these details are not stipulated in the ISO/IEC 27001-2013 standard] The definitions of these classes of information are described in further detail below. The decision regarding which classification an information asset should fall into is based on the following main criteria: 1. 2. 3. 4.
Legal requirements that must be complied with Value to the organization Criticality to the organization Sensitivity to unauthorised disclosure or modification
These areas are considered in the definitions below. 3.1.1
Public / Unclassified Information Assets
Much of the information held by the organization is freely available to the public via established publication methods. Such items of information have no classification and will not be assigned a formal owner or inventoried. It may be necessary however to maintain an awareness of the information that falls within this classification over time as circumstances may change and a need to provide increased protection of previously public information assets may arise.
Version 1
Page 8 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
3.1.2
Protected Information Assets
For information that is not published freely by the organization, some of this may be classified as Protected. This is typically information which is relatively private in nature, either to an individual or to the organization and, whilst its loss or disclosure is unlikely to result in significant consequences, it would be undesirable. [Give examples according to the type of organization e.g. invoices, expense claims] The criteria for assessing whether information would be classified as Protected include whether its unauthorised disclosure would:
cause distress to individuals breach proper undertakings to maintain the confidence of information provided by third parties breach statutory restrictions on the disclosure of information cause financial loss or loss of earning potential, or to facilitate improper gain give an unfair advantage to individuals or companies prejudice the investigation or facilitate the commission of crime disadvantage the organization in commercial or policy negotiations with others
Most employees of the organization are likely to handle “Protected” information during the course of their working day. 3.1.3
Restricted Information Assets
The level above Protected is that of Restricted. This information would be more serious if it were disclosed to unauthorised persons and result in significant embarrassment to the organization and possibly legal consequences. [Give examples according to the type of organization e.g. customer lists, credit history] The criteria for assessing whether information would be classified as Restricted include whether its unauthorised disclosure would:
affect relations with other organizations adversely cause substantial distress to individuals cause financial loss or loss of earning potential or to facilitate improper gain or advantage for individuals or companies prejudice the investigation or facilitate the commission of crime breach proper undertakings to maintain the confidence of information provided by third parties impede the effective development or operation of organizational policies breach statutory restrictions on disclosure of information disadvantage the organization in commercial or policy negotiations with others undermine the proper management of the organization and its operations
Version 1
Page 9 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
Information falling into the classification of “Restricted” will typically be handled by middle management and above, with some employees of lower clearance being given access only in specific circumstances. 3.1.4
Confidential Information Assets
The highest level of classification is that of Confidential. This is reserved for information which is highly sensitive and would cause major reputation and financial loss if it were lost or wrongly disclosed. [Give examples according to the type of organization e.g. financial results prior to announcement, pre-launch product information] The criteria for assessing whether information would be classified as Confidential include whether its unauthorised disclosure would:
materially damage relations with other organizations (i.e. cause formal protest or other sanction); prejudice individual security or liberty; cause damage to the operational effectiveness or security of the organization work substantially against organizational finances or economic and commercial interests; substantially undermine the financial viability of major organizations; impede the investigation or facilitate the commission of serious crime; impede seriously the development or operation of organizational policies; shut down or otherwise substantially disrupt significant business operations.
Access to information assets defined as “Confidential” will be tightly controlled by senior management and in many cases numbered copies of documents will be distributed according to specific procedures.
3.2
Deciding the Correct Classification
When deciding which classification to use for an information asset, it is recommended that an assessment is conducted to consider the likely impact if the asset were to be compromised. The criteria given in section 3 should be used for this purpose. A correct classification will ensure that only genuinely sensitive information is subject to additional controls. The following points should be considered when assessing the classification to use:
Applying too high a classification can inhibit access, lead to unnecessary and expensive protective controls, and impair the efficiency of the organization's business.
Version 1
Page 10 of 11
[Insert date]
Information Classification Procedure [Insert Classification]
 

Applying too low a classification may lead to damaging consequences and compromise of the asset. The compromise of larger sets of information of the same classification is likely to have a higher impact (particularly in relation to personal data) than that of a single instance. Generally this will not result in a higher classification but may require additional handling arrangements. However, if the accumulation of that data results in a more sensitive asset being created, then a higher classification should be considered. The sensitivity of an asset may change over time and it may be necessary to reclassify assets. If a document is being de-classified or the marking changed, the file should also be changed to reflect the highest marking within it.
Please see Information Labelling Procedure for details of how information of the various classifications will be managed.
Version 1
Page 11 of 11
[Insert date]