Control 5.12 – Classification of Information

Control

Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

What this means

There needs to be a classification scheme implemented to protect information assets and this classification scheme should be documented and communicated to all staff and other relevant parties such as contractors, data processors etc.

When classifying documents the organisation needs to consider the confidentiality, integrity, and availability requirements in the classification scheme.

Try to keep the classification scheme simple and easy to explain.

We tend to use the following:

Public – items classified as public do not need to be labelled and include information such as the website content, social media posts, newsletters etc. The easy way to think of it is that if a piece of paper with information was left on the street it would not be damaging to the organisation.

Restricted – This classification is usually documents and information which is readily available within the business but you would not want it to be shared generally outside the organisation. There would be a significant short term impact on operations or reputational damage on the organisation if it was disclosed incorrectly. Company policies and procedures would fit into this category. Business intelligence about the operations of the business, financial forecasts etc may fit into this category depending on the size of the organisation and the structure. Some of this information may be made available to outside organisations on request such as terms and conditions and pricing.

Confidential – This is the highest level of classification. This classification would include documents and information which would cause significant harm, both reputationally and financially, to the organisation if it was shared publicly or inadvertently disclosed. The information is usually only accessible by specific personnel or departments. For example suppliers list in the finance department, marketing lists in the marketing department etc, staff information in HR. It may be password protected if transferred. There may be regulatory or legal implications if disclosed incorrectly.

When considering which classification to use for an asset, business needs for sharing, restricting, or ensuring integrity and availability of information should be considered as well as any legal requirements concerning confidentiality, integrity, or availability.

If you are sharing information with another organisation there should be a clear understanding of the classification of information shared, so that the continued handling of the information based on the classification is correct.

If you want to talk about information security in your organisation then please book a free call here or email us here