Data classification is one of the most fascinating and perplexing problems in the study of information security management. Classifying data has been practised for a long time, so it was probably the earliest aspect of information security to be formally managed. Governments, militaries, and private companies have been applying secrecy classifications to their data since long before the advent of computers.

ISO 27001 provides a roadmap for organizing and protecting sensitive information in four steps:

  1. Entering the asset in the Inventory of Assets.
  2. Classification of information.
  3. Information labelling.
  4. Information handling.

This means that: (1) the information should be added to the Inventory of Assets (control 8.1.1 of ISO 27001), (2) it should be classified (control 8.2.1), (3) it should be labelled (control 8.2.2), and (4) it should be handled in a safe way (control 8.2.3).

Most companies will make an Information Classification Policy, which should explain all four steps for classifying information. See the text below for each of these steps.

Asset inventory (Asset register)

Most people think of items like laptops and servers when information assets are discussed. You will also need to consider many other things, though. Your asset inventory can include people, intellectual property, and intangible assets such as your company’s brand.

What should be included in an ISO 27001 asset inventory?

  • Information (or data)
  • Intangibles, including trademarks, brands, and reputation
  • People – Employees, contract workers, volunteers, etc.
  • Physical assets related to infrastructure and processing
  • Hardware – computers, servers, workstations, networks, mobile devices, etc.
  • Software – Off-the-shelf or custom software
  • Services – The basic services offered to customers (e.g. database systems, email, etc.)
  • Sites, buildings, offices, and other locations

After creating your asset inventory, your next step is to complete the following three exercises:

  • Filtering
  • Prioritization
  • Categorization

You can see a typical asset inventory below.

Defining classification levels

Data, printed material and email attachments should all be classified to ensure security. Defining classification levels helps organizations secure sensitive assets: classifying information assets and defining the security requirements for each level helps prevent unauthorized access to sensitive data.

Information assets should be classified according to their business value, legal requirements, sensitivity, and criticality to the organization; in short, by sensitivity and value.

The Asset Management Policy should document the number of classification tiers, and your organization should also describe each tier. For example:

The following four classification levels apply to classified information:

  1. Public – Disclosure does not cause harm.
  2. Internal-only – Disclosure embarrasses the organization.
  3. Confidential – Exposure will likely affect operations or tactical goals in the short term.
  4. Restricted – Exposure threatens long-term strategic goals and organizational survival.

The CIA triad can be used as a data classification framework, with each aspect of the triad (confidentiality, integrity, availability) contributing to the classification level.

Data classification can consider other factors such as regulatory compliance, legal requirements, and business needs in addition to confidentiality, integrity, and availability when determining the data classification level.

Information labelling

Procedures for labelling information need to cover both physical and digital information, as well as the assets associated with it. The labels follow the classification scheme in A.8.2.1 and should be easy to recognize. The procedures tell people where and how to apply labels, depending on the media type, on how the information is accessed or how the assets are handled.

The process of attaching labels or metadata to information to indicate its level of sensitivity and the level of protection required is known as information labelling. Labels indicate the level of confidentiality, integrity, and availability of information and can take the form of text, symbols, or colours.

The standard requires organizations to develop an information labelling policy that outlines the various levels of classification and the specific labels for each level. The policy should also outline the procedures for applying and removing labels and the roles and responsibilities of individuals and groups when dealing with information labelled with different labels.

Procedures should also identify cases where labelling can be omitted, such as non-confidential information, to reduce workload. The labelling process should be clear to both employees and contractors. Sensitive or critical information should be marked with the correct classification label when it is output from a system.

Classified information must be labelled before information-sharing agreements can be made. Physical labels and metadata are the most common types of labels. Note that labelling information and its associated assets can sometimes have negative effects.

Information labeling in Office 365 is a feature that allows users to categorize and protect sensitive information within the Office 365 environment. It can be used to apply labels to emails, documents, and other types of files stored in Office 365, such as OneDrive and SharePoint.

Labels can be applied to files and emails by selecting them and then selecting a label from a predefined list. These labels can be used to indicate the level of sensitivity of the information, such as Confidential, Private, or Public. Once a label is applied, Office 365 can automatically apply security measures such as encryption or access controls to protect the information.

In addition to manual labeling, Office 365 includes automatic labeling capabilities, which can be used to automatically classify and protect information based on predefined rules and conditions. For example, a company can set up a rule that automatically adds a Confidential label to any email that contains a social security number.

Information labeling in Office 365 is an important aspect of protecting sensitive information, and it assists organizations in complying with data protection regulations and industry standards such as ISO 27001. It enables organizations to implement security measures such as encryption, access controls, and data loss prevention, which help to protect sensitive information from unauthorized access or disclosure.
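As an added illustration (not the post’s own code, and not the Office 365 feature itself), the following Python stand-in shows how rule-based automatic labelling maps content onto the four tiers defined earlier in the post, using the post’s own rule that a social security number implies Confidential. The other two rules, the per-tier handling controls, and the policy that a manual label is merged by taking the more sensitive of the two are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The four classification tiers from the post, least to most sensitive.
TIERS = ["Public", "Internal-only", "Confidential", "Restricted"]

# Protective measures triggered once a label is applied.
# Constructed mapping for this example; a real policy defines its own.
HANDLING = {
    "Public": set(),
    "Internal-only": {"access-control"},
    "Confidential": {"access-control", "encryption"},
    "Restricted": {"access-control", "encryption", "dlp-block-external"},
}

# Detection rules: (name, pattern, tier the match implies).
# The SSN rule is the post's example; the other two are constructed.
# The SSN pattern rejects structurally invalid numbers (area 000, 666,
# 900-999; group 00; serial 0000) to cut false positives.
RULES = [
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
     "Confidential"),
    ("internal-marker", re.compile(r"\bINTERNAL USE ONLY\b", re.IGNORECASE),
     "Internal-only"),
    ("project-codename", re.compile(r"\bProject\s+Atlas\b"), "Restricted"),
]


@dataclass
class LabelDecision:
    label: str
    matched_rules: list
    handling: set


def classify(text: str, manual_label: Optional[str] = None) -> LabelDecision:
    """Pick the most sensitive tier implied by any matching rule.

    A user-applied manual label is merged in the same way, so automatic
    labelling can raise a manual label but never lower it (assumed policy).
    """
    matched = [name for name, pattern, _ in RULES if pattern.search(text)]
    implied = [tier for name, _, tier in RULES if name in matched]
    if manual_label is not None:
        if manual_label not in TIERS:
            raise ValueError(f"unknown label: {manual_label}")
        implied.append(manual_label)
    label = max(implied, key=TIERS.index, default="Public")
    return LabelDecision(label, matched, HANDLING[label])


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    for sample in ("Lunch menu for Friday",
                   "Please send the form; my SSN is 123-45-6789."):
        print(classify(sample))
```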
Read more about O365 tagging here

Handling of assets

Asset handling procedures must be created and implemented in line with the information classification scheme. Access restrictions should be considered for each classification level. A formal record of authorisation should be kept, IT assets should be stored according to manufacturer specifications, and media should be labelled for authorised users.

Handling of assets refers to the organisation’s procedures for managing and maintaining its physical and digital assets. This includes equipment, property, software, data, and other resources critical to the organisation. Assets should be handled with care to ensure that they are properly protected, maintained, accounted for, and used efficiently and effectively. Regular inspections, maintenance schedules, and inventory management are examples of this.

For example, a company may have a policy requiring all computers to be checked and repaired every six months to ensure proper operation. This is a method of managing the company’s assets to prevent them from breaking down and causing problems.

In layman’s terms, asset management is managing and maintaining an organization’s assets to ensure they are in good condition and used efficiently.

Adopting the principles of ISO 27001 data classification helps to create a culture of security and accountability in any organization. By putting data protection first, we can reduce the risk of data breaches and make sure that the business runs safely and securely.

You can read my other post about risk management here.