ISO/IEC 27001 Control 5.12: Classification of information
Control
Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint has a native information classification feature, which can be used to set up classification and clearance schemes.
Implementation Details
MidPoint ships with pre-configured archetypes for classifications and clearances, which can be used to build classification and clearance schemes. Policy rules can be used to define the requirements for each individual classification; these rules apply transitively to all objects that give access to a classified asset (usually roles). Classification is a generic mechanism that can apply to a variety of objects: roles, organizational units, projects and services. Role governance features can be used to track the owners accountable for assets, and even the custodians of individual classifications and clearances.
Implementation Notes
- The access control control (5.15) asks for consistency between access rights and classification (controls 5.12, 5.13); midPoint provides this by employing policy rules in classifications.
Documentation
Version | Title | Description |
---|---|---|
Development | Information Classification and Clearances | Introduction of classification schemes, example of classification scheme based on EU NIS1 |
4.8 | Information Classification and Clearances | Introduction of classification schemes, example of classification scheme based on EU NIS1 |
Related Features
Related Controls
- ISO/IEC 27001 5.8: Information security in project management
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 6.3: Information security awareness, education and training