ISO 27001 Implementation Guidance: Classification vs Labelling
Updated: Nov 29, 2019
A fundamental building block of most Information Security Management Systems is an information classification, labelling and handling scheme.
A classification scheme is a means of differentiating between information of differing sensitivity. Each category is given a label; common examples are 'confidential', 'sensitive', 'internal', and 'public'. This should then be supplemented by guidance on how information of each classification is to be handled (e.g. sensitive information must be encrypted during transfer).
These three elements are often incorrectly lumped together. Classification of information does not necessarily mean it has to be labelled; that is just one means of highlighting the classification to those handling it. ISO 27001 does not mandate labelling, as this post will explain.
Classification of Information
As stated earlier, a classification scheme will normally be made up of three, four or five categories to which information should be assigned.
It is very important that information can be classified. So, for example, if you sent me a published brochure, it is low risk should I lose or misplace it, so I would consider this public or unclassified. But, should you send me a large spreadsheet with a full payroll, I should be able to assign this to a different classification – confidential, restricted or similar.
But, while information always should be classified, that does not mean it needs to be labelled.
Labelling of Information
Labels applied to a document can provide the recipient with information as to how sensitive it is. This is especially true of common office documents and spreadsheets. But other information is less easy to label: emails are difficult to label consistently without software to help, and how would an SQL database or a firewall rulebase be labelled?
In fact, if someone applies an incorrect label, the risk of mis-handling is increased. Had the information not been labelled, employees would need to look at the content more carefully and would perhaps handle it more appropriately.
Labelling everything also leads to great difficulty in dealing with documentation produced by external parties. If I send a PDF to you with no label, how would you label it? Would you print it out, stamp it with a label and then scan it in again? Or, if it does have a classification label but you would have assigned it a different one, do you handle it according to my label or yours?
Do ensure that all information can be sensibly and easily classified, but do not immediately assume it must all be labelled. This is not to say that labelling should be ignored completely; rather, ensure that you only enforce the need for labels where there is a genuine need.