ISO 27001 Annex A Control 5.12

ISO 27001 control 5.12 Classification of information

The basics

ISO 27001 control A.5.12 Classification of information requires companies to classify information according to its information security needs and the relevant business requirements, in order to distinguish information that is more sensitive from information that is less sensitive.

Documentation

ISO 27001 control A.5.12 Classification of information can be documented by writing a Classification Policy.

This policy is not a mandatory document but is recommended for mid-sized and larger companies.

Implementation

In order to comply with control A.5.12 Classification of information you might implement the following:

  • Technology — the technology needed to classify information will in most cases already be available in the company. Companies of all sizes will probably be able to classify documents using office applications (e.g., text processors or spreadsheets), or classify data and applications using existing software.
  • Organization/processes — you should set up a process for defining who is in charge of classifying the information, which classification scheme must be used, and which criteria must be used for the classification. You can document those processes through an Information Classification Policy.
  • People — make employees aware of why information classification is needed, and train them on which classification scheme to use.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.12 Classification of information: whether all data, documents, and applications are classified according to your policies, procedures, or other internal rules.