Information classification and labeling
I have asked for documentation to review if they have the correct label of confidential or restricted. The documentation sent did not have any labeling and I put an observation there, but the auditee answered me this:
"Information requested for audit is defined as confidential by principles and definition. It can't be used to mark as evidence related to information classification and labeling. The correct evidence is if the auditor finds evidence of restricted and confidential information being shared within the scope without correct labeling."
Is this correct? I took it as a nonconformity because the records and reports did not have the appropriate labeling.
For this answer, I’m assuming that control A.8.2.2 - Labelling of information, is considered applicable in the Auditee’s Statement of Applicability.
Considering that, please note that this situation needs to be considered in the context of the auditee’s procedures for labeling of information (ISO 27001 Annex A control A.8.2.2 - Labelling of information – requires procedures for information labeling to be developed and implemented).
In case there is a documented procedure for information labeling (the control does not require related procedures to be documented), you need to check what this document defines regarding labeling of information requested for audit. If there is no documented procedure, you need to check additional evidence to understand the common practice (e.g., by interviewing other people to see if they share the same understanding regarding the labeling of information requested for audit).
From this evaluation, you can decide if this situation is a common practice or if there is a failure to fulfill an expected behavior (i.e., a nonconformity).
This article will provide you with a further explanation about information labeling:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
These materials will also help you regarding information labeling:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Foundations Course (free online training) https://advisera.com/training/iso-27001-foundations-course/
Mar 02, 2021