Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.”
Plain-language meaning
Information must be grouped by protection need so people know how carefully to handle it.
Classification is not decoration. It is a decision about required protection based on confidentiality, integrity, availability, business need, legal obligations, contractual commitments, and interested-party requirements.
Why this matters
Different information needs different treatment. A public brochure, payroll record, medical record, source code repository, and critical recovery procedure should not all be handled the same way.
Classification helps the organization decide:
- who can access the information;
- how it should be stored;
- how it may be shared;
- whether it needs encryption;
- how it should be backed up;
- how long it should be retained;
- how it should be disposed of;
- what labels or handling rules apply.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define the classification scheme
The organization should write down the classification scheme and make it available to people who create, handle, approve, or receive information.
The scheme should be simple enough to use consistently.
Too many levels create confusion. Too few levels force over-classification or under-classification.
Example scheme:
| Classification | Plain meaning | Example |
|---|---|---|
| Public | Approved for public release | Published website content |
| Internal | Internal business use | Internal procedures |
| Confidential | Restricted to authorized roles | Customer contracts, HR records |
| Highly confidential / regulated | Highest sensitivity or legal control | Medical records, identity documents, merger data |
Use the organization’s real labels. There is no universal ISO classification label set.
2. Decide default classification rules
The organization should decide whether every information item must be actively classified or whether a default applies.
Examples:
- all information defaults to Internal unless marked otherwise;
- only sensitive information must be actively labelled;
- client information follows the client’s classification scheme;
- systems may be approved to process only certain classifications.
If the default is unclear, staff will guess.
3. Assign classification responsibility
The asset owner should normally be responsible for classification.
The owner should:
- understand business value;
- understand legal and contractual requirements;
- classify the asset;
- approve handling rules;
- ensure classification is reviewed;
- update classification when sensitivity changes.
This connects to A.5.9 Inventory of Information and Other Associated Assets.
4. Define handling requirements for each classification
Classification without handling rules is useless.
For each classification, define:
- access control expectations;
- storage locations;
- transmission rules;
- printing rules;
- sharing and release approval;
- retention;
- disposal;
- backup and recovery expectations;
- labelling requirements.
5. Review and change classifications
Information sensitivity changes.
Examples:
- financial results become public after announcement;
- a project becomes less sensitive after launch;
- records pass retention deadlines;
- a client changes handling requirements;
- legal or regulatory obligations change.
The scheme should allow review, upgrade, downgrade, expiry, or removal of classification where appropriate.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that the organization has a classification scheme, that it is implemented, and that it supports appropriate protection of in-scope information.
Audit tests:
- review the classification scheme;
- check whether definitions are clear and distinct;
- sample assets from the inventory and confirm classification is assigned;
- confirm handling requirements exist for each classification;
- interview users to test understanding;
- check whether asset owners participate in classification;
- verify review, upgrade, downgrade, or expiry process;
- test interaction with external classification schemes.
The auditor should reject vague schemes that sound good but do not drive handling behavior.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Classification policy or standard | Classification scheme is documented |
| Handling matrix | Classification drives controls |
| Asset inventory | Assets have classification assigned |
| Owner approval records | Asset owners classify or approve classification |
| Training records | Staff understand labels and handling rules |
| Review records | Classifications are maintained |
| External data handling agreement | Client or third-party labels are interpreted |
| Sampled documents/data sets | Classification is applied in practice |
Strong evidence
- Scheme has clear levels and definitions.
- Handling requirements are defined for each level.
- Asset owners assign or approve classification.
- Asset inventory records classification.
- Staff understand the labels.
- Classification is reviewed and updated when sensitivity changes.
- External classification schemes are mapped or interpreted.
Weak evidence
- Labels exist but no one knows what they mean.
- Too many levels with unclear differences.
- Classification not recorded in the asset inventory.
- All information marked confidential by default with no justification.
- No process to downgrade stale information.
- Client classification labels are accepted without interpretation.
- Handling rules do not change across classifications.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Classification scheme too complex | Users classify inconsistently |
| Classification scheme too vague | Users guess or over-classify |
| No owner accountability | Classification decisions lack business context |
| Labels not linked to handling | Classification does not affect protection |
| No review process | Stale classifications create cost or exposure |
| External schemes not mapped | Misinterpretation causes mishandling |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- There is no universal ISO classification label set.
- Classification is normally about information, not every asset type, although systems may be approved for certain classifications.
- Classification must consider confidentiality, integrity, availability, and interested-party requirements.
- Classification labels alone are not enough; handling rules are required.
- Too many classification levels can weaken consistency.
- The asset owner is responsible for classification decisions.
Related controls and concepts
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.13 Labelling of Information
- Information and Associated Asset Inventory
- Risk Assessment
- Statement of Applicability
- Internal Audit
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.12 requires information to be classified based on protection needs. A usable classification scheme has clear levels, clear definitions, owner accountability, handling requirements, review rules, and support for external classification schemes where relevant.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Classification
- Information handling
- Asset management
- Audit
Note Metadata
Aliases: A.5.12, Classification of Information
Source: 02 Annex A Organizational Controls/A.5.12 Classification of Information.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
9
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Internal Audit
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.5.12 Audit Evidence Pack
- A.5.13 Audit Evidence Pack
- AQ-ISO27001-A.5.12 Classification of Information
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.3 - Information Access Restriction
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.12 Classification of Information
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.12 Audit Checklist
- Access Control Matrix
- Clear Desk and Clear Screen Checklist
- Confidentiality Agreement Register
- DLP Scope and Rule Register
- Information Access Rule Matrix
- Information and Associated Asset Inventory
- Information Classification and Handling Matrix
- Office Room and Facility Security Assessment
- Remote Working Risk Assessment
- Storage Media Handling Procedure
- Annex A Controls MOC