AuditFront

SOC 2 C1.1: Confidentiality - Identification and Classification of Confidential Information

What This Control Requires

The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. Procedures are in place to identify confidential information as it is created or received and to classify it according to its sensitivity.

In Plain Language

You cannot protect what you haven't identified. This control is the foundation for every other confidentiality requirement - it ensures your organisation actually knows what sensitive data it holds, where it lives, and how sensitive it is. In practice, you need a data classification scheme defining different sensitivity levels (typically public, internal, confidential, and restricted), procedures for classifying information when it's created or received, an inventory of confidential information assets, and consistent classification labels applied across the organisation. Auditors evaluate whether you have a documented classification policy, whether people actually follow it, whether confidential information is identifiable through labelling or metadata, and whether you know where confidential data resides across your systems. Unclassified data that should be confidential is a red flag.

How to Implement

Create a data classification policy defining the levels your organisation uses. A common scheme: Public (unrestricted distribution), Internal (for internal use, low harm if disclosed), Confidential (could cause harm if disclosed), and Restricted (highly sensitive, requiring the strongest protections). Define clear criteria for each level with specific examples. Customer PII and financial data might be Confidential, while trade secrets and encryption keys are Restricted. Factor in regulatory requirements that effectively fix the classification of certain data types, such as HIPAA for protected health information or PCI DSS for cardholder data.

Run data discovery and inventory processes. Use automated discovery tools to scan databases, file systems, cloud storage, and applications for sensitive data. Build a data inventory documenting what confidential information exists, where it's stored, who owns it, and what classification applies. Keep the inventory current as new data sources appear; a discovery scan that runs once is a snapshot, not an inventory.

Implement data labelling practices. Apply classification labels through document headers and footers, metadata tags on files and database records, email classification markers, and visual indicators in applications displaying classified data. Automate labelling where possible using DLP and information protection tools, but treat automated labels as a floor: a tool can raise a label when it finds a pattern, and the data owner confirms or adjusts it.

Train employees on the classification policy. Everyone should understand the levels, how to classify the information they handle, and the handling requirements for each level. Provide role-specific training for data owners and people who handle highly sensitive information.

Review and update classifications periodically. Information sensitivity changes over time. Set up a process for reviewing and reclassifying information, especially when business relationships change, regulatory requirements evolve, or information reaches the end of its retention period.
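The discovery and labelling steps above are the part of this control that can be automated, so here is an added example (not AuditFront's tooling, and not code from the original page) of a minimal discovery scanner that reads documents, runs a few content detectors, and assigns the highest implied level from the four-level scheme described above. The level names, the detector set, and the sample documents are all assumptions made for the example; the payment-card detector applies a Luhn check so that arbitrary 16-digit reference numbers are not mislabelled as cardholder data.

```python
import os
import re
from dataclasses import dataclass

# Classification levels from the policy, lowest to highest (assumed names).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit strings that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _pan_ok(match_text: str) -> bool:
    """Validator for the payment_card detector: strip separators, check length and Luhn."""
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


# (detector name, pattern, level the detector implies, optional validator on the matched text)
# Illustrative detectors only; a real deployment tunes these to the data types in the policy.
DETECTORS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "Confidential", None),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Confidential", None),
    ("payment_card", re.compile(r"\b(?:\d[ -]?){13,19}\b"), "Restricted", _pan_ok),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "Restricted", None),
]


@dataclass
class Record:
    """One inventory row: where the data lives, the level the scanner proposes, and why."""
    path: str
    level: str
    detectors: list   # detector names that fired
    hits: int         # number of validated matches across all detectors


def scan_text(path: str, text: str) -> Record:
    """Scan one document; the proposed level only ever moves upward from the default."""
    fired, hits = [], 0
    level = "Internal"  # default for content no detector recognised; still needs an owner's review
    for name, pattern, implied, validator in DETECTORS:
        n = sum(1 for m in pattern.finditer(text)
                if validator is None or validator(m.group(0)))
        if n:
            fired.append(name)
            hits += n
            if LEVELS.index(implied) > LEVELS.index(level):
                level = implied
    return Record(path, level, fired, hits)


def build_inventory(documents: dict) -> list:
    """Scan a mapping of path -> text and return inventory rows sorted by path."""
    return [scan_text(p, t) for p, t in sorted(documents.items())]


def scan_directory(root: str, max_bytes: int = 1_000_000) -> list:
    """Read real files under root (text only, truncated) and build the inventory."""
    docs = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "r", encoding="utf-8", errors="ignore") as fh:
                    docs[p] = fh.read(max_bytes)
            except OSError:
                continue
    return build_inventory(docs)


# Constructed sample documents for an offline run; not real customer data.
SAMPLE_DOCUMENTS = {
    "customers/export.csv": "name,email,card\nAda Lovelace,ada@example.com,4111 1111 1111 1111\n",
    "docs/order-notes.txt": "Order ref 1234567890123456 was shipped on Monday.\n",
    "infra/deploy-key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "marketing/blog-draft.md": "# Launch post\nNothing sensitive here.\n",
}

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_DOCUMENTS):
        print(f"{rec.path}\t{rec.level}\t{','.join(rec.detectors) or '-'}\t{rec.hits}")
```

Run it as-is to see the sample inventory, or call scan_directory on a file share. The order-notes file contains a 16-digit number that the regex alone would flag; the Luhn validator drops it, so the file stays Internal rather than generating a false Restricted entry. The scanner proposes a floor, never a ceiling: a file that comes back Internal still needs a data owner to confirm it is not Confidential for a reason no pattern can see, which is the review step the control asks for.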

Evidence Your Auditor Will Request

  • Data classification policy defining levels, criteria, and examples for each classification
  • Data discovery and inventory records showing where confidential information resides
  • Evidence of data labelling practices (document markings, metadata tags, system indicators)
  • Employee training records on data classification policy and handling requirements
  • Periodic classification review records showing updates to data inventory and classifications

Common Mistakes

  • Data classification policy exists but is not followed, with most data remaining unclassified
  • No data discovery or inventory process, leaving the organisation unaware of all confidential data locations
  • Classification levels are defined but labeling mechanisms are not implemented in systems
  • Employees are not trained on how to classify the specific types of data they handle
  • Classification is performed at data creation but never reviewed, leading to stale or incorrect classifications

Related Controls Across Frameworks

Framework   Control ID   Control name                                                Relationship
ISO 27001   A.5.12       Classification of information                               Equivalent
ISO 27001   A.5.13       Labelling of information                                    Related
ISO 27001   A.5.9        Inventory of information and other associated assets        Related
NIST CSF    PR.DS-09     (as listed on the page)                                     Related

Frequently Asked Questions

How many classification levels should we have?
Three or four is the sweet spot. Two levels (just confidential and public) don't give you enough granularity. Five or more levels create confusion and inconsistent application. Most organisations land on Public, Internal, Confidential, and Restricted - but adapt the names and definitions to fit your context.
Who is responsible for classifying data?
The data owner - typically the business unit that creates or collects the data - assigns the initial classification. IT and security teams provide guidance and tooling. Everyone who handles data is responsible for following the handling rules for that classification level. The security team should audit classification practices and address inconsistencies.
How do we handle data that is confidential in one context but not another?
Classify based on the most sensitive context. If customer names are public on your website but confidential when combined with account details, classify the combined dataset at the higher level. Context-dependent classification needs clear guidance and training to keep things consistent.
