- ISO 27001 Control A.5.12 requires the classification of information, A.5.13 requires labeling, and A.7.10 requires the secure handling of storage media.
- Three to four classification levels suffice for most organizations: Public, Internal, Confidential, and optionally Strictly Confidential.
- Each level must be linked to concrete handling rules: What may be sent by email, what must be encrypted, what may be printed?
- Every piece of information needs a responsible person (information owner) who sets the classification and reviews it regularly.
- The policy is only effective if all employees are trained and the classification is practical in daily work.
Why information classification is indispensable
Not all information in your organization has equal protection requirements. The cafeteria menu has a different protection need than the customer list, and the customer list a different one than the administrator passwords. This sounds trivial, but without a formal classification, every employee decides at their own discretion which information is worth protecting and which is not.
The result: one person sends contract details by unencrypted email because they do not consider them particularly sensitive. Another stores credentials in plaintext on a shared drive, assuming only authorized users have access. A third routinely classifies everything as "confidential," so the label loses its meaning through overuse.
A classification policy creates uniform criteria. It defines levels, assigns protective measures to each level, and specifies who performs the classification. This turns individual judgment into a traceable, consistent process.
What the standards require
ISO 27001
ISO 27001 dedicates several controls to information classification:
A.5.12 Classification of Information: Information must be classified according to the requirements for confidentiality, integrity, and availability. The classification scheme must consider business requirements, legal requirements, and the sensitivity of the information.
A.5.13 Labelling of Information: Classified information must be labeled in accordance with the classification scheme. Labeling applies to both physical and digital information.
A.5.10 Acceptable use of information and other associated assets: The use of information must comply with the rules resulting from the classification.
A.7.10 Storage media: Storage media must be managed according to the classification scheme, including transport, disposal, and reuse.
NIS2
NIS2 does not explicitly require a classification scheme, but the requirements for appropriate security measures (Article 21) presuppose that you know what you need to protect and to what degree. Without classification, there is no risk-based selection and prioritization of protective measures, and that is exactly what NIS2 demands.
Defining classification levels
The first and most important decision: how many levels do you need, and what are they called?
Why less is more
The more levels you define, the harder it becomes for employees to assign the correct one. Five or six levels may sound differentiated on paper but in practice lead to nobody knowing the difference between "restricted" and "confidential," turning classification into a guessing game.
For most SMEs, three levels are sufficient. Those who need to cover more sensitive areas (e.g., personnel files, M&A transactions, research data) add a fourth level.
Recommended scheme
Level 1: Public
Information that may be published without restriction or is already publicly accessible. Its disclosure causes no harm.
Examples: Press releases, published product information, public website content, general contact information.
Level 2: Internal
Information intended for internal use. Its unintended disclosure would be embarrassing or could cause minor harm but does not endanger business operations.
Examples: Internal process documentation, organizational charts, meeting minutes, general project information, training materials.
Level 3: Confidential
Information whose unauthorized disclosure could cause significant harm to the organization, customers, or business partners. Access only for persons with a legitimate interest (need-to-know).
Examples: Customer data, contract contents, pricing and cost calculations, financial figures before publication, personnel files, technical system documentation, passwords and credentials.
Level 4 (optional): Strictly Confidential
Information whose disclosure would cause severe damage: existential business risks, massive legal consequences, or endangerment of individuals. Access restricted to named individuals.
Examples: M&A documents, unpublished patent applications, emergency keys, crisis management plans, information about ongoing litigation with high amounts in dispute.
Default classification
The policy must specify what applies when no explicit classification has been made. The recommended default level is "Internal." This ensures that unclassified information is not accidentally made public without drowning the organization in work by treating everything as "confidential."
Handling rules per level
Classification levels are only useful when every employee knows what the level means in practice. For this, the policy needs a handling matrix that defines concrete rules for each information type and level.
Example handling matrix
| Aspect | Public | Internal | Confidential | Strictly Confidential |
|---|---|---|---|---|
| Sending by email | Unrestricted | To internal recipients without restriction, external as needed | Only to authorized recipients, encryption recommended | Only encrypted, only to named approved recipients |
| Cloud storage | Unrestricted | Approved cloud services | Only in approved, encrypted cloud services | Not in cloud services, only on controlled systems |
| Printing | Unrestricted | Pick up personally at printer | Pick up personally at printer, do not leave unattended | Only with approval, printouts numbered, destroy after use |
| Disposal | Normal waste bin | Cross-cut shredder | Cross-cut shredder, media: certified destruction | Cross-cut shredder, media: physical destruction, documented |
| Sharing with third parties | Unrestricted | After review by business department | Only with NDA and approval | Only with NDA, individual approval by executive management |
| Storage on mobile devices | Unrestricted | Device encryption active | Device encryption, MDM required, container | Not on mobile devices |
| Sharing via messenger/chat | Unrestricted | Internal tools | Only via approved, encrypted channels | Not via digital channels, in person or by phone |
This matrix is a guiding framework. Adapt it to the specific circumstances of your organization.
Labeling
Classification is useless if the level is not visible. The policy must define how information is labeled.
Digital documents
- Header/footer: Classification level in the header or footer (e.g., "CONFIDENTIAL"). Document templates should include a field for this.
- File name: Optionally, the level as a prefix in the file name (e.g., "C_Contract_Customer_XY.pdf").
- Metadata: Classification stored in document properties.
- Email: Label in the subject line or as a standardized notice at the beginning of the message.
Physical documents
- Stamp or imprint: On the cover page and on every page (for confidential and strictly confidential documents).
- Color coding: Optional color-coded labeling (e.g., green stamp for "Internal," red stamp for "Confidential").
Systems and databases
- System classification: Systems are classified according to the highest classification level of the data stored within them. The prerequisite for this is a well-maintained IT asset inventory.
- Room classification: Server rooms and archives are classified according to the information they contain, and access is regulated accordingly.
Pragmatic approach
The policy should remain realistic. Not every email and every document will be labeled in practice. The policy may specify that labeling is recommended for "Internal" and mandatory for "Confidential" and "Strictly Confidential." Information at the "Public" level does not require a label, although one can be useful to make clear that the information is intentionally designated for the public.
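The labeling conventions above and the handling matrix from the previous section lend themselves to a small policy-as-code check of the kind a DLP rule or a pre-send hook would run. The following Python is an added example, not code from the article or from ISMS Lite: it resolves a document's effective level from the file-name prefix, the document metadata and the header label, applies the default of "Internal" when no label is present, flags documents whose labels disagree, and evaluates a requested action against the handling matrix. The `P_`, `I_` and `SC_` prefixes (the article only shows `C_`), the `classification` metadata key, the condition names and the rule that the highest label wins on conflict are assumptions chosen for illustration.

```python
"""Resolve a document's classification from its labels and check a handling
rule against it. Added example; prefixes other than "C_", the "classification"
metadata key and the rule encoding are assumptions, not the article's."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered so that max() picks the more protective level."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    STRICTLY_CONFIDENTIAL = 4


DEFAULT_LEVEL = Level.INTERNAL  # policy default for unlabelled information

# File-name prefixes: "C_" is the article's example, the others are assumed.
PREFIXES = {"SC_": Level.STRICTLY_CONFIDENTIAL, "C_": Level.CONFIDENTIAL,
            "I_": Level.INTERNAL, "P_": Level.PUBLIC}

# Label words as found in headers, footers, subject lines or metadata.
# Longest first: "CONFIDENTIAL" is a substring of "STRICTLY CONFIDENTIAL".
LABELS = [("STRICTLY CONFIDENTIAL", Level.STRICTLY_CONFIDENTIAL),
          ("CONFIDENTIAL", Level.CONFIDENTIAL),
          ("INTERNAL", Level.INTERNAL),
          ("PUBLIC", Level.PUBLIC)]


@dataclass
class Document:
    filename: str
    metadata: dict = field(default_factory=dict)  # e.g. {"classification": "Confidential"}
    header: str = ""  # text of the document header/footer, if any


def parse_label(text):
    """Map a free-text label to a Level, or None if no label word is present."""
    upper = text.upper()
    for word, level in LABELS:
        if word in upper:
            return level
    return None


def resolve_level(doc):
    """Return (level, labels_found, conflict). All label sources are read; the
    highest level wins (assumption: disagreeing labels make the document the
    more sensitive one and flag it for the owner). No label yields the default."""
    found = {}
    for prefix, level in PREFIXES.items():
        if doc.filename.startswith(prefix):
            found["filename"] = level
            break
    meta_level = parse_label(doc.metadata.get("classification", ""))
    if meta_level is not None:
        found["metadata"] = meta_level
    header_level = parse_label(doc.header)
    if header_level is not None:
        found["header"] = header_level
    if not found:
        return DEFAULT_LEVEL, found, False
    return max(found.values()), found, len(set(found.values())) > 1


# Handling matrix as data: per action and level, the conditions that must all
# hold; None means the action is not permitted at that level. Encoded from the
# article's matrix; "encryption recommended" is deliberately not a condition.
RULES = {
    "email": {Level.PUBLIC: set(), Level.INTERNAL: set(),
              Level.CONFIDENTIAL: {"authorized_recipients"},
              Level.STRICTLY_CONFIDENTIAL: {"encrypted", "named_recipients"}},
    "cloud_storage": {Level.PUBLIC: set(), Level.INTERNAL: {"approved_service"},
                      Level.CONFIDENTIAL: {"approved_service", "encrypted"},
                      Level.STRICTLY_CONFIDENTIAL: None},
    "mobile_device": {Level.PUBLIC: set(), Level.INTERNAL: {"device_encryption"},
                      Level.CONFIDENTIAL: {"device_encryption", "mdm", "container"},
                      Level.STRICTLY_CONFIDENTIAL: None},
    "messenger": {Level.PUBLIC: set(), Level.INTERNAL: {"internal_tool"},
                  Level.CONFIDENTIAL: {"approved_encrypted_channel"},
                  Level.STRICTLY_CONFIDENTIAL: None},
}


def check_handling(level, action, context):
    """Return (allowed, missing_conditions) for an action in a given context."""
    required = RULES[action][level]
    if required is None:
        return False, ["not permitted at this level"]
    missing = sorted(c for c in required if not context.get(c, False))
    return not missing, missing


# Constructed sample documents (not real files).
SAMPLE_DOCS = [
    Document("C_Contract_Customer_XY.pdf", {"classification": "Confidential"}),
    Document("Offer_2024.docx"),                                              # unlabelled
    Document("I_Minutes.docx", {"classification": "Strictly Confidential"}),  # labels disagree
    Document("Press_release.txt", header="PUBLIC - for immediate release"),
]


def audit(docs):
    """Effective level of each document and whether its labels conflict."""
    return [(d.filename, resolve_level(d)[0].name, resolve_level(d)[2]) for d in docs]


if __name__ == "__main__":
    for name, level, conflict in audit(SAMPLE_DOCS):
        print(f"{name:30} {level:22} {'LABEL CONFLICT' if conflict else ''}")
    ok, missing = check_handling(Level.CONFIDENTIAL, "cloud_storage", {"approved_service": True})
    print("confidential -> cloud storage:", "allowed" if ok else f"blocked, missing {missing}")
```

The matrix's "encryption recommended" for Confidential email is deliberately left out of the conditions: turning a recommendation into a hard block is a policy decision for the information owner and ISO, not something a script should decide on its own. The conflict flag is the part worth wiring into a review queue, since a file whose name says "Internal" but whose metadata says "Strictly Confidential" is exactly the case the annual owner review is meant to catch.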
Roles and responsibilities
Information owner
Every piece of information (or information group) needs a designated responsible person. The information owner is typically the head of the business department that creates or primarily uses the information:
- Personnel data: HR management
- Financial data: Finance/controlling management
- Customer data: Sales management or executive management
- Technical system documentation: IT management
- Contract data: Legal department or executive management
The information owner has the following duties:
- Determining the classification level
- Regular review (at least annually) and adjustment as needed
- Approving access to the information
- Deciding on declassification or destruction
In ISMS Lite, the assignment of information owners to their data assets can be centrally managed, including automatic reminders for the annual classification review.
All employees
Every employee is obligated to observe the classification and comply with the handling rules. Anyone who creates information that does not fall into an existing assignment applies the default value "Internal" and consults the information owner or the Information Security Officer (ISO) when uncertain.
ISO
The Information Security Officer maintains the policy, advises on classification, monitors compliance, and conducts spot checks.
Lifecycle of classified information
Information does not retain its classification forever. The policy must cover the entire lifecycle.
Creation and classification
Information is classified at the time of creation or when it enters the organization. The creator performs the initial classification, guided by the defined criteria and the default level.
Use and sharing
During active use, the handling rules of the respective level apply. When sharing information with others, whether internal colleagues or external parties, the recipient must be informed of the classification.
Change of classification
When the sensitivity of information changes (e.g., after publication of an annual report, the level drops from "Confidential" to "Public"), the information owner adjusts the classification. Upgrades may also be triggered by changed legal requirements or new threats.
Archiving
Archived information retains its classification. The archiving environment must meet the protection requirements of the highest classification level it contains.
Destruction
When information is no longer needed and no retention obligations exist, it is destroyed according to the handling rules of its level. The destruction of confidential and strictly confidential information is documented.
Common mistakes and how to avoid them
Over-classification
If everything is "confidential," nothing is confidential. Over-classification causes employees to ignore labeling because the label is overused. The policy should emphasize that classification must match the actual protection requirement and that over-classification is just as problematic as under-classification.
Missing handling rules
A policy that defines levels but does not specify what to do in practice leaves employees at a loss. The handling matrix is not an optional appendix but the most practically relevant part of the policy.
Classification as a one-time act
Many organizations classify once and then forget about it. The policy must define a review cycle: at least annual review by the information owners, plus event-driven reviews.
No training
If employees do not know the levels and the handling rules, the policy is ineffective. A structured security awareness program — a short training at introduction and refreshed annually — makes the difference.
Ignored interfaces
The classification policy must be integrated with other policies. The access control policy is based on classification levels. The backup policy defines retention periods by classification. The cryptography policy specifies which encryption applies per level.
Classification in practice: How to start
Introducing a classification policy does not have to begin with a mammoth project. A pragmatic approach in three phases has proven effective.
Phase 1: Lay the foundations. Create the policy, define levels, set up the handling matrix, designate information owners for the most important data assets. In this phase, you classify the obvious cases: customer data is confidential, press releases are public, general process documentation is internal. The result is an approved policy and an initial rough classification of the most important data assets.
Phase 2: Broad implementation. All business departments classify their key data assets. Training takes place. Labeling is introduced. Templates and document formats are adapted. This phase typically takes three to six months, depending on company size.
Phase 3: Deepening and integration. Classification is integrated into technical systems (DLP, access rights, email encryption). Automated controls support manual classification. Annual review is established. Deviations are checked in the internal ISMS audit.
This phased approach prevents the project from overwhelming the organization while still delivering initial results quickly that are presentable in an audit.
Example outline for a classification policy
- Purpose and scope
- Terms and definitions — Information owner, classification level, need-to-know
- Normative references — ISO 27001 A.5.10, A.5.12, A.5.13, A.7.10
- Classification levels — Definition and criteria for each level
- Default classification — What applies when not explicitly classified?
- Handling matrix — Rules per level and information type
- Labeling — Digital and physical
- Roles and responsibilities — Information owner, employees, ISO
- Classification process — Initial classification, change, declassification
- Lifecycle — Creation, use, archiving, destruction
- Training and awareness
- Exceptions and risk acceptance
- Review and update
- Effective date and approval
From policy to living system
Introducing a classification policy is a change project. You are changing how employees handle information. This requires communication, training, and above all, practicality. If the policy unnecessarily complicates daily work, it will be circumvented. If it is understandable and the handling rules fit into existing work processes, it will be embraced.
ISMS Lite maps the complete policy lifecycle: you create the classification policy with AI support, automatically version every change, obtain digital acknowledgment from all employees, and have management approve it with a signature. This makes classification not a paper tiger but a binding part of your ISMS.
Further reading
- Protection needs assessment: Systematically evaluating what needs protecting
- Creating an information security policy: Structure, content, and practice
- Access control policy: Physical and logical
- Creating a cryptography policy: Algorithms, key lengths, and lifecycle
- Policy lifecycle: From creation to retirement
