Information classification
Answer: ISO 27001 does not prescribe which categories to implement, so organizations are free to define the ones that best suit their needs, and these can either be based on legal requirements the organization must comply with (e.g., laws or regulations which define or recommend lists of categories), based on a framework developed by the organization itself, or based on market best practices.
2. Are there any other categories we can put the information into?
Answer: Other examples you can find are:
- Secret and Top secret
- Unclassified
- Non-sensitive
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
3. How do we really choose which categories we would put our information into?
Answer: Information is classified according to its value to the organization and the impact on the organization if the information is compromised, and these are some criteria you can use to value it:
- cost to replace the information
- cost to acquire the information
- loss of market share
- loss of competitive advantage
May 02, 2019