Classification of information
What are the types of data that need to be classified? Does each and every physical asset, document, data need to be classified?
1 - What are the types of data that need to be classified?
Answer: For ISO 27001 certification purposes, the type of information to be classified will depend on the information the organization wants to protect, which is defined in the scope of the Information Security Management System (ISMS).
For example, if the ISMS scope is a software development process, developed code is one example of an information type that must be classified. If the scope includes the Sales department, customer information must also be classified. Please note that information must be classified regardless of whether it is in electronic, physical, or any other format.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2 - Does each and every physical asset, document, data need to be classified?
Answer: In your Classification Policy you can decide which assets need to be classified, but in general only information assets are classified.
By information asset, you can understand where information is stored (e.g., a paper report in a cabinet, electronic data in a database, a file on a server or pendrive, etc.), where it is processed (e.g., a payment system), or where it flows (e.g., network equipment).
For further information, see:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Apr 10, 2020