Information labeling
I'm contacting you to ask you some questions in A.8.2 information classification.
1. Is the classification of information based on confidentiality and integrity?
2. What's the purpose of information labeling? Is that just for informing internal employees?
3. Is it necessary to label all physical and electronic information?
Here are the answers:
1. Is the classification of information based on confidentiality and integrity?
ISO 27001 control A.8.2.1 allows you to classify information according to legal requirements, value, criticality and sensitivity - therefore, you are not limited to confidentiality and integrity. However, in most cases, companies classify information based on confidentiality.
See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2. What's the purpose of information labeling? Is that just for informing internal employees?
The purpose is to inform anyone who gets in contact with classified information about the level of classification. Without the users knowing what the level of classification is, the classification itself wouldn't make sense.
3. Is it necessary to label all physical and electronic information?
You can declare the control A.8.2.2 Labelling of information as inapplicable if there are no related risks nor legal or contractual requirements.
Even if you declare this control as applicable, you can define the level of classification for a particular type of information (e.g. applications) through a policy, so that labelling of such information is not needed.
Dec 26, 2019