
Classification policy

KevinC Created:   Mar 18, 2020 Last commented:   Mar 19, 2020

In the policy:

Steps and responsibilities for information management are the following: 

Step name
1. Entering the information asset in the Inventory of Assets 
2. Classification of information
3. Information labeling
4. Information handling

If classified information is received from outside the organization, [role] is responsible for its classification in accordance with the rules prescribed in this Policy, and this person becomes the owner of such an information asset.

We receive data files very often; are we required to enter each and every one of them into the inventory of assets? That sounds onerous from our perspective, and that inventory would be extremely long and a burden to keep up to date. Is it permissible to instead include a description of the data/file type that we receive?


Expert
Rhand Leal Mar 19, 2020

ISO 27001 does not prescribe how to build the inventory of assets, so organizations are free to build them the best way to fulfill their needs. In cases like this, you can group files per type (i.e., files that share similar risks), and include only the type as an asset in the inventory of assets. For example, you can have an asset called "customer contracts", and others like "project specifications".

This article will provide you further explanation about inventory of assets:
