April 30, 2024

ISO 27001:2022 Annex A Control 5.12: Classification of Information

Annex A control 5.12 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 8.2.1.


Classifying information is a fundamental process that allows organisations to group their assets into relevant categories based on their level of sensitivity and required protection levels. As stated in Annex A 5.12, information needs to be classified based on criteria such as legal requirements, criticality and sensitivity.

Any classification should be reflective of the specific business activity of the organisation without impeding or complicating it. Information designed for public consumption should be marked as such, while sensitive data must be subject to a higher level of security.

This is the purpose of Annex A 5.12 – to ensure that organisational assets are protected by the correct classification of information.

Why is Annex A 5.12 important?

This annex is a preventative control designed to help organisations more easily identify risks by determining the correct level of protection for each information asset, based on factors like importance and sensitivity.

Annex A 5.12 cautions against both over-classification and under-classification of information. Businesses must consider availability, confidentiality and integrity when assigning assets to their respective categories. This helps to ensure that the classification scheme balances the need to use information with the security requirements that protect it.

Taking responsibility

It is the responsibility of the asset owners to make sure that the classification scheme is implemented correctly. Annex A 5.12 holds those who own pertinent information assets accountable, asking asset owners to consider the business needs and the potential impact if the information were compromised.

To implement the Annex successfully, organisations need to take a topical approach, considering each business unit’s specific information needs, and evaluating the level of sensitivity and criticality.

The criteria of Annex A 5.12

Annex A Control 5.12 sets out key criteria that organisations should follow when implementing a classification scheme. These are:

Establishing a topic-specific policy and addressing specific business needs

The Annex requires organisations to adopt topic-specific policies, and the classification scheme and its levels should account for specific business needs when classifying information assets.

Organisations must balance their specific business needs for the availability and use of data with the requirement for maintaining security and confidentiality.

Considering legal obligations

Certain laws may require organisations to emphasise safeguarding the integrity, confidentiality, and availability of information. As such, legal obligations must be prioritised over the organisation’s internal classification when categorising assets.

A risk-based approach allows businesses to assess the potential impact of a security breach or compromise on information assets. This allows for security measures to be prioritised.

Regularly updating and reviewing the classification

Control 5.12 recognises that the value, importance, and sensitivity of information can change over time, and organisations need to review their classifications regularly to make any necessary updates.

It is also essential to consult with other organisations to share information and resolve any disparities.

Recognising the distinct levels, standards, and terminology used by different organisations

Organisations may classify information differently, which can create risks when information is exchanged between them. As such, organisations have a responsibility to collaborate and establish uniformity in information classification. This helps to promote a consistent interpretation of classification levels.

Organisational consistency

Every department must have a shared understanding of the classification levels and protocols used, in order to ensure uniformity of classifications across the entire organisation.

Implementing the right classification system

Of course, there isn’t a one-size-fits-all classification system that can be applied to every organisation’s specific needs. Organisations have the flexibility to establish and define the classification levels that work for their requirements. However, Annex A 5.12 illustrates that an effective classification scheme separates information into levels according to whether:

  • Disclosure causes no harm.
  • Disclosure causes minor reputational damage or minor operational impact.
  • Disclosure has a significant short-term impact on operations or business objectives.
  • Disclosure seriously impacts long-term business objectives or risks the organisation’s survival.

How has control 5.12 changed from ISO 27001:2013?

In the previous version of ISO 27001, there was no mention of the need for consistency in classification systems when information is shared between organisations. ISO 27001:2022 stipulates that organisations collaborate with their counterparts to ensure uniformity in the classification and understanding of information assets.

The updated version of the standard also explicitly requires organisations to develop policies tailored to specific topics.
