ISO 27001:2022 A 5.12 Classification of information, A 5.13 Labeling of information

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given. Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it.Data Classification or Information Classification is the process of classifying corporate information into significant categories to ensure critical data is protected. For example, financial files within an organization should not be kept together with files from the public relations department. Instead, they should be maintained in separate folders, which are accessible only by individuals who are entitled to working with each kind of data. Thus, the stored information stays safe and can be easily accessed when needed. A typical system contains four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions. For example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive. However, they shouldn’t have access to other types of sensitive information, such as financial records. You just need to follow simple steps.

  1. Enter your assets into an inventory
    The first step is to collate all your information into an inventory (or asset register). You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).
  2. Classification
    Next, you need to classify the information. Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organisation’s ISMS risk assessment. Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case. There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if it’s confidentiality is compromised, but the organisation must make it widely available in order to function.
  3. Labeling
    Once you’ve classified your information, the asset owner must create a system for labeling it. You’ll need different processes for information that’s stored digitally and physically, but it should be consistent and clear. For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document. For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.

A 5.12 Classification of information


Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.


To ensure identification and understanding of protection needs of information in accordance with its importance to the organization.

ISO 27002 Implementation Guidance

The organization should establish a topic-specific policy on information classification and communicate it to all relevant interested parties. The organization should take into account requirements for confidentiality, integrity and availability in the classification scheme. Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, for protecting integrity of information and for assuring
availability, as well as legal requirements concerning the confidentiality, integrity or availability of the information. Assets other than information can also be classified in compliance with classification of information, which is stored in, processed by or otherwise handled or protected by the asset. Owners of information should be accountable for their classification. The classification scheme should include conventions for classification and criteria for review of the classification over time. Results of classification should be updated in accordance with changes of the value, sensitivity and criticality of information through their life cycle. The scheme should be aligned to the topic-specific policy on access control and should be able to address specific business needs of the organization. The classification can be determined by the level of impact that the information’s compromise would have for the organization. Each level defined in the scheme should be given a name that makes sense in the context of the classification scheme’s application.
The scheme should be consistent across the whole organization and included in its procedures so that everyone classifies information and applicable other associated assets in the same way. In this manner, everyone has a common understanding of protection requirements and applies appropriate protection. The classification scheme used within the organization can be different from the schemes used by other organizations, even if the names for levels are similar. In addition, information moving between organizations can vary in classification depending on its context in each organization, even if their classification schemes are identical. Therefore, agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification levels from other organizations. Correspondence between different schemes can be determined by looking for equivalence in the associated handling and protection methods.

Other information

Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls. Information can cease to be sensitive or critical after a certain period of time. For example, when the information has been made public, it no longer has confidentiality requirements but can still require protection for its integrity and availability properties. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or, on the contrary, under-classification can lead to insufficient controls to protect the information from compromise. As an example, an information confidentiality classification scheme can be based on four levels as follows:

a) disclosure causes no harm;
b) disclosure causes minor reputation damage or minor operational impact;
c) disclosure has a significant short-term impact on operations or business objectives;
d) disclosure has a serious impact on long term business objectives or puts the survival of the organization at risk

A 5.13 Labeling of information


An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization.


To facilitate the communication of classification of information and support automation of information processing and management.

ISO 27002 Implementation Guidance

Procedures for information labeling should cover information and other associated assets in all formats. The labeling should reflect the classification scheme established in 5.12. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of storage media. The procedures can define:

  1. cases where labeling is omitted (e.g. labeling of non-confidential information to reduce workloads);
  2. how to label information sent by or stored on electronic or physical means, or any other format;
  3. how to handle cases where labeling is not possible (e.g. due to technical restrictions).

Examples of labeling techniques include:

  1. physical labels;
  2. headers and footers;
  3. metadata;
  4. watermarking;
  5. rubber-stamps.

Digital information should utilize metadata in order to identify, manage and control information, especially with regard to confidentiality. Metadata should also enable efficient and correct searching for information. Metadata should facilitate systems to interact and make decisions based on the associated classification labels. The procedures should describe how to attach metadata to information, what labels to use and how data should be handled, in line with the organization’s information model and ICT architecture. Relevant additional metadata should be added by systems when they process information depending on its information security properties. Personnel and other interested parties should be made aware of labeling procedures. All personnel should be provided with the necessary training to ensure that information is correctly labelled and handled accordingly. Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

Other information

Labeling of classified information is a key requirement for information sharing. Other useful metadata that can be attached to the information is which organizational process created the information and at what time. Labeling of information and other associated assets can sometimes have negative effects. Classified assets can be easier to identify by malicious actors for potential misuse. Some systems do not label individual files or database records with their classification but protect all information at the highest level of classification of any of the information that it contains or is permitted to contain. It is usual in such systems to determine and then label information when it is exported.

Businesses handle vast amounts of data every day – customer information, invoice records, order history, email lists, user data in software — the list goes on. However, not all data is equally important, and some pieces will require more protection than others. Such sensitive and important information needs to be protected from vulnerabilities to security threats. That is why information classification is so important. It helps to determine which information needs special protection and how to label and classify your data.A well-planned data classification system makes important information easy to manipulate and track, besides making data easier to locate and retrieve. The most common reasons why information classification is of particular importance are:

  1. Efficiency – on a basic level, businesses that have their information classified are able to manage and deliver day-to-day operations more efficiently. Data can be easily located and retrieved; changes easily traced.
  2. Security – protecting sensitive information is the main idea behind information classification. It is a useful tactic to classify information in order to facilitate appropriate security responses according to the type of information being retrieved, transmitted, or copied. Data encryption, data storage in safe servers with strong firewalls, and compliance with data protection standards can help immensely to protect against outside threats. Besides, there can be inside threats that are equally dangerous – like intentional data theft, accidental data breaches. Hence it is very important to restrict information and prevent threats.
  3. Safety – information classification helps create security awareness throughout the organization. The responsibility of protection of information lies with everyone handling the information. The system ensures that employees understand the value of the information they work with and safeguard that information.
  4. Compliance – information classification in information security helps organizations label information as sensitive, protect it against threats, and help comply with regulations . Organizations can easily implement standards to classify information.

To implement a robust classification of information scheme, organisations should adopt a topic-specific approach, understand each business unit’s needs for information, and determine the level of sensitivity and criticality of information. The organisations must take into account the the following seven criteria when implementing a classification scheme:

  • Establish a topic-specific policy and address the specific business needs. The classification scheme and levels should take specific business needs into account.
  • Take into account business needs for sharing and use of information and the need for availability. If you assign an information asset to a classification category that is unnecessarily higher, this may bring the risk of disruption to your critical business functions by restricting access to and use of information. Therefore, you should strive to find a balance between your specific business needs for availability and use of information and the requirements for confidentiality and integrity of that information.
  • Consider legal obligations. Some laws may impose stricter obligations on you to ensure confidentiality, integrity and availability of information. When assigning information assets to categories, legal obligations should take priority over your own classification.
  • Take a risk-based approach and consider the potential impact of a compromise. Each type of information has a different level of criticality to each business’s operations and has a different level of sensitivity depending on the context. In implementing classification of information scheme, organisations should ask what impact would the compromise of integrity, availability and confidentiality of this information have on the organisation? For instance, databases of professional email addresses of qualified leads and health records of employees widely differ in terms of the level of sensitivity and the potential impact.
  • Regularly review and update the classification. The value, criticality and sensitivity of information is not static and can change throughout the life cycle of the information. Therefore, you need to regularly review each classification and make necessary updates. As an example of such change, the disclosure of information to the public, which greatly reduces the value and sensitivity of information.
  • Consult with other organisations you share information with and address any differences.There is no one way to classify information and each organisation can have different names, levels and criteria when it comes to classification of information schemes. These differences may lead to risks when the two organisations exchange information assets with each other. Therefore, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.
  • Organisational-level consistency. Each department within the organisation should have a common understanding of classification levels and procedures so that classifications are consistent across the entire organisation.

The valuable data every organization needs to be protected commensurate with how it is classified. Customers, employees, and vendors entrust the organization with a given data set and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given. To do this, each organization has to govern the data it uses so that it will be received, made, used, stored, shared, or destroyed in a purposeful manner that recognizes the pact to protect data in its’s daily mission. Areas to consider in a data governance program include:

  • Sensitivity Level. An Organization should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set.
  • Retention Period. Consistent with records management practices, an organization needs to be aware of the period in which data is to be retained, to assure that data’s availability and integrity for that retention period.
  • Data Utilization. In every part of an organization that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging, and auditing.
  • Data Back-up. How an Organization creates back-up copies of data and software is a critical element. Procedures need to be in the place that memorializes and verify the implementation and inventory of back-up copies.
  • Management of Storage Media. Processes to ensure proper management of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
  • Electronic Data Transfers.
  • Disposal of Media.

Information assets may not be equally important, nor equally sensitive or confidential in nature, nor require the same care in handling. One common method of ascertaining the importance of assets is data classification. Information assets should be classified according to their need for security protection and labeled accordingly. To begin to start with federal or state laws, regulations, rules, or institutional policies that require certain information assets to be protected. Pick a classification metric. Keep it simple. You may want to use something like (lowest to highest)

Public,Internal, Restricted, Confidential

Different assets have different impacts on the continuity and reputation of the organization. Once you have determined the importance of your various organizational assets, you can begin the process of determining how best to protect them. Many methods are employed to protect assets, ranging from policies to technical security controls. Additionally, assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage. Protection measures range from addressing purchasing controls to managing access by appropriate personnel to ensuring adequate physical security for assets throughout their lifetime.Some organization has established Data Stewardship policies to help ensure responsibilities for protecting data are effectively accomplished. Other organizations conduct regular security assessments of assets considered to be critical for the functioning of an organization. They may also address asset protection through physical security measures, or through background checks for newly hired and continuing personnel.

Labeling of information

Labeling of Information is a procedure that enables organisations to put their information classification scheme into practice by attaching classification labels to relevant information assets. Once you have your classification scheme in place you are going to then label information and assets accordingly. You are going to have to

  • Implement procedures for information labelling
  • Cover information and other associated assets in all formats

It is good practice to consider where labeling is omitted such as the case of non confidential information so that we can reduce the workload on people. The procedures that you write should give guidance on where and how labels are attached and the different types of storage media. You will look at how to label information sent by or stored on physical, electronic and because the standard likes to catch everything, on what it helpfully calls ‘any other format’. Nothing like future proofing for the unknowns. Of course there may be situations where labeling is not possible, and this is fine, as long as you have covered how to handle those cases. How you handle it may be to tag it with meta data or put in place some other compensating controls such as having an exception list and managing it via risk management. When you have your labeling processes and procedures you are going to train staff on how to use and follow them and be able to evidence that you did so.

Control 5.13 addresses how organisations should develop, implement and manage a robust information labeling procedure based on the classification scheme adopted through Control 5.12. It identifies four specific steps that organisations should implement to carry out labeling of information..

1) Develop and implement an Information Labeling Procedure
Organisations should develop an organisation-wide Information Labeling Procedure that adheres to the information classification scheme created in accordance with Control 5.12. Furthermore, 5.13 requires that this Procedure be extended to all information assets, regardless of whether it is in digital or paper format and that the labels must be easy to recognize. While there is no limit to what this Procedure document can contain, the Control 5.13 states that the Procedures should at least include the following:

  • Description of the methods to attach labels to information assets depending on the storage medium and how the data is accessed.
  • Where the labels are to be attached for each type of information asset.
  • Which information assets will not be labelled, if any. For instance, an organisation may omit labelling public data to streamline the information labeling process.
  • Description of measures for cases where it is not possible to label certain types of information due to technical, legal or contractual limitations.
  • The rules on how the labeling of information transmitted to internal or external parties should be handled.
  • For digital assets, the Procedure must explain how the metadata should be inserted.
  • Names of labels to be used for all assets.

2) Provide Adequate Training to Staff on How to Adhere to the Labeling Procedure
The Procedure for labeling of Information can be effective only to the extent that Personnel and other relevant stakeholders are well-informed about how to correctly label information and how to deal with labelled information assets.Therefore, organisations should provide staff and other relevant parties with training on the Procedure.

3)Use Metadata for Labeling of Digital Information Assets
Control 5.13 requires the use of metadata for labeling of digital information assets.Furthermore, it notes that the metadata should be deployed in a way that makes it easy and efficient to identify and search for information and also in a way that streamlines the decision-making process between systems related to labelled information.

4) Take Extra Measures to Label Sensitive Data That May Outflow of the System
Considering the risks involved in outward transfer of sensitive data from systems, 5.13 recommends organisations to label these information assets with those most appropriate to the level of criticality and sensitivity of the information concerned.

Examples of labelling techniques can include:

  • Headers and footers
  • Physical Labels
  • Watermarks
  • Rubber Stamps
  • Metadata

Now the standard starts to stray into implementation territory with its guidance on metadata. Metadata has its place but we have to look at the appropriateness of the control to our risk and our organisation. Remember that the annex controls are guidance for consideration and you do not HAVE to implement them, only consider them, so if metadata is not appropriate for you that is fine, just note it down and manage it via your risk management process, accepting the risk. Where it does apply and makes sense then you are looking at metadata to identify, manage and control information, especially in relation to confidentiality. It can help if it also makes it more efficient for searching for information but you can see here how the standard starts to tell you what to do not what is expected of you. Metadata searching for example is going to be reliant on specific technologies and implementations. If you are using metadata then your procedures are going to describe how to attach metadata to information, what labels to use and how data should be handled.

Your Organization may already have property control of assets where items over a certain dollar amount are automatically tagged with a unique, usually numeric, identifier by Property Control. If not, create one yourself. Use your newly created inventory of assets to assign a unique identifier to each one. Prepare labels that are easy to recognize and sturdy, and attach them to a visible place on the equipment. Make sure you clarify when labels should not be used on equipment. This could be based on the dollar amount or the level of risk you’ve assigned to the asset. Information needs labeling as well. Develop your information labeling procedures based on the data classification schema you developed previously. Metadata is a common type of information label. Do be careful how you manage the information you may have labeled as restricted or confidential. Because of the labeling, be careful how you manage restricted/sensitive or confidential information. It is much easier to steal or misuse when the assets are easy to identify.

Information classifications and labeling help prioritize data protection efforts to increase data security and regulatory compliance. Among its benefits are improved user productivity and decision making and reduced costs by eliminating data that’s not needed.

  • Rediscovery of business – Identification of information is the beginning step in Information classification. Organizations, therefore, need to actively discover information that is generated, stored, and accessed by departments within the organization. This information discovery basically leads to rediscovering the business. This allows decision-makers to review how information is empowering the business or possibly functioning ineffectively.
  • Raises awareness of cyber risk – Information security teams connect face to face with business owners to discuss information security and how it could impact their business. Thus, owners have a direct contact point where to reach if they have questions or need help regarding managing cyber risks or incidents. Awareness of cyber threats and information security management rises to realistic levels, prompting the issue to be discussed and accepted at all levels throughout the organization.
  • Optimize risk and resources – defining information classification improves risk and information classification resources, leading to efficient and effective protection of information. By classifying data based on sensitivity and level of business impact, businesses are informing which information must be protected with high priority, thereby deciding where to spend the information security budgets.
  • Limit dissemination – well-defined information classification is controlled by laws and regulations, thereby allowing businesses to restrict their dissemination on a need-to-know basis. This reduces the chances of data theft or loss, which helps to minimize penalties charged due to non-compliance.

Leave a Reply