ISO 27001 Annex A 5.12 Classification Of Information

ISO 27001 Annex A 5.12 is about how a company should classify its information. This means sorting information into groups based on how important and sensitive it is. By doing this, a company can make sure its most important data gets the level of protection it needs.


What Is Information Classification?

Information classification is a way to sort different kinds of data so that you can decide how much security each piece of data needs. The purpose is to know what level of protection is right for each piece of information. The control says you should classify information based on its confidentiality, integrity, and availability requirements.

How to Follow the Rule

  • Make a plan: First, decide how you will classify your information. You can create your own scheme or adopt an existing one. A simple scheme is often best. For example, you can use three levels such as “Confidential,” “Internal,” and “Public.”
  • Find an owner: Each piece of information should have an owner. This person is in charge of deciding how the information should be classified.
  • Put controls in place: Once information is classified, you must apply the right security controls to protect it. The controls you choose should match the classification level. For example, highly confidential information needs stronger security than public information.
  • Keep it fresh: The value of information can change over time. Review the classification of your information regularly, at least once a year, to make sure it is still correct.

Frequently Asked Questions

What is an information classification and handling policy?

This is a simple rulebook that explains the different levels of data classification. It also tells you what you can and cannot do with information at each level, for example how it may be stored, shared, and disposed of.

How many levels of data classification should there be?

You can have as many as you need for your business. It is often a good idea to keep it simple, like using “Confidential,” “Internal,” and “Public” levels.

Who is in charge of classifying the data?

The owner of the data is in charge of deciding how it should be classified. They also decide how long the data should be kept and what security is needed.

Is data classification required by law?

Yes, in many cases data classification is needed to comply with data protection laws such as GDPR.


This video provides an overview of ISO 27001 Annex A 5.12, which explains the steps to implement information classification and how to pass an audit.