Information Classification Policy - “labeling” of information
I am going through the documentation and have a question regarding the Information Classification Policy.
More precisely regarding “labeling” of information. I would like to stick as close as possible to the default document.
However, as a B2B communication agency almost all information we manage (and that is a lot) can be classified as “Internal use”.
Is it ok to specify that all “(unlabeled)” or “INTERNAL” labeled information is to be considered “internal use”?
So that we can avoid needing to label just about everything with the same label.
Could an alternative be to use “(unlabeled)” for “internal use” and “public” for “public” assets?
ISO 27001 does not prescribe how to define information labeling, so your proposed scheme is acceptable by the standard (i.e., keep “Internal use” information unlabeled, and label public information as public).
These articles will provide you with further explanation about information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
These materials will also help you regarding information classification:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jan 13, 2021