Data Classification

Screenshot 2022-11-10 at 12.48.04.png

Data classification is defined as the process of analysing and organizing data (both structured and unstructured) by categorizing data into defined and classified categories based on its contents, confidentiality, type of documented information, and other relevant characteristics. As a way to maintain the confidentiality, integrity, ease of access, and reliability of the data, Compleye Online provides the functionality to manage and keep records of data classification in a centralized and structured manner.

Well-established and aligned with the business functions, data classification overview will help your organization recognize, appreciate and understand what information is held, where it is stored and how it can be accessed. Data classification is also a fundamental step when developing policies, processes, and procedures your organization implements to preserve the confidentially, availability, and integrity of information. Subsequently, identifying the legal and regulatory requirements, as part of the data classification process, will help your organization to meet regulatory requirements, and avoid potential penalties or regulatory scrutiny. Finally, yet importantly,  appropriately classified data facilitates data mapping and implementation of the required level of security measures and controls.

Identifying and classifying the information you hold is also required by ISO 27001 standards and norms and referenced in the controls within Annex A, section A 8.2 which cover classification, labelling and handling of the information within the scope of the established ISMS.

  1. As a first step, ensure that your organization has a clear understanding of the information collected, stored and processed, as well as of the regulatory and contractual data protection and confidentiality requirements. Once the scope of data and regulatory requirements are defined you can define your data classification objectives and build a comprehensive and functioning data classification overview.

         Consider the following questions when classifying your information:

  • What data of your stakeholders your organization collect?
  • What data do you create as part of daily operations?
  • What data if lost, would have a particular impact on your organization?
  • What data would be classified as confidential?
  • What data classify as personal data?
  • Who is responsible for the integrity and accuracy of the data?
  • Who can and should access the data.
  1. In the context of information security, data classification is based on its level of confidentiality and the impact to the organization that data should be disclosed, altered or destroyed without authorization. The classification of data included in Compleye Online helps determine what baseline security controls are appropriate for safeguarding that data. The data classification falls into one of three classifications:
  • Restricted Data should be classified as Restricted when the unauthorized disclosure, change or destruction of that data could cause a significant level of risk to the Client or its affiliates. The highest level of security measures should be applied to Restricted data.
  • Private Data should be classified as Private when the unauthorized disclosure, change or destruction of that data could result in a moderate level of risk to the Client or its affiliates. A reasonable level of security measures should be applied to Private data.
  • Public Data should be classified as Public when the unauthorized disclosure, change or destruction of that data would result in little or no risk to the Client and its affiliates. Examples of Public data include press releases, course information and research publications. Certain level of security measures should be still put in place to prevent unauthorized alteration or destruction of Public data.
  1. Start with developing and formalizing the Data Classification Policy – ​​you can choose the Data Classification Policy Template included in the Template Section of the Policies and Procedure module. A well-defined Data Classification Policy will help your organization to understand how the sensitivity of specific data types is classified and should be handled by employees.
  1. GDPR Role: As Data classification overview is an important assessment of what kind of data you are processing, for each data source, you need to determine if you are the data controller or data processor. Example: in case of HR data source, you are the data controller and not the processor, meaning that different obligations may be imposed on your organization with regard to this type of data.As a general rule  you can use the question on: ‘Who is asking for the data being collected?’ If that is you – you are the controller, if that is your customer – you are the processor. More information and examples – please read 
  1. Labelling: Once your data is classified, you may need to label it appropriately and in accordance with the labeling approach adopted by the management of data and information, if applicable. Please note that ISO 27001 is not prescriptive on this topic, so you can develop your own controls and measures, that are sufficient for your organization to protect information.
  1. Control Measures: Describe preventive and detective measures that have been adopted for each of the classified sets of data.
  1. Handling of Asset: Describe the manner the asset that relate to the classified data should be handled by the organization and employees. The rules concerning the asset handling process should also be reflected in the HW Security Rules or any other related document.
  1. System Access Overview: Describe the access management overview applied to each of the classified sets of data. The access management rules should be consistent with the requirements addressed by the organization’s access management policy or any other relevant document. In practice, the field should include the roles and functions that have access to the classified information.                                                                                            
  2. Regulatory and Quality Requirements: Describe the regulatory and quality requirements taken into consideration when identifying and classification information.                                                                                                           
  3. Data Stored: Describe where the classified information is stored. This could refer to both digital and physical storage.                                                                                                                        
  4. Last point to address – this is not (yet) added to this overview – “Does this data source contain personal data?” Please check for more information on what is considered personal data under the GDPR. If this data source contains personal data, you will have to add this item to the section: Legal & Compliance – GDPR – Legal Base. [link to wiki – Legal Base]


    Example Content

    Data source

    HR Data *

    Collected from / Transferred

    information via Team Members (E-mail)

    GDPR role


    Data Classification




    Handling of assets

    Only CEO has access to all of the data. 

    Implemented control  measures

    Restricted on Access in MS365

    Regulatory, Quality Requirement


    Data Storage

    MS365 in separate folder HR Team Members

    System Access Overview

    Compleye Online – MS365

    Security Impact








    Security policies/procedures

    HR-Office procedure and Access Management Procedure

    Add new field

    [you can add extra fields – if needed]

    Data Ownership

    Data is owned by Team Members. 

    *Examples of Data sources:  HR Data, Source Code, Customer Data, Compliance Documentation, Business Data, Financial Data. 

    Was this article helpful?
    0 out of 5 stars
    5 Stars 0%
    4 Stars 0%
    3 Stars 0%
    2 Stars 0%
    1 Stars 0%
    How can we improve this article?
    Please submit the reason for your vote so that we can improve the article.