What is information classification in ISO 27001?

Written by Patrik Björklund
Published November 5, 2025
Topic: Information security

Information classification is the process of categorizing an organisation’s information based on how sensitive and critical it is. It’s about understanding which information requires the highest level of protection and which can be handled more openly.

For organisations working with ISO 27001, information classification is a fundamental security control. It helps you protect the right information in the right way — not more and not less than necessary.

Why information classification matters

Consider how different types of information affect your organisation if they fall into the wrong hands:

  • Personal data with national identity numbers and payroll details – If these are leaked you risk GDPR fines and loss of employee trust.
  • Customer records with contact details – Less sensitive than personal data but still valuable to competitors and harmful if abused.
  • Public press releases – No harm if these are shared, since they are intended for the public.

Without information classification many organisations treat all information the same. That leads to two problems:

  1. Excessive security – You spend resources protecting information that doesn’t need it.
  2. Insufficient security – Sensitive information doesn’t get the protection it requires.

Information classification solves this by assigning an appropriate protection level to each type of information.

What ISO 27001 requires

ISO 27001:2022 Annex A control 5.12 (Classification of information) states that organisations must classify information based on:

  • Confidentiality – How sensitive is the information? What are the consequences if unauthorised parties gain access?
  • Integrity – How critical is it that the information remains correct and unaltered?
  • Availability – How quickly must the information be available to the business?

The standard also requires that you:

  • Define clear classification levels tailored to your organisation
  • Document the rules that apply to each level
  • Train staff so they understand the system
  • Regularly review and update the classification

Common classification schemes

There are several established systems for information classification. The choice depends on your organisation, industry and any legal requirements.

Swedish schemes

SIS and MSB use 5-level scales:

  1. Public information – No harm if disclosed
  2. Internal information – Low harm, primarily internal
  3. Confidential information – Significant impact on operations
  4. Strictly confidential information – Severe impact on operations
  5. Highly classified / top secret information – Critical to the organisation; may threaten survival

These schemes suit Swedish organisations and legislation well. They also provide flexibility when you need to map protection levels to other countries’ classifications during international collaboration.

International schemes

The US, UK, Germany and France have their own classification standards. Norway, Denmark and Finland generally use 5-level systems similar to Sweden.

Recommendation for Swedish organisations: use a 5-level system such as SIS or MSB. They are more nuanced than 3-level schemes and easier to align with other countries’ classifications when working internationally.

How information classification works in practice

Here’s a concrete example from a Swedish manufacturing company:

Production recipe (bill of formulation)

Assessment:

  • Confidentiality: Level 4 (competitors would gain a major advantage if they accessed it)
  • Integrity: Level 5 (errors in the recipe halt production)
  • Availability: Level 4 (production stops without access)

Overall classification: Level 5 (the highest of the three)

Security measures that follow:

  • Encryption at rest and in transit
  • Two-factor authentication for access
  • Detailed access logging
  • Backups every 6 hours
  • Restricted access only to authorised production managers

Internal newsletter

Assessment:

  • Confidentiality: Level 1 (published internally; little harm if leaked)
  • Integrity: Level 2 (minor consequences if edited)
  • Availability: Level 2 (can wait a few days)

Overall classification: Level 2

Security measures that follow:

  • Standard access via login
  • Daily backup
  • No encryption required

The difference in security measures is significant — and entirely reasonable given the information’s value to the business.

The link to risk management

Information classification is the starting point for your information security risk management.

When you know which information is most critical you can:

  1. Prioritise risk assessments – Start with the highest-classified information
  2. Select appropriate controls – Level 5 information receives stronger protections than level 2
  3. Allocate resources effectively – Direct budget where it has the greatest impact

Without classification, risk assessment becomes guesswork. With classification you have a fact-based foundation.

Common mistakes to avoid

Overclassification

Some organisations classify almost everything as “confidential” or higher. This leads to:

  • Frustration among employees who cannot do their jobs efficiently
  • Wasted security resources
  • Reduced compliance because rules feel unreasonable

Solution: Be honest about what truly is sensitive. Public information should be classified as public.

Underclassification

Other organisations classify too low to “simplify”. This leads to:

  • Inadequate protection for critical information
  • Increased risk of security incidents
  • Difficulty complying with GDPR and other legal requirements

Solution: Consider the consequences if the information is disclosed, altered or unavailable.

Forgetting to update classifications

Information changes over time. A production recipe that was top secret last year may be less critical now if the product is being phased out.

Solution: Review classifications regularly — at least annually.

Different classifications across departments

When HR classifies personnel data as level 3 but Finance classifies the same data as level 4, confusion and security gaps occur.

Solution: Create a clear organisation-wide policy and train everyone who classifies information.

Link to other ISO 27001 requirements

Information classification supports several other ISO 27001 controls:

Annex A 5.9 – Inventory of assets
You must know what information you have before you can classify it.

Annex A 5.10 – Acceptable use of information
Classification determines the rules for how information may be used.

Annex A 5.13 – Labelling of information
Label information according to its classification where appropriate (e.g., “Confidential” in the footer).

Annex A 8.12 – Preventive measures against data leakage
Information with a high classification needs stronger protections against leakage.

How AmpliFlow supports information classification

In ISO 27001 implementation projects our consultants set up a tailored information classification matrix as a starting point for your organisation. Depending on the project level (mini, midi or maxi) you receive different levels of support to adapt the classification system to your needs.

This template helps you to:

  • Register all information assets
  • Classify each item according to confidentiality, integrity and availability
  • Document security measures for each classification level
  • Assign owners and responsible parties
  • Schedule regular reviews
  • Track changes over time

Practical steps to get started

If you are going to implement information classification in your organisation, follow these steps:

1. Choose a classification scheme

Decide whether to use SIS, MSB or another system. For Swedish organisations we recommend a 5-level scheme.

2. Define classification levels

Write clear descriptions for each level that fit your organisation:

  • What do levels 1–5 mean in your context?
  • What are the consequences of a security breach at each level?
  • What controls are required for each level?

3. Inventory information

List all important information:

  • Databases
  • Document collections
  • Systems and applications
  • Physical archives

4. Classify the information

For each item, assess:

  • Confidentiality (1–5)
  • Integrity (1–5)
  • Availability (1–5)

The highest rating becomes the overall classification.

5. Document and communicate

  • Create an information classification policy
  • Train staff on the system
  • Label information according to its classification where needed
  • Communicate which security measures apply

6. Implement controls

Ensure controls match the classification levels:

  • Access controls
  • Encryption
  • Backup frequency
  • Logging

7. Follow up and update

  • Review classification at least annually
  • Update when the business changes
  • Measure compliance and remediate deviations
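The two worked examples above (production recipe and internal newsletter) and steps 4 to 7 describe one mechanical procedure: rate each asset 1–5 on confidentiality, integrity and availability, take the highest rating as the overall level, attach the controls that follow from that level, and then check the register for the mistakes named earlier (the same asset classified differently by two departments, reviews older than a year). The following Python register is an added example written for this article; it is not AmpliFlow's matrix or tool. The asset names, review dates and the control baseline table are constructed for illustration, with the level-2 and level-5 rows modelled on the newsletter and recipe measures in the text.

```python
from dataclasses import dataclass
from datetime import date

LEVELS = range(1, 6)  # 5-level scale, as in the SIS/MSB schemes the article recommends

# Control baseline per overall level. Constructed for this example; the level-2
# and level-5 rows follow the article's newsletter and production-recipe cases.
CONTROL_BASELINE = {
    1: {"access": "public",       "backup_hours": None, "encryption": False, "mfa": False, "logging": "none"},
    2: {"access": "login",        "backup_hours": 24,   "encryption": False, "mfa": False, "logging": "basic"},
    3: {"access": "role-based",   "backup_hours": 24,   "encryption": True,  "mfa": False, "logging": "basic"},
    4: {"access": "named owners", "backup_hours": 12,   "encryption": True,  "mfa": True,  "logging": "detailed"},
    5: {"access": "named owners", "backup_hours": 6,    "encryption": True,  "mfa": True,  "logging": "detailed"},
}


@dataclass(frozen=True)
class Classification:
    """One row of the register: an asset as rated by one department."""
    asset: str
    department: str
    confidentiality: int
    integrity: int
    availability: int
    reviewed: date  # date of the last classification review

    def __post_init__(self):
        # Reject ratings outside the 1-5 scale before they enter the register.
        for name in ("confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if value not in LEVELS:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def overall(self) -> int:
        # The article's rule: the highest of the three ratings is the overall level.
        return max(self.confidentiality, self.integrity, self.availability)


def controls_for(level: int) -> dict:
    """Security measures that follow from an overall classification level."""
    return CONTROL_BASELINE[level]


def find_conflicts(register):
    """Assets that two departments have classified at different overall levels."""
    by_asset = {}
    for row in register:
        by_asset.setdefault(row.asset, {})[row.department] = row.overall
    return [(asset, levels) for asset, levels in by_asset.items()
            if len(set(levels.values())) > 1]


def find_overdue(register, today, max_age_days=365):
    """Rows whose last review is older than the review cycle (annual by default)."""
    return [row for row in register if (today - row.reviewed).days > max_age_days]


# Constructed register rows; the first two reproduce the article's worked examples.
REGISTER = [
    Classification("Production recipe", "Production", 4, 5, 4, date(2024, 6, 1)),
    Classification("Internal newsletter", "Communications", 1, 2, 2, date(2025, 9, 1)),
    # The 'different classifications across departments' mistake, made visible:
    Classification("Employee payroll data", "HR", 3, 3, 2, date(2025, 3, 15)),
    Classification("Employee payroll data", "Finance", 4, 3, 2, date(2025, 3, 15)),
]


def report(register=REGISTER, today=date(2025, 11, 5)) -> dict:
    """Summarise the register: overall levels, cross-department conflicts, overdue reviews."""
    return {
        "levels": {f"{r.asset} ({r.department})": r.overall for r in register},
        "conflicts": find_conflicts(register),
        "overdue": [r.asset for r in find_overdue(register, today)],
    }


if __name__ == "__main__":
    for row in REGISTER:
        print(f"{row.asset:24} {row.department:14} overall={row.overall} "
              f"backup every {controls_for(row.overall)['backup_hours']}h")
    print(report())
```

Run as a script, the register prints the production recipe at level 5 with backups every 6 hours and the newsletter at level 2 with daily backups, flags the payroll data because HR and Finance landed on different levels, and lists the recipe as overdue for its annual review. Keeping the control baseline in one table, keyed only by level, is what makes "controls follow the classification" auditable: a reviewer can compare each asset's actual protections against one row rather than against ad hoc decisions.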

Information classification as the foundation of security work

Information classification is not bureaucratic overhead — it is the foundation for effective information security.

When you know which information is most valuable and sensitive you can:

  • Allocate the security budget where it delivers the most benefit
  • Give employees clear guidance on how to handle information
  • Meet legal requirements such as GDPR and ISO 27001
  • Demonstrate to management and customers that you take information security seriously

For organisations working with ISO 27001, information classification is mandatory under Annex A control 5.12. Even if you do not pursue certification, it is a powerful tool to protect what matters most to your organisation.

Start by identifying your most critical information and classify it. Then expand the system step by step. With the right structure and tools it doesn’t have to be complicated.
