When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to define classification levels, handling rules, labelling expectations, owner responsibilities, and review rules for information assets.
Classification matrix
| Classification | Definition | Example information | Access | Storage | Transmission | Printing | Labelling | Disposal | Review/expiry |
|---|---|---|---|---|---|---|---|---|---|
| Public | Approved for public release | Published website content | Public | Approved public locations | Normal channels | Normal | Optional/public mark | Normal | Review before publication |
| Internal | Internal business use | Internal procedures | Internal users by need | Approved internal systems | Internal channels | Controlled | Label where useful | Secure disposal if needed | Periodic |
| Confidential | Restricted business information | Contracts, HR files | Need-to-know | Restricted repositories | Encrypted/approved secure transfer | Secure print | Required | Secure disposal | Review on change |
| Highly confidential / regulated | Highest sensitivity or legal control | Medical records, identity documents, merger data | Strictly limited | Restricted with logging | Strong encryption/approved transfer | By exception | Required or controlled alternative | Verified destruction | Review/expiry required |
Classification decision checklist
- Confidentiality impact assessed.
- Integrity impact assessed.
- Availability impact assessed.
- Legal, regulatory, contractual, and interested-party requirements assessed.
- Asset owner assigned.
- Handling requirements defined.
- Labelling method defined.
- Review or expiry requirement defined.
- External classification mappings documented where relevant.
Related notes
- Template
- Iso27001
- A5 12
- A5 13
- Classification
Note Metadata
Aliases: Classification and Handling Matrix, Information Classification Matrix
Source: 90 Templates/Information Classification and Handling Matrix.md
Related Notes
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- A.5.12 Audit Evidence Pack
- A.5.13 Audit Evidence Pack
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.3 - Information Access Restriction
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.12 Audit Checklist
- A.5.13 Audit Checklist
- Information and Associated Asset Inventory
- Information Transfer Rules Matrix
- Sensitive Function and Export Control Checklist
- Templates MOC