Data Classification
Data classification is defined as the process of analysing and organising data (both structured and unstructured) by categorising data into defined and classified categories based on its contents, confidentiality, type of documented information, and other relevant characteristics.
Why do you need it? It will help you to understand what data you collect, store and process and what you need to focus on. It’s a mandatory and important topic for external auditors. The more you understand this, the better you can answer your auditor’s questions.
This is a tricky topic to handle because there are a lot of requirements that you will need to address according to ISO 27001. You can find – in the Templates section – the Data Classification Policy, which will tick all the requirements of ISO 27001.
So, How to start?
- Read the Data Classification Policy to have a general idea of what needs to be in place. In the policy we explain all the fields in the Compleye Online Data Classification section. We’ve also added a Data Classification Scheme and a (potential) Security Impact Scheme per classification. We advise that you read the entire policy before starting to make use of the Compleye Online section.
- Once you’ve read and understood the meaning of Data Classification you can start filling in the Data Sources in Compleye Online by making use of the policy, which includes a lot of tips and links to more information.
Some tips:
- Examples of data sources: HR Data, Source Code, IP, Customer Data, Compliance Documentation, Business Data and Financial Data.
- Business Data can be emails, marketing and sales information etc.
- At the start of your ISMS with a small team, don’t make the list longer than needed. Over time, when maturing your ISMS the list will grow.
- Start with a few and before you go for an external audit, check if the list is complete. During the preparation you might discover more data sources and you’ll probably have more control measures, policies etc. in place to add to this overview.
- Adopting labelling is a choice that you’ll need to make for yourself. If you choose the Compleye strategy (not to adopt labelling), you’ll need to use this information in your Statement of Applicability. In the SoA section, we have examples of how to define the justification. Make sure you understand the reason well because the external auditor will investigate this.
- If you define labelling as Not Applicable, you can copy the blue marked content in the template to Compleye Online – in the Procedure/Info feature. In this way, you’ll have the justification in place for yourself and your team members, when reviewing the content (see button below)
Field | Example Content |
Data source | HR Data * |
Collected from / Transferred | information via Team Members (E-mail) |
GDPR role | controller |
Data Classification | Restricted |
Labelling | NA |
Handling of assets | Only CEO has access to all of the data. |
Implemented control measures | Restricted on Access in MS365 |
Regulatory, Quality Requirement | GDPR |
Data Storage | MS365 in separate folder HR Team Members |
| System Access Overview | Compleye Online – MS365 |
| Security Impact | Moderate |
Confidentiality | High |
Integrity | High |
Availability | Low |
Security policies/procedures | HR-Office procedure and Access Management Procedure |
Add new field | [you can add extra fields – if needed] |
Data Ownership | Data is owned by Team Members. |
*Examples of Data sources: HR Data, Source Code, Customer Data, Compliance Documentation, Business Data, Financial Data.
