Information Classification Policy
INFORMATION CLASSIFICATION POLICY
Version 1.0
Document type Policy
Document owner
Document location
Effective from
Status
Approved by
Classification
[organization's logo]
APPROVAL HISTORY
VERSION DATE APPROVED BY DEPARTMENT
1.0
REVISION HISTORY
VERSION DATE CREATED BY DESCRIPTION OF CHANGES
1.0 01.01.2023 Aron Lange Initial release
Table of Contents
1 PURPOSE
2 SCOPE
3 TERMS AND DEFINITIONS
4 RELATED DOCUMENTS
5 POLICY
5.1 Responsibilities
5.2 Information classification scheme
5.3 Communication
6 COMPLIANCE
6.1 Measurement
6.2 Exceptions
6.3 Violations
1 PURPOSE
The purpose of this policy is to define the rules and guidelines for classifying the organization's
information according to its sensitivity and its criticality to information security.
2 SCOPE
This policy applies to all information assets that are owned, used, or managed by the
organization, regardless of their format, location, or medium. This policy also applies to all
employees, contractors, consultants, and other parties who have access to the organization's
information assets.
4 RELATED DOCUMENTS
The following documents are related to this policy:
5 POLICY
5.1 Responsibilities
5.1.1. Information user: responsible for accessing and using the information asset in
accordance with its classification level and the information handling policy, and for
reporting any breach or incident involving the information asset to the information
(asset) owner.
5.1.2. Information (asset) owner: responsible for classifying the information asset, for
reviewing and updating its classification, and for approving access to and use of the
information asset by information users.
5.2 Information classification scheme
The organization shall classify all information assets according to their sensitivity and their
criticality to information security, using the following classification levels:
Public: Information that can be freely disclosed or shared with anyone, without any restrictions
or consequences. Disclosure of public information would cause no harm to the organization.
Examples
- The organization's website, social media, and press releases
- The organization's annual reports, financial statements, and sustainability reports
- The organization's products, services, and customer testimonials
Internal: Information that may be disclosed or shared within the organization, but not with
external parties without authorization or approval. Disclosure of internal information would
cause minor reputational damage or minor operational impact.
Examples
- The organization's policies, procedures, and guidelines
- The organization's employee directory, newsletter, and intranet
- The organization's performance reviews, training records, and feedback surveys
Confidential: Information that may be disclosed or shared only with specific individuals or
groups who have a legitimate need to know and who are bound by confidentiality agreements
or obligations. Disclosure of confidential information would have a significant short-term
impact on operations or business objectives.
Examples
- The organization's business plans, strategies, and budgets
- The organization's contracts, agreements, and proposals
- The organization's customer data, personal data, and intellectual property
Secret: Information that may be disclosed or shared only with the highest level of authorization
or approval, and only with the minimum number of individuals or groups who have a critical
need to know and who are bound by the strictest confidentiality agreements or obligations.
Disclosure of secret information would have a serious impact on long-term business objectives
or put the survival of the organization at risk.
Examples
- The organization's mergers, acquisitions, and divestitures
- The organization's security incidents, breaches, and investigations
- The organization's trade secrets, research and development, and innovation projects
5.3 Communication
5.3.1. The information classification policy shall be communicated to all persons within the
scope of the ISMS by [describe when and how to communicate or reference to a
communications plan].
5.3.2. This policy may (not) be shared and communicated with interested parties.
6 COMPLIANCE
The organization shall ensure the compliance and effectiveness of the information classification
policy and its implementation, and handle any exceptions, deviations, or violations accordingly.
6.1 Measurement
The organization shall measure the compliance and effectiveness of the information
classification policy and its implementation, using the following methods:
- Periodic audits and reviews of the information assets and their classification levels and
labels
- Periodic surveys and feedback from the information owners, users, and custodians
- Periodic reports and statistics on the information security incidents and breaches
involving the information assets
6.2 Exceptions
The organization shall handle any exceptions or deviations from the information classification
policy and its implementation, using the following procedures:
- [role] shall document and justify the exception or deviation, and obtain approval from
senior management or the information security committee
- [role] shall communicate and implement the exception or deviation, and monitor and
evaluate its impact and outcome
- [role] shall review and update the exception or deviation, and report any issues or
incidents to senior management or the information security committee
6.3 Violations
Members of the organization found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.