Information classification according to ISO 27001

Classification of information is certainly one of the most attractive parts of information security management, but at the same time, one of the most misunderstood. This is probably due to the fact that historically, information classification was the first element of information security that was being managed – long before the first computer was built, governments, the military, but also corporations labeled their information as confidential. However, how the process actually worked remained somewhat of a mystery.

So in this article I’ll give you an outline of how information classification works, and how to make it compliant with ISO 27001, the leading information security standard. Although classification can be made according to other criteria, I’m going to speak about classification in terms of confidentiality, because this is the most common type of information classification.

The four-step process for managing classified information

Good practice says that classification should be done via the following process:


This means that: (1) the information should be entered in the Inventory of Assets (control A.8.1.1 of ISO 27001), (2) it should be classified (A.8.2.1), (3) then it should be labeled (A.8.2.2), and finally (4) it should be handled in a secure way (A.8.2.3).

In most cases, companies will develop an Information Classification Policy, which should describe all these four steps – see the text below for each of these steps.

Asset inventory (Asset register)

The point of developing an asset inventory is that you know which classified information you have in your possession, and who is responsible for it (i.e., who is the owner).

Classified information can be in different forms and types of media, e.g.:

  • electronic documents
  • information systems / databases
  • paper documents
  • storage media (e.g., disks, memory cards, etc.)
  • information transmitted verbally
  • email

Classification of information

ISO 27001 does not prescribe the levels of classification – this is something you should develop on your own, based on what is common in your country or in your industry. The bigger and more complex your organization is, the more levels of confidentiality you will have – for example, a mid-size organization might use information classification levels like these, with three confidential levels and one public level:

  • Confidential (top confidentiality level)
  • Restricted (medium confidentiality level)
  • Internal use (lowest level of confidentiality)
  • Public (everyone can see the information)

In most cases, the asset owner is responsible for classifying the information – and this is usually done based on the results of the risk assessment: the higher the value of information (the higher the consequence of breaching the confidentiality), the higher the classification level should be. (See also ISO 27001 risk assessment & treatment – 6 basic steps.)

Very often, a company may have two different classification schemes in place if it works both with the government and with the private sector. For example, NATO requires the following classification with four confidential levels and two public levels:

  • Cosmic Top Secret
  • NATO Secret
  • NATO Confidential
  • NATO Restricted
  • NATO Unclassified (copyright)

Information labeling

Once you classify the information, you need to label it appropriately – you should develop guidelines for each type of information asset on how it needs to be labeled. Again, ISO 27001 is not prescriptive here, so you can develop your own rules.

For example, you could set the rules for paper documents such that the confidentiality level is to be indicated in the top right corner of each document page, and that it is also to be indicated on the front of the cover or envelope carrying such a document, as well as on the filing folder in which the document is stored.

Labeling of information is usually the responsibility of the asset owner.

Handling of assets

This is usually the most complex part of the classification process – you should develop rules on how to protect each type of asset depending on the level of confidentiality. For example, you could use a table in which you define the handling rules for each level of confidentiality for each type of media, e.g.:


So in this table, you can define that paper documents classified as Restricted should be locked in a cabinet, documents may be transferred within and outside the organization only in a closed envelope, and if sent outside the organization, the document must be mailed with a return receipt service.
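As an added illustration of the four-step process (inventory, classify, label, handle), and not code from the original article, here is a small Python asset register that encodes the article's classification levels and media types, stores handling rules as a (level, media) table, and audits each asset for the gaps an ISO 27001 auditor would look for: a missing owner, an unknown classification, a label that does not match the classification, or a level/media combination with no handling rule. The Restricted/paper rule is taken from the article; every other handling rule and all of the assets in the register are constructed sample data.

```python
"""Minimal asset register for the inventory -> classify -> label -> handle flow.

Added example, not the article's code. Levels, media types and the
Restricted/paper rule come from the article; other rules and all assets are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Classification levels, highest confidentiality first (from the article).
LEVELS: Tuple[str, ...] = ("Confidential", "Restricted", "Internal use", "Public")

# Media types listed in the article's asset-inventory section.
MEDIA: Tuple[str, ...] = (
    "electronic document", "information system", "paper document",
    "storage media", "verbal", "email",
)

# Handling rules keyed by (level, media). Only the Restricted/paper document
# rule is taken from the article; the others are hypothetical policy entries
# that a real organisation would fill in for every level/media combination.
HANDLING_RULES: Dict[Tuple[str, str], Tuple[str, ...]] = {
    ("Restricted", "paper document"): (
        "store locked in a cabinet",
        "transfer within and outside the organisation only in a closed envelope",
        "mail outside the organisation with a return-receipt service",
    ),
    ("Public", "paper document"): ("no special handling required",),
    ("Confidential", "electronic document"): (
        "encrypt at rest",
        "share only with named recipients",
    ),
}


@dataclass
class Asset:
    name: str
    media: str
    owner: Optional[str] = None   # step 1: the inventory must name an owner
    level: Optional[str] = None   # step 2: classification chosen by the owner
    label: Optional[str] = None   # step 3: the label actually applied


def check_asset(asset: Asset) -> List[str]:
    """Return audit findings for one asset; an empty list means compliant."""
    findings: List[str] = []
    if asset.media not in MEDIA:
        findings.append(f"unknown media type {asset.media!r}")
    if not asset.owner:
        findings.append("no owner recorded in the asset inventory (A.8.1.1)")
    if asset.level not in LEVELS:
        findings.append("not classified with a known level (A.8.2.1)")
        return findings  # label and handling checks need a valid level
    if asset.label != asset.level:
        findings.append(
            f"label {asset.label!r} does not match level {asset.level!r} (A.8.2.2)")
    if (asset.level, asset.media) not in HANDLING_RULES:
        findings.append(
            f"no handling rule for {asset.level}/{asset.media} (A.8.2.3)")
    return findings


def handling_rules(asset: Asset) -> Tuple[str, ...]:
    """Look up the handling rules that apply to an asset (empty if undefined)."""
    return HANDLING_RULES.get((asset.level or "", asset.media), ())


def container_level(contents: List[Asset]) -> str:
    """Level to put on a folder or envelope: the most sensitive level inside it.

    The article requires the filing folder to carry the document's level; when
    a container holds several documents, the highest level wins.
    """
    levels = [a.level for a in contents]
    if any(lvl not in LEVELS for lvl in levels):
        raise ValueError("container holds an unclassified asset")
    return min(levels, key=LEVELS.index)  # lowest index = highest sensitivity


def audit_register(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map asset name -> findings, for assets that have at least one finding."""
    report = {}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample register (hypothetical assets, not from the article).
SAMPLE_REGISTER: List[Asset] = [
    Asset("Board minutes 2023", "paper document", "CFO", "Restricted", "Restricted"),
    Asset("Customer database", "information system", "Head of Sales",
          "Confidential", "Confidential"),           # no handling rule defined
    Asset("Press release", "paper document", "PR team", "Public", "Public"),
    Asset("Backup tape", "storage media", None, "Confidential", "Confidential"),
    Asset("Unclassified memo", "email", "HR", None, None),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script lists only the non-compliant assets with the control each finding relates to; `container_level` shows how the label on a folder is derived from its contents, and `handling_rules` is the lookup the handling step would use.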

As before, ISO 27001 gives you the freedom to set your own rules, and these are usually defined in the Information classification policy or in the Classification procedures.

So, as you can see, the classification process might be complex, but it does not have to be incomprehensible – ISO 27001 actually allows you great freedom, and you should definitely take advantage of it: make the process adapted to your specific needs, but at the same time secure enough that you can be sure your sensitive information is protected.

13 responses to “Information classification according to ISO 27001”

  1. miko says:

    Hi, Dejan,
    The new version states that we need to identify a risk owner instead of an asset owner. So does it mean that one asset could have several risk owners?

  2. Manjunath A T says:

    Dear Mr. Dejan, in the case of implementing controls on identified risks for a particular asset by the ‘Risk Owner’, is it required to consult the ‘Asset Owner’? If so, what is the role of the ‘Asset Owner’ during implementation? Please clarify. Thanks.

  3. I helped to re-architect an ambitious software project involving integrating multiple standards, including most of the above (missing an adequate risk-treatment plan). ISO standards are obviously very important for large businesses, but what about small businesses? These smaller players often see ISO standards as just another cost, unless they form a statutory or industry-wide requirement. Worse still, many have 27k certification despite having horrendous information security. How would you propose we tackle problems such as these?

  4. raaju says:

    Dear Mr. Dejan, “Risks and opportunities should be identified from issues and expectations, and records should be maintained.” This is the comment from the auditor. What does it mean?

  5. Garry says:

    Hi Dejan,
    For the new standard, how do we capture opportunities, and what kind of metrics is the standard looking for?

  6. Krishna Raj says:

    Dear All,

    Can anybody help me out on how to identify the immediate threats or the current threats for all the assets (IT, HR, Admin, and Projects) in an organization that are classified in the Risk Assessments?

  7. Krishna Raj says:

    Dear Antonio Segovia,

    Thanks for your timely help.

