The Classification Conundrum #ISO27001

An important step in effectively managing information security risks is deciding how many information Classifications you need. The ISO27001 standard supports this through clause 8.2.1: “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification”. There is no standard answer to how many are needed. It is one of those ‘it depends’ areas, but you need to avoid an approach that is either too simple or too complex.

Too simple – having one Classification for data about the company and another for data about Clients. This is unlikely to work, as a company typically has ‘restricted’ information (salaries, strategy, intellectual property etc.), ‘general’ information that can be widely shared internally, and ‘public’ information that is shared externally (website content, press releases, social media posts etc.). Considering legal requirements such as the GDPR and the Data Protection Act 2018 can help identify how many classifications are required.

Too complex – this can happen when there are multiple classifications for restricted company and/or client information. It may be the right approach, but test the reasoning by considering the impact on the Acceptable Use Policy and how easy it will be for staff to correctly classify new data. ISO27002 provides helpful details about Classifications and warns that “over-classification can lead to the implementation of unnecessary controls resulting in additional expense”.

It may take a few iterations to arrive at the Classifications that will work, and agreeing what to call them can take a considerable amount of effort and argument! But it is better to get it right at the outset and avoid having to redo them later on, although this sometimes needs to happen if business requirements change.

Once the Classifications have been agreed, you can apply them to labelling (ISO27001 Control 8.2.2) and handling (ISO27001 Control 8.2.3), including disposal (ISO27001 Controls 8.3.2 and 11.2.7).

If you need help with Classifications or with ISO27001, please get in touch.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462