What does control A.3.5 require?
Information shall be classified according to the information security needs of the organisation, taking into consideration PII, based on confidentiality, integrity, availability and relevant interested party requirements.
This control sits within the shared security controls (Table A.3). It extends the standard ISO 27001 information classification requirement by making it explicit that PII must be considered within the classification scheme, not treated as an afterthought.
What does the implementation guidance say?
Annex B (section B.3.5) provides the following guidance:
- The classification scheme should explicitly consider PII as a category of information requiring protection
- Understand which PII the organisation processes, where it is stored, and which systems it can flow through
- Consider the type of PII and whether it includes special categories (e.g. health data, biometric data, racial or ethnic origin)
- Classification should drive the application of appropriate controls, with higher classifications receiving stronger protection
- The scheme should be practical and consistently applied across the organisation
- See also A.3.20: Storage Media for related requirements
- See also A.3.21: Secure Disposal or Re-Use of Equipment for related requirements
The guidance recognises that PII is not a single, homogeneous category. An email address carries a different risk profile from a medical record. The classification scheme should reflect these differences and drive proportionate protection.
How does this map to GDPR?
Control A.3.5 maps to GDPR Article 5(1)(f) (integrity and confidentiality) and Article 32 (security of processing): Article 32(1) requires appropriate technical and organisational measures, and Article 32(2) requires that the level of security be judged against the risks the processing presents. The GDPR therefore expects a risk-based approach to security, and classification is the mechanism through which risk levels are assigned to different types of information.
Special categories of personal data under GDPR Article 9 should receive the highest classification level, reflecting the additional protections the regulation requires for this type of data.
How does this relate to ISO 29100 privacy principles?
As a shared security control, A.3.5 supports the broader ISO 29100 framework. Classification is a foundational governance mechanism that enables the consistent application of the information security principle across all types of information, with PII receiving the attention it requires.
What evidence do auditors expect?
When assessing compliance with A.3.5, auditors will typically look for:
- Classification scheme — A documented classification policy that explicitly includes PII and special categories of PII as classification considerations
- Data inventory — A register of the PII the organisation processes, where it is stored and which systems handle it
- Classification decisions — Evidence that PII-containing assets have been classified according to the scheme (e.g. databases marked as “Confidential” or “Restricted”)
- Control mapping — Evidence that classification levels drive the application of security controls (higher classification = stronger controls)
- Training and awareness — Evidence that personnel understand the classification scheme and how to apply it to PII
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.6 Labelling of information | Once classified, information must be labelled so that the classification is visible and enforceable |
| A.3.3 Policies for information security | The classification scheme should be defined within or referenced by the information security policy |
| A.3.7 Information transfer | Transfer rules should reference classification levels to determine appropriate transfer mechanisms |
| A.3.8 Identity management | Access to higher-classified PII should be restricted through identity and access management controls |
| A.3.4 Roles and responsibilities | Information owners (a defined role) are responsible for classification decisions |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered under Clause 6.5.2.1. The substance is unchanged, but the 2025 restructure integrates the control more clearly into the shared security controls framework. The implementation guidance in B.3.5 now more explicitly emphasises understanding data flows and special categories of PII as part of the classification process. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for classifying and protecting PII?
ISMS.online helps you build and maintain a practical information classification scheme:
- Asset register with classification — Record every information asset, assign a classification level, and tag assets that contain PII or special categories of PII
- Data flow mapping — Visualise where PII is stored and how it moves through systems, making it easier to identify assets that need classification attention
- Control linkage — Map classification levels to the security controls that should be applied at each level, ensuring proportionate protection
- Review workflows — Schedule periodic classification reviews and track completion, so classifications stay current as processing activities change
- Awareness tools — Distribute classification guidance to personnel and track acknowledgement, supporting the training evidence auditors expect
FAQs
How should PII fit into an existing classification scheme?
Most organisations use a tiered classification scheme (e.g. Public, Internal, Confidential, Restricted). PII should typically be classified at Confidential or above, with special categories of PII (health, biometric, racial/ethnic data) at the highest level. If your existing scheme does not have a level that captures the sensitivity of PII adequately, consider adding one or updating the descriptions of existing levels to explicitly address PII.
Do we need to classify every individual record?
No. Classification is typically applied at the asset level (e.g. a database, a file share, an application) rather than at the individual record level. The key is to understand which assets contain PII and classify them appropriately. Where a single system holds different types of PII with different sensitivity levels, classify it based on the most sensitive data it contains.
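The two rules above (classify at asset level, and let the most sensitive data category set the level) together with the control-mapping evidence auditors look for can be expressed as a small inventory check. The following is an added worked example, not code from the page or from ISMS.online: the four-tier scheme, the data categories, the control identifiers and the sample assets are all hypothetical and constructed for illustration. Unknown categories are rejected rather than silently treated as Public, so a gap in the scheme surfaces at classification time instead of as an under-protected asset.

```python
"""Asset-level PII classification with highest-sensitivity-wins and a
control-gap check. Scheme, categories, control names and assets are
hypothetical (constructed for this example), not taken from ISO/IEC 27701."""
from __future__ import annotations
from dataclasses import dataclass, field

# Ordered tiers; position in the list is the rank used for comparison.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Minimum level each data category must receive. Ordinary PII sits at
# Confidential; special categories (health, biometric, ethnic origin) at the top.
CATEGORY_MIN_LEVEL = {
    "marketing_copy": "Public",
    "internal_memo": "Internal",
    "email_address": "Confidential",
    "postal_address": "Confidential",
    "health": "Restricted",
    "biometric": "Restricted",
    "ethnic_origin": "Restricted",
}

# Controls required at each level; higher levels carry the lower ones too.
# Identifiers are illustrative placeholders, not the standard's own controls.
LEVEL_CONTROLS = {
    "Public": set(),
    "Internal": {"authn"},
    "Confidential": {"authn", "rbac", "encryption_at_rest", "audit_log"},
    "Restricted": {"authn", "rbac", "encryption_at_rest", "audit_log",
                   "mfa", "field_level_encryption", "access_review"},
}


@dataclass
class Asset:
    name: str
    categories: list[str]          # data categories the asset holds
    controls: set[str] = field(default_factory=set)  # controls actually applied


def classify(asset: Asset) -> str:
    """Return the asset's level: the highest minimum level of any category it holds.

    Unknown categories raise so that the scheme, not the reviewer, is forced
    to enumerate them; an asset with no recorded categories defaults to
    Internal rather than Public, because an empty inventory entry is a gap,
    not evidence that the asset is harmless.
    """
    unknown = [c for c in asset.categories if c not in CATEGORY_MIN_LEVEL]
    if unknown:
        raise ValueError(f"{asset.name}: categories not in scheme: {unknown}")
    if not asset.categories:
        return "Internal"
    return max((CATEGORY_MIN_LEVEL[c] for c in asset.categories), key=LEVELS.index)


def control_gaps(asset: Asset) -> set[str]:
    """Controls demanded by the asset's level that are not applied to it."""
    return LEVEL_CONTROLS[classify(asset)] - asset.controls


def inventory_report(assets: list[Asset]) -> list[dict]:
    """One row per asset: the classification decision and any control gaps.
    This is the shape of evidence an auditor would sample for A.3.5."""
    return [
        {"asset": a.name, "level": classify(a), "gaps": sorted(control_gaps(a))}
        for a in assets
    ]


# Constructed sample inventory. The HR system mixes ordinary PII with health
# data, so it inherits Restricted and its applied controls fall short.
SAMPLE_ASSETS = [
    Asset("crm_db", ["email_address", "postal_address"],
          {"authn", "rbac", "encryption_at_rest", "audit_log"}),
    Asset("hr_system", ["email_address", "health"],
          {"authn", "rbac", "audit_log"}),
    Asset("website_cms", ["marketing_copy"], set()),
]

if __name__ == "__main__":
    for row in inventory_report(SAMPLE_ASSETS):
        print(row)
```

Running the block lists each asset with its derived level and missing controls; in the sample, only the HR system shows gaps, because health data lifts it to the top tier while its controls were sized for ordinary PII.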
What are special categories of PII?
Under GDPR, special categories include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, and data concerning sex life or sexual orientation. ISO 27701 uses the broader term “sensitive PII” and leaves the specific categories to applicable legislation. Your classification scheme should identify these types and assign them the highest protection level.