Information classification
1. How to clearly differentiate the cases in which I label the information as vital, working standard, restricted, group restricted, confidential, strictly confidential.
Answer: First of all, regarding your initial comment, you may be confusing the terms classification and labelling.
For information security, information classification means the identification of the value of the information to the organization, and this is generally done based on the results of the risk assessment: the higher the consequences of unauthorized access or disclosure of the information, the higher the classification should be.
On the other hand, information labelling refers to how the people who manipulate the information can quickly identify its classification and thus handle it correctly. For labelling, you can simply include in the label the classification level defined for the information (e.g., include in the header the words "vital", "confidential", etc.), or, if you do not want identification to be so obvious, you can use a code that only internal personnel will be familiar with (for example, a colour code or number identification).
2. Who is the Information Owner? The Head of the department who handles the information flow or the information creator (so the one who writes the document)?
Answer: If the information is handled by few people or in a centralized way, the head of the department would be a better choice to be the information owner, because he is in a better position to ensure the information is protected. On the other hand, if the information is handled by many people or in a decentralized way, the information creator, or the person handling the information, would be a better choice to be the information owner.
These articles will provide you with further explanation about information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding information classification:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Dec 08, 2017