Expert Advice Community
Information classification template

Guest user, created: Aug 05, 2018, last commented: Aug 05, 2018

I am working on document A.8.3. In this document the following is stated:

"Step name: Entering the information asset in the Inventory of Assets
Responsibility: Chief Information Security Officer"

Further down in the document there is mention of “3.2.4 Reclassification” where asset owners are to review the confidentiality level of their assets with a certain time interval. Then “3.3 Information labelling” gives instructions on labelling of e.g. electronic documents and electronic mail etc.

All this implies that each and every one of such documents should be listed in the Inventory of Assets (IoA).

Our employees produce dozens of e-mails and electronic documents every week. If the CISO has to enter all these documents in the IoA, this is a full-time job in an organisation with only 15 employees or so!

Can you please give me a practical way of dealing with this problem?

General remark: I keep running into these kinds of issues where I am not able to find any examples or practical solutions in your documentation or Secure and Simple.

Expert
Rhand Leal Aug 05, 2018

Answer: You do not need to identify emails and electronic documents individually in your inventory of assets. You can use a single identification for them (e.g., e-mails and electronic documents) and define only once how all of them will be classified and treated.

Please note that the Information Classification Policy is not a mandatory document, nor are the A.8.3 classification controls mandatory. In other words, if there are no risks nor specific requirements for implementing those controls, you can exclude them in your Statement of Applicability, and in such case you wouldn’t need to perform classification at all.

Regarding doubts you may find when filling templates, included in your toolkit you have access to video tutorials that can help you fill some templates (e.g., risk assessment table), using real data. If the tutorials are not enough to clarify your doubts, you can schedule a meeting with one of our experts so he can help you. To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/

These articles will help you with information classification and asset register:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
