Information classification
https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
You may use this kind of information classification scheme, with three confidentiality levels and one public level:
- Confidential (top confidentiality level)
- Restricted (medium confidentiality level)
- Internal use (lowest level of confidentiality)
- Public (everyone can see the information)
What's the importance of availability and integrity?
Answer: The most generally used classification parameter is confidentiality, hence the use of the levels you mentioned, but you can also define levels for availability and integrity when you identify aspects that require this kind of classification (e.g. a risk assessment identified unacceptable risks regarding loss of availability or integrity).
For availability levels you may consider:
- High availability: real-time response required or very short unavailability acceptable (less than a day)
- Medium availability: short unavailability acceptable (up to three days)
- Low availability: some unavailability acceptable (up to one week)
For integrity levels you may consider:
- High integrity level: changes must be performed and approved by different persons
- Medium integrity level: changes must be controlled
- Low integrity level: no integrity controls required
These materials will also help you regarding information classification:
- Information Classification - Who, Why and How https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Good morning,
thank you for your explanation. And is the information labelling done according to confidentiality?
Thanks
The use of information labelling will follow the same approach: you will have to include in it the classification levels applied to availability and integrity, as you would do with confidentiality, so every person that accesses the document will know from the labelling how to handle the information. For example, in a payroll list you may have the following labelling:
- Confidentiality: RESTRICTED
- Integrity: HIGH
- Availability: MEDIUM
Jun 06, 2017