Confidentiality Level & the ISO 27001 Standard

1 - Should all documents have a confidentiality level?

First is important to note that defining confidentiality level for documents is necessary only if control A.5.12 Classification of information is identified as applicable in the Statement of Applicability.

Considering that, only documents with information considered relevant to the Information Security Management System scope must have a confidentiality level.

For example, in case financial information is not included in the ISMS scope, then documents with financial information do not need to have a confidentiality level.

This article will provide you with a further explanation of information classification:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

2 - Also in the standard Annex A there is a table of 'A' numbers, example A.12.1.3 how do I link these to the clauses in the standard? Example 9 Performance evaluation?

Please note that there is no connection between individual clauses to particular controls.

This is so because the purpose of the main part of the standard (clauses 4 to 10) is to manage security (e.g., risk management, internal audit, etc.), whereas the purpose of Annex A is to decrease risks with controls. 

For further information, see:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/