ISO/IEC 27001 Control 5.13: Labelling of information
Control
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
Applications can be classified using the defined classification scheme.
Implementation Details
Classification schemes can be applied to almost all midPoint objects, most notably applications and roles, effectively creating information labels. Policies specified for the classifications can be enforced by using policy rules. Policy rules are applied transitively, even when classified applications are included in business roles or organizations.
Implementation Notes
- Control 5.15 (Access control) requires consistency between access rights and classification (controls 5.12, 5.13); midPoint provides this by employing policy rules in classifications.
Rationale
As midPoint has an integrated information classification mechanism, it can easily couple classifications, clearances and access control policies. This creates high-level governance policies that can be used to check the correctness of complex configurations or RBAC structures. This approach is necessary to keep policies maintainable in large deployments.
Documentation
| Version | Title | Description |
|---|---|---|
| Development | Information Classification and Clearances | Example demonstrating use of policy rules to enforce classification requirements |
| 4.8 | Information Classification and Clearances | Example demonstrating use of policy rules to enforce classification requirements |
Related Features
Related Controls
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 6.3: Information security awareness, education and training
- ISO/IEC 27001 6.6: Confidentiality or non-disclosure agreements