Regarding the Information Classification Policy on infomation labeling, does this need to be applied on historical data as well? eg. stamp "confidential" on all paper documents from 2022 and below
Assign topic to the user
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now 
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now
The need for labeling historical data will depend on the results of risk assessment and applicable legal requirements (e.g., laws, regulations, or contracts).
For example, due to relevant risks or a contract with customers, you may need to keep at least the historical data from two previous years classified, so you need to label them according to the related information classification level.
In most cases we see that companies are not classifying documents and records created before the start of the ISO 27001 project.
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Comment as guest or Sign in
Mar 15, 2023