UnixTime

Research Note

Information Classification and Handling Matrix

Use this to define classification levels, handling rules, labelling expectations, owner responsibilities, and review rules for information assets.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this to define classification levels, handling rules, labelling expectations, owner responsibilities, and review rules for information assets.

Classification matrix

Classification Definition Example information Access Storage Transmission Printing Labelling Disposal Review/expiry
Public Approved for public release Published website content Public Approved public locations Normal channels Normal Optional/public mark Normal Review before publication
Internal Internal business use Internal procedures Internal users by need Approved internal systems Internal channels Controlled Label where useful Secure disposal if needed Periodic
Confidential Restricted business information Contracts, HR files Need-to-know Restricted repositories Encrypted/approved secure transfer Secure print Required Secure disposal Review on change
Highly confidential / regulated Highest sensitivity or legal control Medical records, identity documents, merger data Strictly limited Restricted with logging Strong encryption/approved transfer By exception Required or controlled alternative Verified destruction Review/expiry required

Classification decision checklist

  • Confidentiality impact assessed.
  • Integrity impact assessed.
  • Availability impact assessed.
  • Legal, regulatory, contractual, and interested-party requirements assessed.
  • Asset owner assigned.
  • Handling requirements defined.
  • Labelling method defined.
  • Review or expiry requirement defined.
  • External classification mappings documented where relevant.