We'll take you through everything you need to know about classification of information, and what this control means for your organisation's ISMS.
Craig Pepper
Threats to your organisation’s privacy and security are continuously on the rise, and it's more vital than ever to ensure your organisation implements measures to combat these threats. ISO27001 lays out the requirements for implementing an effective information security management system (ISMS) within your organisation. With the introduction of the 2022 version of the ISO27001 standard, these requirements have been recategorised and further clarified. Annex A 5.12 is Classification of Information.
Classification of information means to categorise information based on its sensitivity, value, and the level of protection it requires to remain secure. By doing so, your organisation can implement the correct measures to keep your information safe and maintain compliance with different requirements: legal, regulatory, and policy. The overall purpose of this is to ensure the protection of sensitive data from unauthorised access and disclosure which could harm your organisation or your customers.
Common classifications may include:
Ensuring information is appropriately classified is a common requirement of various laws and regulations, such as GDPR and HIPAA. It is also valuable for the NHS DSPT (Data Security and Protection Toolkit), a self-assessment tool that must be completed by any organisation that wishes to access NHS data or systems. Evidence item 1.1.4, for example, requires your organisation to identify, document and classify its hardware and software assets. The NCSC guidance linked in the evidence document strongly recommends classifying assets to ensure that the correct controls are in place for their security needs.
Annex A 5.12 is all about Classification of Information and expects your organisation to classify your information, record this classification, and implement appropriate measures for asset security based on its classification. This is to ensure that sufficient security controls are put in place for each of your information assets based on their sensitivity and relevance to your organisation.
The purpose of this control is to enhance the security and management of information within your organisation. By understanding the importance of your information assets and potential consequences for any unauthorised access, you can apply tailored security measures to safeguard your data and minimise potential risks that could have severe consequences for your organisation and stakeholders should an incident occur.
To implement this control, it's key that you have identified your information assets in a dedicated register, in line with Annex A 5.9, Inventory of Information and Other Associated Assets. You should assess the classification levels required for your organisation’s needs and regulatory requirements, and detail the specific criteria for each of these in a topic-specific policy. Each asset can then be assessed for what classification it should be assigned; your organisation can then work on implementing the correct security measures for each asset. Finally, you should ensure that employees are trained on your information classification policies and understand how they should be handling the information tied to their job role.
ISO27002 is a standard closely aligned to ISO27001, and is essentially guidance on how to effectively implement an ISMS to ISO27001 standards. We can compare the changes in the ISO27002 guidelines for each control to concretely ascertain what has changed in the ISO27001 version of the control. In the 2013 standard, this control maps directly to Annex A 8.2.1, Classification of Information.
The new control remains fundamentally the same as its previous iteration. However, there have been two key changes. Firstly, the control now expects information classification, and how it is interpreted, to remain consistent when information is transferred between organisations. This now explicitly requires an agreement between the organisations to ensure that information classification and protection measures remain consistent. The second change is that the control now expects your organisation to have topic-specific policies in place, a common change among the updated ISO27001:2022 controls.
Our security professionals have developed Harpe, a revolutionary tool to cover all your organisation’s security needs. Harpe is the best tool on the market to make compliance with important standards like Cyber Essentials and ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.
Upload your documents and assign them a classification in line with Annex A 5.12 to keep track of how your information should be handled in your organisation.
Train your employees on your Information Classification policy (and others!) with our training page, complete with annual reminders for re-training.
With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.