Labelling information
Quick question on the requirement to classify and label information. Are we expected to do this for all historical documentation as well as documentation moving forward?
ISO 27001 does not prescribe what needs to be done with documentation created prior to the implementation of the Information Security Management System, so organizations are free to decide how to classify and label information.
The organization can simply define that documentation created in the past has a standard classification (e.g., internal) and is labeled accordingly, or that it is not classified and labeled at all.
For further information, see:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Jul 19, 2023