ISO 27001:2022 Annex A Control 5.12

Classification of Information

Book a demo

young,business,colleagues,working,in,a,busy,open,plan,office

The classification of information is a fundamental process that enables organisations to group their information assets into relevant categories based on their required level of protection.

According to ISO 27001:2022 Annex A 5.1.2, information must be classified based on various factors, including legal requirements, value, criticality, and sensitivity to unauthorised disclosure or modification. This classification should be designed to reflect the unique business activity of the organisation without impeding or complicating it.

For instance, information intended for public consumption must be suitably marked, whereas confidential or commercially sensitive data must be accorded a higher degree of security. It is crucial to note that the classification of information ranks among the most significant controls in Annex A to ensure that organisational assets are protected.

Purpose of ISO 27001:2022 Annex A 5.12

Annex A Control 5.12 is a preventive control that enables organisations to identify risks by determining the appropriate level of protection for each information asset based on its importance and sensitivity.

In the Supplementary Guidance, Annex A Control 5.12 explicitly cautions against the over- or under-classification of information. Organisations must consider the confidentiality, availability, and integrity requirements when assigning assets to their respective categories. This helps to ensure that the classification scheme balances the business needs for information and the security requirements for each category of information.

Ownership of Annex A 5.12

While it is essential to establish a classification scheme for information assets throughout the entire organisation, it is ultimately the responsibility of the asset owners to ensure that it is implemented correctly.

By ISO 27001:2022 Annex A 5.12, those with pertinent information assets must be held accountable. For instance, the accounting department should classify information based on the organisation-wide classification scheme when accessing folders containing payroll reports and bank statements.

When classifying information, it is crucial for asset owners to consider the business needs and the potential impact that a compromise of information could have on the organisation. Additionally, they should account for the information’s importance and sensitivity levels.

Jump to Topic
Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

General Guidance on ISO 27001:2022 Annex A 5.12

To successfully implement a robust information classification scheme, organisations ought to take a topical approach, consider each business unit’s specific information needs, and evaluate the level of sensitivity and criticality of the information.

As per Annex A Control 5.12, organisations must evaluate the following seven criteria when implementing a classification scheme:

Establish a Topic-Specific Policy and Address Specific Business Needs

Annex A Control 5.12 of the information security management system refers to Annex A Control 5.1, which pertains to access control. It mandates that organisations adhere to topic-specific policies stipulated in Annex A Control 5.1. Additionally, the classification scheme and levels should consider specific business needs when classifying information assets.

Organisations need to consider their business needs for sharing and using information, as well as the need for the availability of such information. However, classifying an information asset may disrupt critical business functions by restricting access to and use of information.

Therefore, organisations should balance their specific business needs for the availability and use of data and the requirement for maintaining the confidentiality and integrity of that information.

Consider Legal Obligations

Specific laws may require organisations to emphasise safeguarding the confidentiality, integrity, and availability of information. Therefore, legal obligations should be prioritised over the organisation’s internal classification when categorising information assets.

Adopting a risk-based approach and assessing the potential impact of a security breach or compromise on information assets is advisable. This will help prioritise and implement appropriate security measures to mitigate the identified risks.

Every form of information holds a unique significance level to an organisation’s functions and possesses varying degrees of sensitivity depending on the particular circumstances.

When an organisation implements an information classification scheme, it should consider the potential impact that compromising the information’s confidentiality, integrity, or availability could have on the organisation.

For instance, the sensitivity and potential impact of a database containing professional email addresses of qualified leads would be vastly different from that of employees’ health records. Therefore, the organisation should carefully consider the level of protection that each category of information requires and allocate resources accordingly.

Regularly Updating and Reviewing the Classification

Annex A Control 5.12 recognises that information’s value, importance, and level of sensitivity can change over time as the data goes through its life cycle. As a result, organisations need to regularly review their classification of information and make any necessary updates.

ISO 27001 Annex A Control 5.12 pertains to reducing the value and sensitivity of the information to a significant extent.

It is essential to consult with other organisations with you to share information and resolve any disparities.

Each Organisation May Have Distinct Terminology, Levels, and Standards for Their Information Classification Systems

Divergences in information classification between organisations can lead to potential risks when exchanging information assets.

Organisations must collaborate with their counterparts to establish a consensus to ensure uniformity in information classification and consistent interpretation of classification levels to mitigate such risks.

Organisational-Level Consistency

Every department within an organisation must have a shared comprehension of classification levels and protocols to ensure uniformity in classifications across the entire organisation.

Guidance on How to Implement the Classification of Information Scheme

While Annex A 5.12 acknowledges that there is no universally applicable classification system and organisations have the flexibility to establish and define their classification levels, it illustrates an information classification scheme:

  • Disclosure causes no harm.

  • Disclosure causes minor reputational damage or minor operational impact.

  • Disclosure has a significant short-term impact on operations or business objectives.

  • Disclosure seriously impacts long-term business objectives or risks the organisation’s survival.

Changes and Differences From ISO 27002:2013

Annex A 8.2.1 in the previous version dealt with the Classification of Information.

While the two versions are quite similar, there are two main differences:

  1. Firstly, the previous version did not mention the need for consistency in classification levels when information is shared between organisations. However, ISO 27001:2022 mandates that organisations collaborate with their counterparts to ensure uniformity in information classification and understanding.

  2. Secondly, the updated version explicitly requires organisations to develop policies tailored to specific topics. Only a brief reference to access control was made in the older version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Help

Our platform is designed to be user-friendly and straightforward, catering to highly technical individuals and all staff members in your organisation.

We advocate involving employees at all levels of the business in constructing your ISMS as it aids in establishing a sustainable system.

Find out more by booking a demo.

I’ve done ISO 27001 the hard way so I really value how much time it saved us in achieving ISO 27001 certification.

Carl Vaughan
Infosec Lead, MetCloud

Book your demo

100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo
Assured Results Method

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more