The term information classification may seem to have an obvious definition — how information is classified in a system. However, there are some complexities to this process, especially regarding data security and regulations around access to the information. It is important for IT administrators and business managers to understand compliance rules and regulations, industry best practices, and the best approach to security and assigning access rights within the organization. Information classification refers to how data is grouped in an organization’s computer system, often using a database structure. This means, for example, that data from the marketing department does not mix with data from the HR department. If these files were stored without any organization, they would be difficult to find later. Using this type of data storage allows you to restrict access to certain groups of information only to those who need it. For example, you may have certain files that the financial manager needs to access, but a new, entry-level accountant does not. This type of restriction also protects your organization’s data from breaches or hackers.
ISO 27001 compliance
An organization will classify its information based on who needs to access it. Most systems use four levels of authorization:
- Confidential: It is only for senior management.
- Restricted: Most employees have access, but some may not.
- Internal: All employees have access; no one outside can access it.
- Public: Everyone has access, including those not working with the organization.
There are often subcategories or different levels in larger organizations, and different companies may use different names for these access levels. Organizations that take data access and protection seriously will use the Information and Security Management System (ISMS) Standard, ISO 27001 Compliance, for their databases.
This international standard is recommended by regulatory bodies all over the world as the best practices to protect digital data within organizations. ISO/IEC 20071:2013, usually referred to as simply ISO27001, specifies how ISMSs should be managed. The latest version of this standard was published in September 2013, updating the 2005 guidance.
ISO 27001:2013 steps
ISO 27001 has 10 management system clauses to support implementation of an ISMS. These are as follows:
- Normative References
- Terms and Definitions
- Planning and Risk Management
- Performance Evaluation
Implementing an ISMS with ISO 27001 compliance includes:
- Scoping the project, which involves auditing systems and finding problem areas that need to be addressed.
- Securing commitment from management, along with the budget to implement new standards.
- Identifying interested parties and contractual requirements, especially legal and regulatory standards.
- Conducting a risk assessment.
- Reviewing and implementing the required controls.
- Developing internal competence to manage this project, which might require specific training, finding contractors, or hiring some new staff.
- Documenting each step and how to manage the system.
- Conducting staff awareness training.
- Reporting information, especially to help evaluate the risk assessment plan.
- Implementing ongoing monitoring, measuring, and auditing of the ISMS to ensure compliance.
- Implementing any preventative and corrective measures needed.
Information classification clause A8.2 compliance
Standards for information classification are in Clause A8.2 of ISO 27001. This standard includes the following steps to meet compliance:
- Enter your assets into an inventory. Collate all your information into an inventory or asset register. This should be a new inventory, not using the previous version. While you enter these assets, note who owns or is responsible for each asset and what format it is in, including hard copies and print media.
- Classify. Once you have gathered all the information, begin to classify it. This might involve guidelines from senior management based on the risk assessment. For example, information with bigger risks usually requires a higher level of confidentiality, but there may be exceptions.
- Label. Once information has been classified, you need to create a system for labelling. This should be clear and consistent, although there may be different standards for digital documents compared to hard copies. It might be important to make sure these are cross-referenced.
- Create handling rules. After labelling is complete, establish rules to protect each piece of information based on the format and classification. Sensitive documents might have tight restrictions on their access, while old paper files may be stored in an unlocked filing cabinet, as they are public information.
Why is information classification compliance important?
Securing your data against breaches and other cyber threats is more important than ever. With more office workers working from home and accessing their data remotely from multiple devices, understanding where data belongs and who should have access to it is a crucial component of keeping your organization secure against threats. Once a database structure is in place with specific permissions, and the system has been documented properly for everyone in the organization to access and understand the process, you can monitor access to notice potential breaches, find weak points that might become breaches, and implement security measures to keep data safe. Following ISO 27001 compliance guidelines also makes it easier to implement other security standards based on government regulations or industry guidelines. Some of these regulations may include the following:
- HIPAA compliance for health care organizations
- GDPR compliance for the personal data of citizens of the European Union
- PCI compliance, which helps to classify the sensitivity of data
- SOC 2 compliance for service organizations that maintain confidential information
Cloud storage solutions are cheap, and many organizations are moving to this type of data storage as a solution to internal needs. However, cloud storage means your information is sequestered on a server with others’ information, so it is even more important to develop strong information classification systems to monitor potential security threats.
Information Classification – Why It Matters? PECB University.
ISO 27001, the International Information Security Standard. ITGovernance.co.uk.
ISO/IEC 27001:2013(en). (October 2013). ISO.
How to Document the Scope of Your ISO 27001 ISMS – With Template. (December 2019). ITGovernance.co.uk.
What is ISO 27001 Information Classification? (February 2019). ITGovernance.co.uk.