
Control 5.12: Classification of Information


Summary

The organization must classify information according to its security requirements based on confidentiality, integrity, availability, and relevant interested party requirements. This ensures that information receives an appropriate level of protection relative to its importance to the business.


Applicability

In-Scope: Critical for all organizations to ensure that security resources are focused on the most sensitive data. It is a mandatory prerequisite for implementing technical data loss prevention (DLP) and meets regulatory requirements for handling personal or sensitive information.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Data Labeling: Use Microsoft Purview Information Protection to create sensitivity labels (e.g., Public, Internal, Confidential, Highly Confidential).

  • Automatic Classification: Configure auto-labeling policies to detect sensitive information types, such as credit card numbers or government IDs, across SharePoint and Exchange.

  • Visual Marking: Apply headers, footers, or watermarks automatically to documents based on their assigned sensitivity label to ensure clear visibility of the classification.
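The three guidance points above, carried out in Security & Compliance PowerShell as an added example (this script is not part of the page or of Microsoft's documentation). It assumes the ExchangeOnlineManagement module is installed, that the operator holds a role allowed to manage labels, and that the label, policy and rule names are placeholders to be aligned with the organization's own classification scheme.

```powershell
# Added example: build a four-level sensitivity label scheme with visual
# marking, publish it, and add an auto-labeling policy for credit card
# numbers that starts in test mode. All names below are placeholders.
Connect-IPPSSession

# Classification scheme from the policy, ordered least to most sensitive.
$scheme = @(
    @{ Name = 'Public';              Header = $null;                 Watermark = $null }
    @{ Name = 'Internal';            Header = 'Internal';            Watermark = $null }
    @{ Name = 'Confidential';        Header = 'Confidential';        Watermark = 'Confidential' }
    @{ Name = 'Highly Confidential'; Header = 'Highly Confidential'; Watermark = 'Highly Confidential' }
)

foreach ($level in $scheme) {
    $params = @{
        Name        = $level.Name
        DisplayName = $level.Name
        Tooltip     = "Classified as $($level.Name) under the information classification policy"
    }
    # Visual marking: a header for everything above Public and a watermark
    # for the two upper levels, so the classification is visible on the document.
    if ($level.Header) {
        $params.ApplyContentMarkingHeaderEnabled = $true
        $params.ApplyContentMarkingHeaderText    = $level.Header
    }
    if ($level.Watermark) {
        $params.ApplyWaterMarkingEnabled = $true
        $params.ApplyWaterMarkingText    = $level.Watermark
    }
    New-Label @params
}

# Publish the labels to Exchange and SharePoint so users can apply them manually.
$labelNames = $scheme | ForEach-Object { $_.Name }
New-LabelPolicy -Name 'Classification Scheme' -Labels $labelNames `
    -ExchangeLocation All -SharePointLocation All

# Automatic classification: content containing a credit card number receives
# the Confidential label. Test mode lets you review matches before enforcing.
New-AutoSensitivityLabelPolicy -Name 'Auto-label payment card data' `
    -ApplySensitivityLabel 'Confidential' `
    -ExchangeLocation All -SharePointLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Policy 'Auto-label payment card data' `
    -Name 'Credit card number present' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' }
```

Switching the auto-labeling policy from test mode to enforcement is a separate, deliberate step once the simulation results have been reviewed against the written classification criteria.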


Evidence Checklist

  • Classification Scheme: A documented policy defining the different levels of classification and the criteria for each.

  • Labeled Data: Samples of documents or emails that have been correctly classified and labeled according to the policy.

  • Inventory Mapping: Evidence that the asset inventory includes the classification level for each major information asset.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization determine the appropriate classification level for a new type of data or document?

  • Can you demonstrate how the technical labels in Microsoft 365 align with the formal classification categories defined in your policy?

  • What training is provided to employees to ensure they understand how to classify information they create or receive?

  • How is information re-classified when its sensitivity changes over time, such as when a project becomes public?