Information Classification

In formation should be classified and subsequently appropriately protected to ensure it is available for use by those designated as responsible users. Owners identified in the Inventory of Assets should ensure information is appropriately classified. This control, possibly above all others, is the one which bears out the three tenets of the standard – confidentiality, integrity and availability. Classification should align with the access control policy.

Labelling

A little like document and records control, information sharing needs to be controlled by labelling. This should be easily recognisable, particularly as outputs of processing. Employees and contractors should be made aware of labelling procedures. These need to be documented, this should give guidance indicating how and where documents should be labelled.