ISO 27001:2022 – Information Classification – Is it now time for #ABIC
Information Classification (IC) is core to an effective security programme. After Asset Management, it’s probably the most important component of an Information Security Management System. For those already certified to the current version of 27001, your old information classification system is likely to need a revamp. The new 27002:2022 control guidelines have been updated to reflect modern methods of working – and for information classification, it’s a sea change. In this article, we’ll discuss what you need to do under the new regime, how information classification feeds into your other security controls and whether or not there needs to be an altogether fresh approach to classifying business information.
A word on how 27002 controls are now set out…
So before we discuss Information Classification specifically, it’s worth quickly discussing some of the new 27K “2022” terminology. In the 2022 versions, every control is now categorised into themes and attributes. A control will sit in one of 4 themes (People, Physical, Technological and Organisational) and have 5 attributes (Type, Property, Concept, Capability, Domain). If you want to know what all these things mean, you’ll have to buy the standards yourself, but for illustration, let’s use Information Classification to demonstrate how this looks in practice:
Control: Information Classification (5.12)
- Control Type: #Preventative
- IS Properties: #Confidentiality #Integrity #Availability
- Cybersecurity Concepts: #Identify
- Operational Capabilities: #InformationProtection
- Security Domains: #Protection #Defence
What is with all these #hashtags, you may ask? The idea is that you can use these tags to create different views of your ISMS for different audiences. Want to see your controls across Security Domains? Just sort accordingly. Worried you’re focussing on corrective controls and not on preventative controls? It should now be a lot easier to see. Why such a change? I can’t say for sure, but reading between the lines I think there is a growing expectation that organisations really must start to manage their ISMS outside of Excel, i.e. using a data-driven system that integrates with security tooling and includes automation and workflow capabilities. Excel is not appropriate for managing an ISMS!
The format of 27002 controls has changed slightly too. Each control is now set out as Control (same), Purpose (used to be Objective), Guidance (used to be Implementation Guidance) and Other Information (same). Anyone who has used the current standard will probably see this more as a cosmetic change.
It’s not all change though. There is still the concept of topic-specific policies underpinning all the controls. The new version of 27002 lists out 12 policies that would be expected of a “full fat” 27001 ISMS. One is of course the overarching Information Security policy and then there are 11 topic-specific policies. Information Classification and Handling is of course one such policy. Topic-specific policies are still inter-connected too. More on interconnectivity later.
Information Classification – Deep Dive
The new Information Classification control description states:
“Information should be classified according to the information security needs of the organisation based on confidentiality, integrity and availability and relevant interested party requirements.”
The purpose stated is to:
“ensure identification and understanding of protection needs of information in accordance with its importance to the organisation”
So how does this differ from before? Well, the control definition has changed significantly. The prior version stated: “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.”
Whilst the control statement has changed, the components of the old statement haven’t been lost; they have just been moved into the guidance instead. What the new control wording creates is a change of focus. The new focus removes the limitations of the old approach and instead creates one that is more extensible: an information classification system that covers the needs of other interested parties, not just the InfoSec Team – say the Data Protection Officer (DPO) or the Operational Resilience Manager (ORM). It is a system that will continue to consider how information should be protected from disclosure (confidentiality) and unauthorised modification (integrity) but will now also consider when data should be available – and when it shouldn’t.
The control guidance goes on to describe what is needed in more detail…
The first requirement is a topic-specific policy on Information Classification. This policy must clearly set out the classification specification and the requirements for its application across the organisation. This policy must be created with wide-ranging stakeholder consultation (so no more cutting and pasting from the Internet). The policy must require information owners to classify their data according to the classification (so you need to have an owner field in your asset register). The classification system must consider impact and criticality (so you need to have this included in your asset register). The policy must be linked to an organisation’s access management policy (so you will need one of those too). Oh, and the controls you apply to a particular piece of information or system need to be based on its classification too (think DLP, Data Transfer et al)!
The requirement for a process to declassify information is still there. This is an aspect of information classification that organisations – with the exception of mature central government archives – continue to do pretty badly, which is a shame, as protecting information more than necessary is just wasting money.
Finally, the policy must set out requirements related to how the organisation’s classification system shall interoperate with the classification systems of other organisations. This is new for 2022. What this essentially means is this. There needs to be a documented, repeatable process that defines how classifications are mapped. The information classification policy must therefore include a requirement that mapping is conducted prior to any external information-sharing activity. The mapping exercise needs to look at the other organisation’s classification system and then ensure their data is appropriately protected when in use in your organisation – and vice versa!
e.g. You have a classification system of Public, Official and Secret. You are to be provided with data from an external organisation. They have a different classification system of Unclassified, Restricted, Secret, Top Secret. Their data has been classified as Restricted. Before accepting this data, your organisation will need to apply a documented process to identify what controls must be applied to this classification that gives the data an equivalent level of protection.
Similarly, you may be provided with data labelled as Secret by another organisation. That doesn’t mean you treat the data in the same way as your own Secret data. You still need to review how the other organisation controls data at this classification. Put another way, similar classifications do not necessarily equal the same controls.
Before we conclude the discussion on the new control guidance, let’s circle back to the availability aspect. I mentioned that a classification system should consider both when data should be available and when it should not. Why interpret the guidance this way? Basically, because the protection of records control (5.33) requires a retention schedule, it would be highly useful to include in your classification system a means to apply retention information directly to the business data. This will not only aid in searching for data by retention date but also aid in automating data destruction processes. Classifying data by type will also aid in meeting the requirements of the Privacy and Protection of Personal Data (5.34) control. As I said, to do classification properly is more than just slapping an arbitrary label on your client docs. But how can all this be realistically achieved? Maybe the new 27002 structure gives us the answer…
Enter Attribute-Based Information Classification (ABIC)
To remain effective in our data-intensive world, an information classification system may need to operate just like 27002 classifies its own controls, i.e. with attributes. Let’s face it, there are so many different scenarios we now need to consider that the standard 4-tiered labelling system is just not going to cut it. But, if the classification system used attributes instead, we would have a lot more flexibility as our data processing environment changes or new interested parties rear their heads! Let’s see how attributes could work…
Say Acme Bank PLC had a core banking system that held various types of data, including customer financial data. Each table (yes that granular) in the system could be classified with attributes as described below:
- Type: #Personal #Financial #Business
- Company: #AcmeBank
- Department: #IT #Treasury
- Impact: #High
- Criticality: #HighAvailability
- Retention: #7years
- Legislation: #GDPR #CCPA #PIPEDA
- Hash: #SHA256
- Review: #6months #2years #LegalHold
- Label: #Confidential #Restricted #Internal #Public
Such an attribute-based information classification system would be totally extensible for any given situation. If you added new tables into a database, or added a completely new data source, it would just work. More usefully, security controls to protect data classified in this way could be programmatically applied. Other organisations’ classification systems could be automatically mapped too. We already have Attribute-Based Access Control (ABAC); perhaps we will soon see this Attribute-Based Information Classification (ABIC) in action too. I did a Google search and this term doesn’t yet exist, so I am claiming it! You heard it here first.
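As an added illustration (not code from the article or from Fox Red Risk) of the two ideas above, the sketch below derives handling controls from a table’s attribute tags and maps a partner’s labels onto the Public/Official/Secret scheme by comparing the controls behind each label rather than the label names. All rule sets, control names and the partner scheme are constructed for the example.

```python
# Constructed internal rule set: a rule fires when every listed attribute shares a tag
# with the asset; controls from all firing rules are unioned (control names are made up).
CONTROL_RULES = [
    ({"Label": {"Confidential", "Restricted"}}, {"encrypt-at-rest", "dlp-outbound"}),
    ({"Type": {"Personal"}}, {"quarterly-access-review", "dsar-searchable"}),
    ({"Criticality": {"HighAvailability"}}, {"replicated-backup"}),
    ({"Review": {"LegalHold"}}, {"deletion-blocked"}),
]
# Constructed internal scheme: the article's labels (lowest to highest) and their controls.
INTERNAL_ORDER = ["Public", "Official", "Secret"]
INTERNAL_SCHEME = {
    "Public": set(),
    "Official": {"encrypt-at-rest", "dlp-outbound"},
    "Secret": {"encrypt-at-rest", "dlp-outbound", "need-to-know", "hsm-keys"},
}
# Constructed partner scheme: the controls *they* apply at each of their labels.
PARTNER_SCHEME = {
    "Unclassified": set(),
    "Restricted": {"encrypt-at-rest"},
    "Secret": {"encrypt-at-rest", "dlp-outbound", "need-to-know", "air-gapped"},
}

def parse_tags(tag_line: str) -> dict[str, set[str]]:
    """Parse 'Type: #Personal #Financial; Label: #Confidential' into {attribute: {tags}}."""
    attrs = {}
    for part in filter(str.strip, tag_line.split(";")):
        name, _, tags = part.partition(":")
        attrs[name.strip()] = {t.lstrip("#") for t in tags.split() if t.startswith("#")}
    return attrs

def required_controls(attrs: dict[str, set[str]]) -> set[str]:
    """Union of the controls from every rule whose condition the asset's tags satisfy."""
    out = set()
    for condition, controls in CONTROL_RULES:
        if all(attrs.get(k, set()) & v for k, v in condition.items()):
            out |= controls
    return out

def map_partner_label(partner_scheme: dict[str, set[str]], partner_label: str):
    """Lowest internal label whose controls cover the partner's, plus any shortfall."""
    needed = partner_scheme[partner_label]
    for label in INTERNAL_ORDER:
        if needed <= INTERNAL_SCHEME[label]:
            return label, set()
    # Nothing covers it all: take the top label and report the controls still missing.
    return INTERNAL_ORDER[-1], needed - INTERNAL_SCHEME[INTERNAL_ORDER[-1]]

if __name__ == "__main__":
    table = parse_tags("Type: #Personal #Financial; Label: #Confidential; Criticality: #HighAvailability")
    print(sorted(required_controls(table)))
    print(map_partner_label(PARTNER_SCHEME, "Restricted"), map_partner_label(PARTNER_SCHEME, "Secret"))
```

The partner’s Secret maps to our Secret but still reports a shortfall, which is the point made above: a matching label does not mean matching controls.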
Back to the real world…
Unfortunately, ABIC doesn’t yet exist outside the confines of my [cough] “thought leadership” – holistically at least. There are, however, some creative ways to use existing technology to get close to such a system. So, in the meantime, if you need help with information classification or any other aspect of ISO 27001, whether a gap analysis or help with certification, get in contact – we can help.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.