Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets, and that for information classification, the asset value is defined in terms of legal requirements, value, criticality, and sensitivity to compromise due to realized risks, not by the CIA.
Considering that, the reason why we do not have such a mapping is that it is not prescribed by the standard, and it only complicates things (like risk assessment and information classification), because different levels of CIA can be associated with the same classification level and vice versa.
Regarding mapping, what you can do is use in the Information Classification Policy the impact value for the asset, identified in the risk assessment, as the basis for the classification.
To see what an Information Classification Policy compliant with ISO 27001 looks like, please access the template demo at this link: https://advisera.com/27001academy/documentation/information-classification-policy/
This article may be interesting to you:
- Information classification according to ISO 27001: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Sep 21, 2020