Data Classification ISO 27001
ISO 27001 – Meeting the Information Classification Requirements
In this article, I’ll focus more directly on the areas of document classification, and how TITUS products support the ISO 27001 standard for labeling and handling of documents and information.
Firstly, you’ll notice that the ISO 27001 standard has only a few simple, specific requirements around classification, labeling and handling of documents and messages. However, there are several important concepts throughout the standard that imply the use of consistent classification and labeling practices. So, the motivation for having solid classification and labeling tools comes from more than just the few explicit references to these requirements within the standard.
Let’s examine the sections that have requirements related to classification and labeling.
Explicit and Implicit ISO 27001 Requirements
Section 5.1 – Information Security Policy
The requirement to have information security policies includes the need to have appropriate guidance around identification and valuation of assets. It is through this type of policy that the foundation and mandate for classification of messages and files is defined.
Section 6.2 – External Parties
The requirement to have control over information shared with customers and other external parties implies that any information shared outside the organization has first been identified as sharable. If there is no classification system in place, those sharing the information have far less consistent means of making this assessment.
Section 7.1 – Asset Management
The requirement to identify owners, classifications and restrictions is an explicit provision of the standard. This relates to the planning, preparation and creation of metadata whenever files, messages or other data are created.
Section 7.2 – Information Labeling and Handling
The requirement to define procedures for labeling and handling is also an explicit provision of the standard. This covers the classification process itself as well as the application of the classifications when handling files, messages or other data after they have been classified.
Section 10.6 – Network Controls
The requirement to control and protect the network from threats implies that sensitive data must be prevented from being accessed or moved outside the protection of the network. It is much easier to put these principles into effect through automated safeguards when the data is classified and labeled.
Section 10.7 – Media Handling and Disposal
The requirement to dispose of media securely and safely implies that all media must be identified with metadata about its owner, creation date and retention requirements. In addition, this section addresses proper handling to avoid unauthorized disclosure or misuse. Again, this is much easier to manage when media and information are appropriately classified, categorized and labeled.
Section 10.8 – Information Exchange and Messaging Policies and Procedures
The requirement to provide formal policies and controls for communication exchanges is another explicit provision of the standard. It governs information transfers based on the sensitivity and other characteristics of the information, which can be identified and applied through classification and labeling. The complexity of messaging systems justifies an increased level of detail around message classification, categorization and labeling.
Section 15 – Compliance
The requirement to be able to demonstrate compliance implies that evidence can be produced showing how policies have been followed and enforced, for example during an audit or investigation. This is a much simpler process to complete successfully when all forms of information assets have been properly classified, categorized and labeled.
Complete ISO 27001 Coverage Through Titus Solutions
As an organization progresses through the process of implementing the ISO 27001 standard, it will become evident that nearly every aspect of compliance becomes easier if automated tools can be used to create evidence and enforce compliance. TITUS Document Classification (TDC) provides flexibility and ease of use for every user who creates business documents. TITUS Message Classification (TMC) also provides powerful capabilities for defining and managing the metadata required to control information exchanges.