
Expert Advice Community


Information Classification Questions

Guest user — Created: Jun 02, 2016, Last commented: Jun 02, 2016

1. Whose responsibility is it to enter information assets into the asset inventory? As the Information Security lead, should that be facilitated by me?


Expert: Dejan Kosutic, Jun 02, 2016

Answer: ISO 27001 doesn't specify who it should be, so you can do whatever you feel is appropriate for your company. Very often this job is really done by the person in charge of security.

2. Does it make a difference that my asset inventory is also my risk assessment table? Is there any additional information that I should include? e.g. a column for classification level, labelling requirement, handling information.

Answer: ISO 27001 allows you to use one sheet for both risk assessment and asset inventory - this is very often done in smaller companies. ISO 27001 requires you only to include the asset owner in this sheet, but you can add other information if you feel this is necessary for you.

3. If a new asset needs to be entered to the inventory would you immediately perform a risk assessment on that asset to ensure appropriate controls are put in place?

Answer: If this is an important asset (i.e. if that asset can significantly influence the confidentiality, integrity and availability of your information), then the answer is yes; if the asset is not important, then the risk assessment will be done during the first risk review.

4. How should a list of authorised persons be structured and where should it be stored? Should there be a separate list for each asset that requires one?

Answer: You should use a list of authorized persons only for highly confidential information, not for all classified information that you handle. For example, if you have a document that specifies your company's strategy to acquire a competitor, such a document will have one list of authorized persons who can access it; if your company has admin passwords printed out and stored in a safe, then you will have a different list of persons for this particular document. The best thing is if this list is attached to the document itself.

5. Do you have to include labelling for information systems, databases, applications etc? In some cases this may not be practical.

Answer: You should include labeling, but in case of information systems, databases, applications, etc. this could be displayed only on the login screen.

6. Further to question 4, would you have to put a label on every USB stick in use? And would labelling be required for PCs and laptops?

Answer: You could define a rule where this labeling is required only if these media contain highly confidential information; if you have less confidential information, then you can define a rule where those media are not labeled at all - you can simply say that it is assumed all the assets contain information which is classified with the lowest level of confidentiality.
