A.8.2.2 Labeling of Information
Thank you for the meeting we had last Friday. As discussed, “A.8.2.2 Labeling of Information“ is not applicable for us while “ and I deactivated the control in SOA. However, in the following steps I see there is the “information Classification Document” which requires a responsible person and also defining the labels in 3.2.2 (Confidentiality levels – see the below table).
I’m wondering if there is a way to remove Labeling in this case or is it enough manually we have put Not Applicable (N/A). Or if we have A.8.2.1 then is mandatory to have A.8.2.2 as well?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Since you stated in the SoA that control A.8.2.2 Labelling of information is not applicable, then it is sufficient for you to include only N/A in the Labeling column (there is no need to exclude the column).
Regarding controls A.8.2.1 Classification of information and A.8.2.2, you can implement only A.8.2.1 without implementing A.8.2.2 (i.e., you can define classification levels without the need to label media that contains it, although this is not common).
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Comment as guest or Sign in
Oct 12, 2022