Information classification and Labeling
1 - As part of the ISO 27001 Certification Audit, when we classify the information in the Company, do we have to classify the info just related to ISMS (for example Advisera Toolkit Docs) or all project-related info?
2 - And does each and every Information Processing Asset (Laptop, Server, Printer) of the Organization need to be labeled? If yes, can you suggest the way of labeling?
1 - As part of the ISO 27001 Certification Audit, when we classify the information in the Company, do we have to classify the info just related to ISMS (for example Advisera Toolkit Docs) or all project-related info?
ISO 27001 does not prescribe which information to classify, so you can choose what you want to classify - this can be only the ISMS documentation, all documentation, or any other combination.
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2 - And does each and every Information Processing Asset (Laptop, Server, Printer) of the Organization need to be labeled? If yes, can you suggest the way of labeling?
ISO 27001 does not prescribe which assets must be labeled, so organizations can label them as they see fit.
For laptops and servers, a good way of labeling is by including classification labels in the operating system's login screen, and in every information system screen accessed through that asset.
In the case of printers, it makes more sense to label the documents they print. In case they are used only to print sensitive information, a better approach would be to install the printer in a location with controlled access (e.g., a restricted room).
Apr 24, 2020