UnixTime

Research Note

ISO 27001 A.5.12 - Classification of Information

Information must be grouped by protection need so people know how carefully to handle it.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.”

Plain-language meaning

Information must be grouped by protection need so people know how carefully to handle it.

Classification is not decoration. It is a decision about required protection based on confidentiality, integrity, availability, business need, legal obligations, contractual commitments, and interested-party requirements.

Why this matters

Different information needs different treatment. A public brochure, payroll record, medical record, source code repository, and critical recovery procedure should not all be handled the same way.

Classification helps the organization decide:

  • who can access the information;
  • how it should be stored;
  • how it may be shared;
  • whether it needs encryption;
  • how it should be backed up;
  • how long it should be retained;
  • how it should be disposed of;
  • what labels or handling rules apply.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Define the classification scheme

The organization should write down the classification scheme and make it available to people who create, handle, approve, or receive information.

The scheme should be simple enough to use consistently.

Too many levels create confusion. Too few levels force over-classification or under-classification.

Example scheme:

Classification Plain meaning Example
Public Approved for public release Published website content
Internal Internal business use Internal procedures
Confidential Restricted to authorized roles Customer contracts, HR records
Highly confidential / regulated Highest sensitivity or legal control Medical records, identity documents, merger data

Use the organization’s real labels. There is no universal ISO classification label set.

2. Decide default classification rules

The organization should decide whether every information item must be actively classified or whether a default applies.

Examples:

  • all information defaults to Internal unless marked otherwise;
  • only sensitive information must be actively labelled;
  • client information follows the client’s classification scheme;
  • systems may be approved to process only certain classifications.

If the default is unclear, staff will guess.

3. Assign classification responsibility

The asset owner should normally be responsible for classification.

The owner should:

  • understand business value;
  • understand legal and contractual requirements;
  • classify the asset;
  • approve handling rules;
  • ensure classification is reviewed;
  • update classification when sensitivity changes.

This connects to A.5.9 Inventory of Information and Other Associated Assets.

4. Define handling requirements for each classification

Classification without handling rules is useless.

For each classification, define:

  • access control expectations;
  • storage locations;
  • transmission rules;
  • printing rules;
  • sharing and release approval;
  • retention;
  • disposal;
  • backup and recovery expectations;
  • labelling requirements.

5. Review and change classifications

Information sensitivity changes.

Examples:

  • financial results become public after announcement;
  • a project becomes less sensitive after launch;
  • records pass retention deadlines;
  • a client changes handling requirements;
  • legal or regulatory obligations change.

The scheme should allow review, upgrade, downgrade, expiry, or removal of classification where appropriate.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that the organization has a classification scheme, that it is implemented, and that it supports appropriate protection of in-scope information.

Audit tests:

  • review the classification scheme;
  • check whether definitions are clear and distinct;
  • sample assets from the inventory and confirm classification is assigned;
  • confirm handling requirements exist for each classification;
  • interview users to test understanding;
  • check whether asset owners participate in classification;
  • verify review, upgrade, downgrade, or expiry process;
  • test interaction with external classification schemes.

The auditor should reject vague schemes that sound good but do not drive handling behavior.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Classification policy or standard Classification scheme is documented
Handling matrix Classification drives controls
Asset inventory Assets have classification assigned
Owner approval records Asset owners classify or approve classification
Training records Staff understand labels and handling rules
Review records Classifications are maintained
External data handling agreement Client or third-party labels are interpreted
Sampled documents/data sets Classification is applied in practice

Strong evidence

  • Scheme has clear levels and definitions.
  • Handling requirements are defined for each level.
  • Asset owners assign or approve classification.
  • Asset inventory records classification.
  • Staff understand the labels.
  • Classification is reviewed and updated when sensitivity changes.
  • External classification schemes are mapped or interpreted.

Weak evidence

  • Labels exist but no one knows what they mean.
  • Too many levels with unclear differences.
  • Classification not recorded in the asset inventory.
  • All information marked confidential by default with no justification.
  • No process to downgrade stale information.
  • Client classification labels are accepted without interpretation.
  • Handling rules do not change across classifications.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Classification scheme too complex Users classify inconsistently
Classification scheme too vague Users guess or over-classify
No owner accountability Classification decisions lack business context
Labels not linked to handling Classification does not affect protection
No review process Stale classifications create cost or exposure
External schemes not mapped Misinterpretation causes mishandling

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • There is no universal ISO classification label set.
  • Classification is normally about information, not every asset type, although systems may be approved for certain classifications.
  • Classification must consider confidentiality, integrity, availability, and interested-party requirements.
  • Classification labels alone are not enough; handling rules are required.
  • Too many classification levels can weaken consistency.
  • The asset owner is responsible for classification decisions.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.12 requires information to be classified based on protection needs. A usable classification scheme has clear levels, clear definitions, owner accountability, handling requirements, review rules, and support for external classification schemes where relevant.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Classification
  • Information handling
  • Asset management
  • Audit

Note Metadata

Aliases: A.5.12, Classification of Information

Source: 02 Annex A Organizational Controls/A.5.12 Classification of Information.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

9

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.