
Expert Advice Community

Information classification and labeling

Guest (Lajvar) Created: Feb 26, 2021 Last commented: Mar 02, 2021

I have asked for documentation to review whether it has the correct label of confidential or restricted. The documentation sent did not have any labeling and I put an observation there, but the auditee answered me this:

"Information requested for audit is defined as confidential by principles and definition. It can't be used to mark as evidence related to information classification and labeling. The correct evidence is if the auditor finds evidence of restricted and confidential information being shared within the scope without correct labeling."

Is this correct? I took it as a nonconformity because the records and reports did not have the appropriate labeling.


Expert
Rhand Leal Mar 02, 2021

For this answer, I’m assuming that control A.8.2.2 - Labelling of information, is considered applicable in the Auditee’s Statement of Applicability.

Considering that, please note that this situation needs to be considered in the context of the auditee’s procedures for labeling of information (ISO 27001 Annex A control A.8.2.2 - Labelling of information – requires procedures for information labeling to be developed and implemented).

In case there is a documented procedure for information labeling (the control does not require related procedures to be documented), you need to check what this document defines regarding labeling of information requested for audit. If there is no documented procedure, you need to check additional evidence to understand the common practice (e.g., by interviewing other people to see if they share the same understanding regarding the labeling of information requested for audit).

From this evaluation, you can decide if this situation is a common practice or if there is a failure to fulfill an expected behavior (i.e., a nonconformity).

This article will provide you with a further explanation about information labeling:

These materials will also help you regarding information labeling:
