What is ISO 27001 Information Security Management? ISO 27001 is a specification for an Information Security Management System (ISMS), a framework for policies, procedures, and controls involved in a company's information risk management processes. The framework is published by International Organization for Standards (ISO)
To whom does the ISO 27001 apply? ISO 27001 is a framework for implementing an ISMS and, therefore, usually not a requirement that has to be followed. Some companies require that their vendors are certified in ISO 27001 to ensure that the vendor has implemented appropriate policies, procedures, and controls for managing information security. Many companies use the ISO27000 as a framework for implementing good ISMS practices without ever planning on getting certified. Only accredited certification bodies can authorize a company with ISO27001.
What about the other ISO 2700x documents? The ISO 27000 family consists of many documents, each with a specific purpose. The ISO 27001 has an organizational focus that details the requirements against which an ISMS can be audited. ISO 27002 gives a much more concrete list of control objectives and controls to be implemented. So, when looking to see what ISO 27000 says about data classification, we want to look at the ISO 27002 document.
What does ISO 27002 say about data classification? Under A.8 Asset Management, control objective A.8.1 Classification of information has the following goal: "Ensure that information has a sufficient protection level by its value for the Organization." To ensure this goal, control 8.1.1 is Classification of information.
Where else in ISO 27002 is data classification mentioned?
It is not mentioned directly anywhere else, but it does affect some other controls like:
A.8.2.2 Labelling of information: To label the documentation's confidentiality level, you must have performed a data classification first.
A.9.1.1 Access control policy: What is the policy of accessing information based on the classification level. If you restrict access to confidential documents, then you must also have classified the documents first.
A.9.4.1 Limitation of access to information: Based on the policy in A.9.1.1, you restrict access to data based on its confidentiality level, which requires you to have classified the documents first.
A.10.1.1 Policy for the use of cryptographic controls: If you are to use encryption to protect the information's confidentiality, you must have classified the info first. Otherwise, you would encrypt everything or nothing because you do not know which documents are confidential and necessary to protect.
A.16.1.2 Reporting information security incidents: You must report any breaches to the confidentiality, integrity, or availability of the information. This is easier done when you already have done the data classification.
Summary: To have a good ISMS, you should perform a Classification of information. Otherwise, you will fail domain 8 Asset Management and have remarked on several other parts.