
Expert Advice Community
Confidentiality levels

Guest user Created:   May 09, 2019 Last commented:   May 09, 2019


Are the following confidentiality levels adequate, or would you recommend a different confidentiality level?

Expert
Dejan Kosutic May 09, 2019

ISMS Scope Document: Public (as customers might need to know what you are certified for)?
Information Security Policy: Public
Inventory of Assets: Restricted
Security Procedures for IT Department: Internal
IT Security Policy: Internal
Password Policy: Internal
Access Control Policy: Internal
Mobile Device & Teleworking Policy: Internal
Bring Your Own Device Policy: Internal
Incident management procedure: Internal
Statement of Acceptance of ISMS Documents: Internal
NDA for Suppliers: Restricted
NDA for Employees: Restricted
Security Clauses for Suppliers and Partners: Internal
Information Classification Policy: Internal
Competence (document describing what your profile and responsibilities must be as a potential employee): Public
Internal Audit Report: Internal
Internal Audit Checklist: Internal
Training and Awareness Plan: Internal
Results of access rights review: Internal
Results of the management review / Management Review Minutes: Restricted
Incident Log: Internal
Measurement Report: Internal
Records of monitoring and reviewing suppliers and partners: Internal
Erasure & destruction records: Internal
Records of testing backup copies: Internal
List of Legal, Regulatory, Contractual and Other Requirements: Internal
Corrective Action Form: Restricted

Answer:

The confidentiality level of a particular document is directly related to the potential damage if such a document leaks to unauthorized persons. Therefore, I cannot provide you with concrete feedback because I do not know what your risk assessment results are.

For example, if the NDA for suppliers contains no sensitive information then it could be classified as Public, but if it contains highly sensitive information then it should be classified as Restricted.

See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
