ISO 27001 Control 5.12: Information Classification
Information classification is the foundation of effective data protection. Control 5.12 requires your organization to categorize information based on confidentiality, integrity, and availability needs—ensuring every asset receives appropriate security controls. Without clear classification, SMBs struggle to allocate security resources efficiently and often over-protect non-critical data while under-protecting sensitive assets.
What this means
This control mandates that your organization establish and apply a classification scheme for all information assets. Classification must reflect the confidentiality, integrity, and availability requirements of your business, plus any obligations to external stakeholders (customers, regulators, partners). The goal is to create a consistent framework that guides how information is handled, protected, stored, and disposed of throughout its lifecycle.
How to comply
- 1.Define classification levels (e.g., Public, Internal, Confidential, Restricted) with clear criteria for each tier
- 2.Document the CIA triad impact for each classification level—what happens if confidentiality, integrity, or availability is compromised
- 3.Map all information assets to appropriate classification levels based on business impact and regulatory requirements
- 4.Establish labeling and marking standards so classified information is easily identified across systems and physical locations
- 5.Create handling procedures for each classification level—who can access it, how it's stored, transmission requirements, retention periods
- 6.Define roles responsible for initial classification and periodic reclassification reviews
- 7.Communicate the classification policy to all employees and enforce compliance through training and monitoring
- 8.Review and update classifications annually or when business context changes
Evidence auditors look for
- Information classification policy document detailing classification levels and CIA criteria
- Classification matrix showing all asset types and their assigned levels
- Labeling standards and implementation examples (metadata tags, file labels, container markings)
- Handling procedures for each classification level (access, storage, encryption, transmission, disposal)
- Asset register or inventory with classification assignments
- Evidence of classification training and awareness communications
- Records of classification reviews and updates over the past 12 months
- Examples of properly classified and labeled information in use
- Data flow diagrams showing information movement and protection at each classification level
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates information asset discovery and classification tracking, flagging misclassified or unclassified data across your infrastructure so you stay audit-ready without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial