5.12 Classification of information

Information should be classified according to the organisation's information security needs based on confidentiality, integrity, availability, and relevant interested party requirements.

Information classification is a crucial practice within an organisation. The notion behind information classification is to help the organisation identify the proper access to the relevant information at the required time.

Information classification can be daunting practice. Most organisations struggle to understand the required level of access to employees within the organisation, as well as other interested parties out of the organisation. Keeping the right balance is a critical aspect of information classification. Too much secrecy violates the rules of availability, while unnecessary or excessive openness might compromise the confidentiality and integrity of information. Therefore, organisation needs to manage information classification using a good process. It is beneficial for the organisation to draft an Access Control policy that defines classification levels, people responsible for handling sensitive information, etc. A comprehensive and well-written Access Control Policy helps an organisation to reduce the risk of sensitive information disclosure to a great extent.