Information and Classification Policy

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

While we were writing this policy we came up with the solution to have a three-level classification - client confidential, business confidential and public.

DejanK Jan 12, 2016

Yes, ISO 27001 allows you to use any classification levels you find appropriate.

Example - client confidential covers Client data contained or created using our application software or custom reports created with database tools, Email communications with clients, etc. Is this kind of classification acceptable?

Answer: You should not prescribe the classification levels for particular information in advance - asset owners should decide on classification levels once they assess the confidentiality of particular information in question.

It would be a bit of a complication to label some of the information, so is it acceptable to prescribe that they are not labeled? Just to believe that awareness would be enough?

Answer: Theoretically this is possible, but it is not really recommendable. The problem is the following: if you prescribe that all the information is classified if unlabeled, then you are always in danger that someone did not know about this rule.

Should we classify information by the most important one from the group - for most of the contracts with clients there is the same level of confidentiality, but there are always a couple of them which are super, top level confidential. Should we, because of this, classify all the contracts as top level confidential?

Answer: Probably the best approach in this situation is to classify different contracts with different levels of confidentiality.

By the way, this article will help you: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
