What is ISO 27001 Annex A 5.12?
ISO 27001:2022 Annex A 5.12 (Classification of Information) requires that information be classified according to the organisation's security needs, based on confidentiality, integrity, availability and the requirements of relevant interested parties. In practice this means a documented classification scheme, with defined levels and handling rules, that is embedded in the tools where staff actually create and store documents. The point of the control is proportionality: protection effort should match the sensitivity and criticality of the data. Proper implementation relies on clear level definitions that staff can find and apply inside your existing organisational tools.
Auditor’s Eye: The Shortcut Trap
Many organisations rely on automated SaaS “tagging” tools to satisfy this control. These platforms often apply generic labels without business context, and auditors find this problematic. If an employee cannot explain why a document is “Confidential,” the scheme has failed regardless of what the tool reports. We prefer to see the classification logic within your native SharePoint or Confluence environments. Demonstrating that staff select levels themselves, based on an internal matrix, proves real understanding. Automated “green ticks” in a compliance portal do not reflect a secure culture. Human oversight in your primary document management system provides the most credible evidence of compliance.
Transition Table (2013 vs 2022)
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Key Changes |
|---|---|---|
| A.8.2.1 Classification of Information | 5.12 Classification of Information | The control remains largely identical. Both require classification by value, sensitivity and criticality; the 2022 wording states the basis explicitly as confidentiality, integrity, availability and interested-party requirements. |
How to Implement ISO 27001 Annex A 5.12 (Step-by-Step)
Classification must be a lived process within your document management system. Lead with your classification matrix: this first step gives all employees a unified language for data sensitivity. Avoid external software that isolates the classification decision from the people who know the data.
- Define the Scheme: Create a table in Confluence outlining your classification levels. Include clear examples for each.
- Assign Owners: Identify who owns specific data sets in your Jira asset register. They decide the classification level.
- Configure SharePoint: Apply sensitivity labels or folder structures that mirror your levels. Use native Microsoft 365 features.
- Train Staff: Conduct sessions explaining the “Why” behind each level. Use real internal documents as training examples.
- Review and Audit: Perform manual spot checks on document classifications. Document these reviews in meeting minutes.
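The SharePoint step above can be carried out with native Microsoft 365 sensitivity labels. The following script is an added example, not part of the original article and not vendor code: it creates labels that mirror a three-level matrix and publishes them so staff can pick a level manually in Office and SharePoint. The level names, tooltips, policy name and tenant prerequisites are assumptions for illustration; the cmdlets (`Connect-IPPSSession`, `New-Label`, `New-LabelPolicy`, `Get-Label`, `Set-SPOTenant`) are the real ones from the ExchangeOnlineManagement and SharePoint Online Management Shell modules.

```powershell
# Added example: publish sensitivity labels that mirror an internal
# classification matrix. Requires the ExchangeOnlineManagement module
# and a Compliance Administrator role. Names and tooltips are assumed.

Connect-IPPSSession   # Security & Compliance PowerShell session

# Assumed classification matrix (level -> short handling rule shown to staff).
$matrix = [ordered]@{
    "Public"       = "May be shared outside the organisation without restriction."
    "Internal"     = "For staff and contractors only. Do not publish externally."
    "Confidential" = "Restricted to named owners and approved recipients. Owner decides access."
}

foreach ($level in $matrix.Keys) {
    # Skip labels that already exist so the script is safe to re-run.
    if (-not (Get-Label -Identity $level -ErrorAction SilentlyContinue)) {
        New-Label -Name $level -DisplayName $level -Tooltip $matrix[$level]
    }
}

# Publish the labels to all users. No auto-labelling is configured here:
# the label is chosen by the person creating the document, which is the
# manual decision the article wants to evidence. Policy name is assumed.
New-LabelPolicy -Name "Information-Classification" `
                -Labels ($matrix.Keys) `
                -ExchangeLocation All

# Labels only apply to Office files in SharePoint once this tenant
# setting is enabled (SharePoint Online Management Shell, assumed already connected).
Set-SPOTenant -EnableAIPIntegration $true

# Verification for the audit file: list the published labels and tooltips.
Get-Label | Select-Object DisplayName, Tooltip
```

Keep the `Get-Label` output alongside the Confluence matrix in the evidence pack so an auditor can confirm the labels in the tenant match the levels staff were trained on. If you later enable auto-labelling, treat its decisions as suggestions that the asset owner confirms, not as the classification record.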
ISO 27001 Annex A 5.12 Audit Evidence Checklist
Focus on records that prove human intent. Automated dashboard summaries are insufficient for a lead auditor. We want to see how your team manages information daily.
- Classification matrix stored in your internal document repository.
- Asset register entries with assigned classification levels.
- Version history of classification policies showing regular reviews.
- Email records of asset owners confirming classification decisions.
- Manual audit reports checking for correctly classified documents.
Relational Mapping
Annex A 5.12 is the foundation for several other controls. It feeds directly into Annex A 5.13 (Labelling of Information), which applies the levels you define here. It also dictates the access levels required under Annex A 8.3 (Information Access Restriction). Without classification, Annex A 5.9 (Inventory of Information and Other Associated Assets) lacks the metadata needed for effective risk management.
Auditor Interview
Auditor: How do you decide if a new project document is “Confidential”?
User: We check the classification matrix on our Confluence security page.
Auditor: Where is the record of this decision kept?
User: The classification is noted in our SharePoint metadata and the project asset register.
Auditor: How do you ensure everyone follows these rules?
User: We conduct quarterly internal reviews of our document libraries to verify labels.
Common Non-Conformities
| Failure Mode | Auditor Note |
|---|---|
| Automated Complacency | Relying on a tool’s “AI classification” without manual verification or staff training. |
| Over-classification | Marking everything as “Confidential” leads staff to ignore the scheme, so genuinely sensitive data is handled no differently from routine documents. |
| Missing Asset Links | Failing to record the classification level in the central asset register. |
Frequently Asked Questions
What is the primary goal of Annex A 5.12?
The primary goal is ensuring information receives appropriate protection based on its value and sensitivity. Organisations must define a classification scheme. This scheme dictates how data is handled throughout its lifecycle. It prevents over-protection of low-value data and under-protection of sensitive assets.
How many classification levels are required?
ISO 27001 does not mandate a specific number of levels. Most organisations use three or four levels for simplicity. Common tiers include Public, Internal, and Confidential. The scheme must be easy for employees to understand and apply during daily operations.
Who is responsible for classifying information?
The information asset owner is responsible for classifying their data. They understand the context and sensitivity of the information. Users must then follow the handling rules associated with that classification. Auditors look for evidence that owners have actively assigned these levels.
