What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.12

ISO 27001 Annex A 5.12 - what changed in the 2022 update

If you have ever felt that information security is mostly about gatekeeping, Annex A 5.12 is here to remind us that it is actually about value. You cannot protect every piece of data with the same level of intensity; it is simply not practical or cost-effective. This is why we classify information. As we move from the ISO 27001:2013 version to the 2022 update, the way we handle this classification has seen some subtle but important refinements.

Formerly known as Control A.8.2.1, the new Annex A 5.12, “Classification of information,” remains a cornerstone of any Information Security Management System (ISMS). However, the 2022 version pushes organisations to be more intentional and integrated in their approach. Let’s look at what has actually shifted.

The Structural Change: From A.8.2.1 to A.5.12

In the 2013 version of the standard, classification lived in the Asset Management domain. In the 2022 revision, it has been moved to the “Organisational” theme and renumbered as Annex A 5.12. This shift is significant because it moves classification away from being a “technical inventory” task and places it firmly in the realm of business operations.

According to Hightable.io, this reclassification highlights that classification is a prerequisite for almost every other control in the standard. Without knowing the sensitivity of your information, you cannot effectively manage access (5.15-5.18), handle media (7.10), or encrypt data (8.24). It is the “metadata” that makes the rest of your security framework function correctly.

Beyond “Public” and “Private”: A Focus on Business Needs

One of the most notable changes in the 2022 version is the emphasis on ensuring that classification schemes reflect the actual needs of the business. While the 2013 version required a classification scheme, many organisations simply adopted a generic “Public, Internal, Confidential” model without much thought.

The 2022 update encourages a more tailored approach. It asks organisations to consider the legal, regulatory, and contractual requirements specific to their industry. For example, if you handle healthcare data or payment card information, your classification levels should explicitly account for the protections required by GDPR, HIPAA, or PCI DSS, so that a label such as “Confidential” maps to a known set of handling rules rather than a vague sense of importance. It’s about making the labels meaningful to the people using the data every day.

Integration with the Asset Inventory

In the 2013 version, asset management and classification were often treated as two separate steps. The 2022 version creates a tighter bond between Annex A 5.9 (Inventory of information and other associated assets) and Annex A 5.12.

As Hightable.io points out, you shouldn’t just have a list of laptops and a separate list of data types. The 2022 standard expects you to understand which classified information lives on which assets. If a database is classified as “Secret,” the server hosting it and the backups containing it must automatically inherit the protection requirements associated with that classification.
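The inheritance rule described above is easy to state and easy to get wrong in a spreadsheet, so here is an added example (not code from the original article or from Hightable.io) of how it can be computed over an inventory. The four-level scheme, the mapping from level to required controls, and the inventory entries are all constructed for illustration; the standard itself does not prescribe them. Each asset records what it hosts, and its effective classification is the highest level of anything it contains, transitively, so a backup of a server inherits the level of the databases on that server. A second pass then reports assets whose implemented controls fall short of what their effective level demands, and information assets whose owner has not classified them at all.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed four-level scheme, ordered lowest to highest. The names and the
# control mapping below are assumptions for illustration, not the standard's.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Hypothetical handling rules: the controls an asset must implement at each level.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "Public": set(),
    "Internal": {"access-control"},
    "Confidential": {"access-control", "encryption-at-rest"},
    "Secret": {"access-control", "encryption-at-rest", "encryption-in-transit", "logging"},
}


@dataclass
class Asset:
    name: str
    kind: str                                        # "information", "server", "backup", ...
    owner: str                                       # the accountable person, not "IT"
    classification: Optional[str] = None             # set by the owner for information assets
    hosts: List[str] = field(default_factory=list)   # assets stored on / contained in this one
    controls: Set[str] = field(default_factory=set)  # controls actually implemented here


Inventory = Dict[str, Asset]


def effective_classification(inv: Inventory, name: str, _path: FrozenSet[str] = frozenset()) -> str:
    """Highest level of the asset itself or of anything it hosts, transitively.

    A server inherits the level of the databases on it; a backup inherits the level of
    the server (and therefore of the databases) it captures.
    """
    if name in _path:  # hand-maintained inventories do contain mistakes like A hosts B hosts A
        raise ValueError(f"cycle in inventory at {name}")
    asset = inv[name]
    own = RANK.get(asset.classification, -1)  # unclassified contributes nothing; reported separately
    hosted = [RANK[effective_classification(inv, child, _path | {name})] for child in asset.hosts]
    return LEVELS[max([own, 0] + hosted)]


def unclassified_information(inv: Inventory) -> List[str]:
    """Information assets whose owner has not yet assigned a level (an audit finding)."""
    return sorted(a.name for a in inv.values() if a.kind == "information" and a.classification is None)


def control_gaps(inv: Inventory) -> Dict[str, Set[str]]:
    """Hosting assets whose implemented controls fall short of their effective level."""
    gaps: Dict[str, Set[str]] = {}
    for name, asset in inv.items():
        if asset.kind == "information":  # controls live on the things that hold the information
            continue
        missing = REQUIRED_CONTROLS[effective_classification(inv, name)] - asset.controls
        if missing:
            gaps[name] = missing
    return gaps


def sample_inventory() -> Inventory:
    """Constructed inventory for the demonstration; none of it is real."""
    assets = [
        Asset("customer-db", "information", owner="Head of Sales", classification="Secret"),
        Asset("marketing-site", "information", owner="Marketing Lead", classification="Public"),
        Asset("hr-spreadsheet", "information", owner="HR Manager"),  # owner has not classified it yet
        Asset("db-server-01", "server", owner="Head of Sales", hosts=["customer-db"],
              controls={"access-control", "encryption-at-rest", "encryption-in-transit"}),
        Asset("nightly-backup", "backup", owner="Head of Sales", hosts=["db-server-01"],
              controls={"access-control"}),
        Asset("web-server-01", "server", owner="Marketing Lead", hosts=["marketing-site"]),
    ]
    return {a.name: a for a in assets}


if __name__ == "__main__":
    inv = sample_inventory()
    for name in inv:
        print(f"{name:15} effective={effective_classification(inv, name)}")
    print("unclassified:", unclassified_information(inv))
    for name, missing in control_gaps(inv).items():
        print(f"gap: {name} lacks {sorted(missing)}")
```

Run as-is, the backup comes out as “Secret” even though nobody labelled it, and the gap report shows that the backup with only access control on it is the weakest point in the chain. That is exactly the joined view of 5.9 and 5.12 the 2022 standard is asking for; the same propagation works whatever levels and controls your own scheme defines.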

Simplification and Alignment

The 2022 version of the standard is generally more streamlined. While the 2013 version had separate controls for “Classification” (A.8.2.1), “Labelling” (A.8.2.2), and “Handling” (A.8.2.3), the 2022 version keeps these concepts distinct but tightly coupled: labelling now sits in Annex A 5.13 and handling in Annex A 5.10 (acceptable use of information and other associated assets). Annex A 5.12 focuses specifically on the scheme itself, ensuring that the categories are defined and that the basis for classification is clear.

This clarity helps avoid “classification creep,” where everything becomes “Confidential” because employees are afraid to label it “Internal.” By providing clearer definitions, the 2022 standard helps organisations ensure that resources are focused on protecting the data that truly matters.

Key Implementation Steps for the 2022 Standard

When updating your ISMS for the 2022 version, your approach to Annex A 5.12 should be proactive. Consider the following steps:

  • Review Your Scheme: Does your current classification model still fit? If you’ve moved to the cloud or started using AI tools, you may have new types of data that don’t fit into your old 2013-era categories.
  • Assign Responsibility: The 2022 standard reinforces that the information owner is responsible for classifying their data. Make sure your staff know that “owner” doesn’t mean the IT department—it means the person who created or manages the data.
  • Automate the Process: Modern tools can automatically tag files based on their content. Leveraging this technology makes compliance with Annex A 5.12 much easier than relying on manual labelling.
  • Train Your Team: Classification only works if everyone uses the same “dictionary.” Ensure your team understands the difference between your labels and knows the handling rules for each.

The Bottom Line

The transition from ISO 27001:2013 A.8.2.1 to ISO 27001:2022 Annex A 5.12 is a move toward maturity. It isn’t enough to just put a “Confidential” footer on a document. The new standard requires a classification system that is integrated into the heart of the business, supported by clear ownership, and aligned with the actual risks the organisation faces.

By getting Annex A 5.12 right, you aren’t just passing an audit; you are building a roadmap that tells your entire security team exactly where the most important “treasures” are hidden and how high the walls around them need to be.