
Control A.7.2 of the standard specifies that an organization must have a procedure for classifying information that will ensure that its information assets receive an appropriate level of protection. Control A.7.2.1 of the standard provides guidelines on classification, and these are expanded further by clause 7.2.1 of ISO27002. The standard simply requires that classifications should be suited to business needs (including legality, value, sensitivity and criticality) both to restrict and to share information, and to the business impacts associated with those needs. It is important to note that sharing is as important an objective of this section as is restricting; it is possible to draw up a set of guidelines that are too restrictive for the business and that are therefore regularly breached. This is not a useful outcome. Organizations (particularly in today’s environment) depend on sharing information; it is essential that information is classified in such a way that this can be done consistently and appropriately. Whatever classification scheme is adopted by the organization should be extended to cover the level at which users can access data in the system (read only, write and delete).

Information classification is a key concept in the structuring and development of an effective ISMS. The classification given to a particular information asset can determine how it is to be protected, who is to have access to it, what networks it can run on, etc. ‘Confidentiality’ is, after all, one of the three key objectives of an information security management system.

The benefits of adopting a consistent procedure are clear. The organization will:

• reduce the risk of damage to its reputation, profitability or interests due to loss of sensitive information;

• reduce the risk of embarrassment or loss of business arising from loss of another organization’s sensitive information;

• increase confidence in trading and funding partnerships and in the outsourcing of sensitive activities;

• simplify the exchange of sensitive information with third parties, while ensuring that risks are appropriately managed.

Classified information is marked so that both originator and recipient know how to apply appropriate security to it. The classification is based on the likely impact on the organization if the information is leaked or disclosed to the wrong third-party organizations or people. It does not matter what system the organization adopts, provided it is clear, clearly documented and clearly understood by all staff and everyone who uses it.

The simplest approach is usually one that has only three levels of classification. The first level might be to identify that information which is so confidential that it has to be restricted to the board and specific professional advisers. Information that falls into this category might be marked ‘Confidential’, with the names of the people to whom it is restricted identified on the document. Some organizations also number documents that have this level of classification, so that each person who is sent a copy receives a numbered copy. Usually, all pages of such a document would show the classification in capital letters at least 5 millimetres high and, if it exists, the individual number. This information should be included in the document header, which should be set to appear on all pages of the document. Examples of confidential information might include information about potential acquisitions or corporate strategy, or about key organizational personnel, such as the chief executive. The amount of information that falls into this category should be carefully limited; the cost and operational inconvenience of protecting it properly is such that the category needs to be restricted to information whose release could significantly damage the organization.

A second level of classification might cover documents that are to be available only to senior or other specified levels of management within the organization. These might be marked ‘Restricted’; the related procedure should specify a level of employee above which anyone can access the document. Examples might include draft statutory accounts, which might be available to everyone in senior management, or implementation plans for corporate restructuring, which senior managers need to work through prior to their being rolled out. These documents are usually not numbered, but the decision to release them (which is, by definition, a decision to release them to everyone in the organization who is entitled to receive information of this level) should not be taken lightly.

The final level of classification might be, simply, ‘Private’, and this should cover everything that has value but that does not need to fall within either of the other categories. Everyone employed by the organization should be entitled to access information with this classification. At the same time as adopting such a system, the organization should make clear how it will treat any internally originated documents that carry classifications (eg ‘Private and confidential’, or ‘Restricted – commercial in confidence’, or any other variations on the theme) other than those described in the procedure. Such incorrectly classified documents could be either automatically destroyed, or automatically reclassified, or automatically treated as having no classification at all; the policy decision should reflect the risk and cultural environment within which the new classification system is being adopted. The organization also needs to consider how it will appropriately reclassify third-party-sensitive documents that it receives and that it will be responsible for protecting.

It will be important, in deciding which employees will have access to which levels of information, to resolve what is to be done in respect of those employees who have to support senior management but who themselves might fall into a lower classification in terms of information security. An implication of this might be the rather farcical one of people such as personal assistants and secretaries working on or distributing documents or supporting meetings whose content they have to try not to be aware of. Far better, frankly, to allow these people the same level of access to confidential documents as their managers and to take all the necessary steps to ensure that only appropriate persons are recruited into these roles.

ISO27002 also suggests that the ‘effects of aggregation’ should be considered; it is possible for a series of non-confidential items to become confidential when they are aggregated. For example, individual pages of a set of accounts might not, in themselves, be confidential (because they carry incomplete information) but together they might be valuable and confidential. The best way to deal with these types of issues is to apply from the outset the aggregate-level classification to all the component parts of the information asset.
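The three-level scheme, the handling of markings outside the procedure, and the aggregation rule can be expressed as a small policy module. The following is an added example, not code from the book; the grade threshold for ‘Restricted’ and the ‘destroy / reclassify / none’ policy names are assumptions.

```python
from enum import IntEnum
from typing import Dict, Iterable, Optional

# The three-level scheme from the text; a higher value is more sensitive.
class Level(IntEnum):
    PRIVATE = 1        # every employee may access it
    RESTRICTED = 2     # managers at or above a specified grade
    CONFIDENTIAL = 3   # board plus the people named on the document

RESTRICTED_MIN_GRADE = 5   # assumed grade threshold set by the procedure
MARKINGS = {"CONFIDENTIAL": Level.CONFIDENTIAL,
            "RESTRICTED": Level.RESTRICTED,
            "PRIVATE": Level.PRIVATE}

def classify_marking(marking: str, unknown_policy: str = "reclassify") -> Optional[Level]:
    """Map a header marking to a Level. A marking that is not exactly one of
    the three defined words (e.g. 'Private and confidential') is handled per
    policy: 'destroy' raises, 'none' treats it as unclassified, and
    'reclassify' takes the highest level any word in the marking hints at."""
    words = marking.upper().replace("-", " ").replace("\u2013", " ").split()
    if len(words) == 1 and words[0] in MARKINGS:
        return MARKINGS[words[0]]
    if unknown_policy == "destroy":
        raise ValueError(f"marking {marking!r} is outside the procedure: destroy")
    if unknown_policy == "none":
        return None
    hinted = [MARKINGS[w] for w in words if w in MARKINGS]
    return max(hinted) if hinted else None

def header_text(level: Level, copy_number: Optional[int] = None) -> str:
    """Header for every page: the marking in capitals, plus the copy number
    when a CONFIDENTIAL document is issued as numbered copies."""
    text = level.name
    if level is Level.CONFIDENTIAL and copy_number is not None:
        text += f" - COPY {copy_number}"
    return text

def apply_aggregate(parts: Dict[str, Optional[Level]], aggregate: Level) -> Dict[str, Level]:
    """Effects of aggregation: every component part of the asset is marked at
    least at the level of the whole, so no part can be released below it."""
    return {name: max(lvl or Level.PRIVATE, aggregate) for name, lvl in parts.items()}

def may_access(level: Optional[Level], employee: str, grade: int,
               named: Iterable[str] = ()) -> bool:
    """PRIVATE and unclassified: all staff. RESTRICTED: grade threshold.
    CONFIDENTIAL: only the names listed on the document (which may include
    the assistants who support those managers, as the text recommends)."""
    if level is None or level is Level.PRIVATE:
        return True
    if level is Level.RESTRICTED:
        return grade >= RESTRICTED_MIN_GRADE
    return employee in set(named)
```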
