Expert Advice Community


SoA classification level

Guest user. Created: Jul 26, 2019. Last commented: Jul 26, 2019.

What level of confidentiality is normally chosen for the Statement of Applicability? Internal use? Restricted? I guess only these two are relevant?!

Expert
Rhand Leal Jul 26, 2019

Answer:
Because the SoA contains a lot of information about how the organization approaches information security, it is a sensitive document, and access to it should be restricted to personnel who require it to perform their activities (e.g., top and middle management, and the security officer); in most cases this does not cover all employees. Considering that, in most classification frameworks the lowest level which has this kind of restriction is the "Restricted" level, but you have to check your own framework to confirm that. You should avoid using the highest classification level you have, because in most scenarios the highest classification level will demand controls that will be too much for protecting the SoA.

For further information see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/