Control A.8.2 Information Classification
Provided management has accepted the risks that would require implementation of control A.8.2.1 Classification of information, and there is no legal requirement (e.g., law, regulation, or contract) demanding that this control be implemented, this fulfills the standard’s requirements and is OK for certification purposes (the fact that the auditor “likes” this or not is irrelevant).
In case you decide to implement the control, the way you propose is acceptable for certification purposes (i.e., a single classification for all information and a reclassification process for information to be sent to external parties).
For further information, see:
- Implementation of security controls https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Jun 17, 2022