Expert Advice Community

Guest

Control A.8.2 Information Classification

Guest user Created: Jun 17, 2022 Last commented: Jun 17, 2022


As a small business, we are inclined not to implement the Annex A control Information classification, since after the risk assessment management has taken a decision to accept the risk. However, we have also been told that this is a critical control that some auditors don't like to see left unimplemented. Therefore, as an alternative for that control, could we have all our documents classified as internal and, in case we need to provide sensitive information to external parties, for example, have a process of approvals and change the classification based on the document complexity?

Expert
Rhand Leal Jun 17, 2022

Provided management has accepted the risks that would require implementation of control A.8.2.1 Classification of information, and there is no legal requirement (e.g., law, regulation, or contract) demanding this control to be implemented, this fulfills the standard's requirements and is OK for certification purposes (the fact that the auditor "likes" this or not is irrelevant).

In case you decide to implement the control, the way you propose is acceptable for certification purposes (i.e., a single classification for all information and a reclassification process for information to be sent to external parties).

For further information, see:
