ISO 27002, Control 5.12, Classification of Information

ISO 27002:2022 – Control 5.12 – Classification of Information

Classification of information is a process that enables organisations to group information assets into relevant categories depending on the level of protection each category of information should be provided. Control 5.12 deals with implementation of a classification of information scheme based on confidentiality, integrity and availability requirements for information assets.

Purpose of Control 5.12

5.12 is a preventative control that identifies risks by enabling organisations to determine the level of protection for each information asset based on the information’s level of importance and sensitivity.

5.12 explicitly cautions organisations against over- or under-classification of information in the Supplementary Guidance. It states that organisations should take into account the confidentiality, availability and integrity requirements when they assign assets to relevant categories.

This ensures that classification scheme strikes an appropriate balance between business needs for information and the security requirements for each category of information.

Attributes of Control 5.12

Control Type	Information Security Properties	Cybersecurity Concepts	Operational Capabilities	Security Domains
#Preventive	#Confidentiality	#Identify	#Information Protection	#Protection
	#Integrity			#Defence
	#Availability

Ownership of Control 5.12

While there should be an organisation-wide classification of information schemes with classification levels and criteria for how to classify information assets, information asset owners are ultimately responsible for the implementation of a classification scheme.

5.12 explicitly recognizes that owners of the relevant information asset should be accountable.

For example, if the accounting department has access to the folders with payroll reports and bank statements, they should classify information based on the organisation-wide classification scheme.

When classifying information, the asset owner should take into account the business needs, level of impact the compromise of information would have on the organisation and the level of importance and sensitivity of information.

ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.

Get started

General Guidance on Control 5.12

To implement a robust classification of information scheme, organisations should adopt a topic-specific approach, understand each business unit’s needs for information, and determine the level of sensitivity and criticality of information.

5.12 requires organisations to take into account the the following seven criteria when implementing a classification scheme:

Establish a topic-specific policy and address the specific business needs

5.12 explicitly refers to 5.1, Access control and requires organisations to adhere to topic-specific policies as described in the 5.1. In addition, the classification scheme and levels should take specific business needs into account.

Take into account business needs for sharing and use of information and the need for availability

If you assign an information asset to a classification category that is unnecessarily higher, this may bring the risk of disruption to your critical business functions by restricting access to and use of information.

Therefore, you should strive to find a balance between your specific business needs for availability and use of information and the requirements for confidentiality and integrity of that information.

Consider legal obligations

Some laws may impose stricter obligations on you to ensure confidentiality, integrity and availability of information. When assigning information assets to categories, legal obligations should take priority over your own classification.

Take a risk-based approach and consider the potential impact of a compromise

Each type of information has a different level of criticality to each business’s operations and has a different level of sensitivity depending on the context.

In implementing classification of information scheme, organisations should ask:

What impact would the compromise of integrity, availability and confidentiality of this information have on the organisation?

For instance, databases of professional email addresses of qualified leads and health records of employees widely differ in terms of the level of sensitivity and the potential impact.

Regularly review and update the classification

5.12 notes that the value, criticality and sensitivity of information is not static and can change throughout the lifecycle of the information. Therefore, you need to regularly review each classification and make necessary updates.

As an example of such change, the 5.12 refers to the disclosure of information to the public, which greatly reduces the value and sensitivity of information.

Consult with other organisations you share information with and address any differences

There is no one way to classify information and each organisation can have different names, levels and criteria when it comes to classification of information schemes.

These differences may lead to risks when the two organisations exchange information assets with each other. Therefore, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.

Organisational-level consistency

Each department within the organisation should have a common understanding of classification levels and procedures so that classifications are consistent across the entire organisation.

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.

Book your demo

Guidance on How to Implement Classification of Information Scheme

While 5.12 recognises that there is no one-size-fits-all classification scheme and organisations have leeway in deciding and describing individual classification levels, it gives the following example as a information classification scheme:

a) Disclosure causes no harm;

b) Disclosure causes minor reputational damage or minor operational impact;

c) Disclosure has a significant short-term impact on operations or business objectives;

d) Disclosure has a serious impact on long term business objectives or puts the survival of the organisation at risk.

Changes and Differences From ISO 27002:2013

The Classification of Information was addressed in section 8.2.1 in the previous version.

While the two version are highly similar, there is two key differences:

In the old version, there was no explicit reference to the requirement for consistency of classification levels when information is transferred between organisations.

In the 2022 version, however, you need to put in place an agreement with your counterpart to ensure that there is consistency in classification of information and interpretation of classification levels.

Secondly, the new version explicitly requires organisations to put in place topic-specific policies. In the older version, in contrast, there was only a brief reference to the access control.

New ISO 27002 Controls

New Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
5.7	NEW	Threat intelligence
5.23	NEW	Information security for use of cloud services
5.30	NEW	ICT readiness for business continuity
7.4	NEW	Physical security monitoring
8.9	NEW	Configuration management
8.10	NEW	Information deletion
8.11	NEW	Data masking
8.12	NEW	Data leakage prevention
8.16	NEW	Monitoring activities
8.23	NEW	Web filtering
8.28	NEW	Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
5.1	05.1.1, 05.1.2	Policies for information security
5.2	06.1.1	Information security roles and responsibilities
5.3	06.1.2	Segregation of duties
5.4	07.2.1	Management responsibilities
5.5	06.1.3	Contact with authorities
5.6	06.1.4	Contact with special interest groups
5.7	NEW	Threat intelligence
5.8	06.1.5, 14.1.1	Information security in project management
5.9	08.1.1, 08.1.2	Inventory of information and other associated assets
5.10	08.1.3, 08.2.3	Acceptable use of information and other associated assets
5.11	08.1.4	Return of assets
5.12	08.2.1	Classification of information
5.13	08.2.2	Labelling of information
5.14	13.2.1, 13.2.2, 13.2.3	Information transfer
5.15	09.1.1, 09.1.2	Access control
5.16	09.2.1	Identity management
5.17	09.2.4, 09.3.1, 09.4.3	Authentication information
5.18	09.2.2, 09.2.5, 09.2.6	Access rights
5.19	15.1.1	Information security in supplier relationships
5.20	15.1.2	Addressing information security within supplier agreements
5.21	15.1.3	Managing information security in the ICT supply chain
5.22	15.2.1, 15.2.2	Monitoring, review and change management of supplier services
5.23	NEW	Information security for use of cloud services
5.24	16.1.1	Information security incident management planning and preparation
5.25	16.1.4	Assessment and decision on information security events
5.26	16.1.5	Response to information security incidents
5.27	16.1.6	Learning from information security incidents
5.28	16.1.7	Collection of evidence
5.29	17.1.1, 17.1.2, 17.1.3	Information security during disruption
5.30	5.30	ICT readiness for business continuity
5.31	18.1.1, 18.1.5	Legal, statutory, regulatory and contractual requirements
5.32	18.1.2	Intellectual property rights
5.33	18.1.3	Protection of records
5.34	18.1.4	Privacy and protection of PII
5.35	18.2.1	Independent review of information security
5.36	18.2.2, 18.2.3	Compliance with policies, rules and standards for information security
5.37	12.1.1	Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
6.1	07.1.1	Screening
6.2	07.1.2	Terms and conditions of employment
6.3	07.2.2	Information security awareness, education and training
6.4	07.2.3	Disciplinary process
6.5	07.3.1	Responsibilities after termination or change of employment
6.6	13.2.4	Confidentiality or non-disclosure agreements
6.7	06.2.2	Remote working
6.8	16.1.2, 16.1.3	Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
7.1	11.1.1	Physical security perimeters
7.2	11.1.2, 11.1.6	Physical entry
7.3	11.1.3	Securing offices, rooms and facilities
7.4	NEW	Physical security monitoring
7.5	11.1.4	Protecting against physical and environmental threats
7.6	11.1.5	Working in secure areas
7.7	11.2.9	Clear desk and clear screen
7.8	11.2.1	Equipment siting and protection
7.9	11.2.6	Security of assets off-premises
7.10	08.3.1, 08.3.2, 08.3.3, 11.2.5	Storage media
7.11	11.2.2	Supporting utilities
7.12	11.2.3	Cabling security
7.13	11.2.4	Equipment maintenance
7.14	11.2.7	Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier	ISO/IEC 27002:2013 Control Identifier	Control Name
8.1	06.2.1, 11.2.8	User endpoint devices
8.2	09.2.3	Privileged access rights
8.3	09.4.1	Information access restriction
8.4	09.4.5	Access to source code
8.5	09.4.2	Secure authentication
8.6	12.1.3	Capacity management
8.7	12.2.1	Protection against malware
8.8	12.6.1, 18.2.3	Management of technical vulnerabilities
8.9	NEW	Configuration management
8.10	NEW	Information deletion
8.11	NEW	Data masking
8.12	NEW	Data leakage prevention
8.13	12.3.1	Information backup
8.14	17.2.1	Redundancy of information processing facilities
8.15	12.4.1, 12.4.2, 12.4.3	Logging
8.16	NEW	Monitoring activities
8.17	12.4.4	Clock synchronization
8.18	09.4.4	Use of privileged utility programs
8.19	12.5.1, 12.6.2	Installation of software on operational systems
8.20	13.1.1	Networks security
8.21	13.1.2	Security of network services
8.22	13.1.3	Segregation of networks
8.23	NEW	Web filtering
8.24	10.1.1, 10.1.2	Use of cryptography
8.25	14.2.1	Secure development life cycle
8.26	14.1.2, 14.1.3	Application security requirements
8.27	14.2.5	Secure system architecture and engineering principles
8.28	NEW	Secure coding
8.29	14.2.8, 14.2.9	Security testing in development and acceptance
8.30	14.2.7	Outsourced development
8.31	12.1.4, 14.2.6	Separation of development, test and production environments
8.32	12.1.2, 14.2.2, 14.2.3, 14.2.4	Change management
8.33	14.3.1	Test information
8.34	12.7.1	Protection of information systems during audit testing

How ISMS.online Helps

Our platform is intuitive and easy-to-use. It’s not just for highly technical people; it’s for everyone in your organisation. We encourage you to involve staff at all levels of your business in the process of building your ISMS, because that helps you to build a truly sustainable system.

Get in touch today to book a demo.

We’re a Leader in our Field