AuditFront

ISO 27001 A.5.12: Classification of information

What This Control Requires

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

In Plain Language

Not all information deserves the same level of protection. A public blog post and a customer database are fundamentally different things, and your security controls should reflect that. Classification gives you a structured way to decide what protection each piece of information needs.

A typical scheme uses three or four levels - something like Public, Internal, Confidential, and Restricted. Each level comes with defined handling requirements covering how the information is created, stored, transmitted, and disposed of.

The classification should factor in legal requirements (personal data, for instance), contractual obligations, business impact of disclosure, and the information's value. The information owner or creator assigns the initial classification. Over time it may change as sensitivity or value evolves. Everyone who handles information needs to understand the scheme and how to apply it correctly - a classification system that nobody uses is worse than not having one at all.

How to Implement

Design a classification scheme that is simple enough for everyone to use. Three to four levels work for most organisations. A common approach: Public (intended for external sharing), Internal (general business information), Confidential (disclosure would harm the organisation), and Restricted (needs the strictest protection).

For each level, define clear criteria so information owners can make the right call. Address legal and regulatory sensitivity, financial impact of disclosure, reputational damage, contractual obligations, and operational impact. Include concrete examples for each level - people learn better from examples than from abstract definitions.

Spell out handling requirements for each level across the full lifecycle: creation and labelling, storage (encryption needs, physical security), transmission (encryption in transit, approved channels), sharing (who can access, what approvals are needed), copying restrictions, and disposal (secure deletion or destruction).

Train everyone on the scheme, how to apply it, and what the handling requirements mean in practice. Quick reference guides and decision trees help people make the right classification call without having to re-read the full policy every time.

Back it up with technology where you can. DLP tools can detect and protect classified information. Information rights management can enforce access controls on classified documents. Automated classification tools can help with consistency at scale. Review the scheme regularly as business needs and regulations evolve.

Evidence Your Auditor Will Request

  • Documented information classification scheme with defined levels and criteria
  • Classification handling requirements for each level across the information lifecycle
  • Evidence of classification training and awareness for personnel
  • Samples of classified information showing correct labelling and handling
  • Records of classification reviews and updates

Common Mistakes

  • Classification scheme is too complex with too many levels, leading to inconsistent application
  • Information owners do not understand their responsibility to classify information
  • Classification labels are not applied to documents, emails, and data stores
  • Handling requirements for each level are not defined or not followed in practice
  • No process for reclassification when information sensitivity changes over time

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC6.1          Partial overlap
GDPR        Art.9          Partial overlap
GDPR        Art.32         Related
NIS2        Art.21(2)(a)   Partial overlap

Frequently Asked Questions

How many classification levels should we have?
Three to four is the sweet spot for most organisations. More than that and people get confused, leading to inconsistent application. A typical scheme uses Public, Internal, Confidential, and Restricted. The test is simple: if two levels would have identical handling requirements, merge them. Every level needs to mean something different in practice.
Who is responsible for classifying information?
The information owner or creator handles the initial classification. Business unit leaders typically set the classification policy for their domain, and individuals creating information apply it. When in doubt, classify higher until someone with the right context can review it. Automated tools can help with consistency at scale, but you still need human judgement for context.
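As an added example (not AuditFront's code and not part of the standard), the four-level scheme from the implementation section and the FAQ's merge test expressed as a small policy check in Python: classify() keeps the strictest level any criterion triggers, handling_gaps() flags an asset that is stored or sent below what its level requires, and redundant_levels() finds levels whose handling requirements are identical. The level names, criteria thresholds and handling settings are constructed assumptions, not a recommended scheme.

```python
from dataclasses import dataclass

# Constructed four-level scheme with per-level handling requirements
# (an assumption for this example, not any standard's or AuditFront's scheme).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
HANDLING = {
    "Public":       {"encrypt_at_rest": False, "encrypt_in_transit": False, "channels": {"web", "email", "share"}},
    "Internal":     {"encrypt_at_rest": False, "encrypt_in_transit": True,  "channels": {"email", "share"}},
    "Confidential": {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "channels": {"share"}},
    "Restricted":   {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "channels": {"vault"}},
}
# Business impact of disclosure mapped to the minimum level it justifies
IMPACT_LEVEL = {"none": "Public", "minor": "Internal", "serious": "Confidential", "severe": "Restricted"}

@dataclass
class Asset:
    name: str
    intended_for_public: bool = False     # explicitly meant for external sharing
    personal_data: bool = False           # legal requirement (e.g. GDPR)
    special_category_data: bool = False   # e.g. GDPR Art.9 categories
    contractual_confidentiality: bool = False
    disclosure_impact: str = "none"       # none | minor | serious | severe

def classify(a: Asset) -> str:
    """Apply each criterion and keep the strictest result ('when in doubt, classify higher')."""
    candidates = ["Public" if a.intended_for_public else "Internal"]  # Internal is the default
    if a.personal_data or a.contractual_confidentiality:
        candidates.append("Confidential")
    if a.special_category_data:
        candidates.append("Restricted")
    candidates.append(IMPACT_LEVEL[a.disclosure_impact])
    return max(candidates, key=LEVELS.index)

def handling_gaps(level: str, observed: dict) -> list[str]:
    """Compare how an asset is actually stored and sent with its level's handling requirements."""
    req = HANDLING[level]
    gaps = [f"{key} required for {level}" for key in ("encrypt_at_rest", "encrypt_in_transit")
            if req[key] and not observed.get(key, False)]
    if observed.get("channel") not in req["channels"]:
        gaps.append(f"channel {observed.get('channel')!r} not approved for {level}")
    return gaps

def redundant_levels(handling: dict = HANDLING) -> list[tuple[str, str]]:
    """The FAQ's merge test: two levels with identical handling requirements should be one level."""
    names = list(handling)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:] if handling[x] == handling[y]]
```

Feeding the output of handling_gaps() into a DLP or rights-management policy is where the "defined but not followed in practice" mistake becomes detectable rather than a paper finding.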
