Article Summary
An organisation cannot protect information it has not categorised. This article explains what data classification actually means, how the classification scheme is derived from business needs and regulatory obligations, the critical distinction between mature and starting organisations, how classification differs across industries, and what belongs — and what does not belong — in the policy itself.
Why This Policy Exists
An organisation cannot protect information it has not categorised. Protection costs money, time, and operational friction. Applying the same level of protection to a publicly available marketing brochure and to a database containing patient medical records wastes resources on the first and almost certainly under-protects the second. Data classification exists to solve exactly this problem. It creates a shared language across the organisation for describing how sensitive information is and therefore what level of protection it requires.
ISACA's CISM framework addresses data classification as a fundamental component of information asset management. Without a classification scheme, risk assessments lack precision, access control decisions lack a basis, and data protection controls cannot be calibrated to the actual sensitivity of the information they are protecting. Classification is not an administrative exercise. It is the foundation on which the rest of the information security programme is built.
What Data Classification Actually Means
Data classification is the process of assigning a sensitivity label to information based on its value to the organisation, the harm that would result from its unauthorised disclosure, modification, or loss, and any regulatory requirements that apply to it.
Most classification schemes use three or four levels. The specific labels matter less than the consistency of their application. An organisation that uses three levels consistently is better protected than one that uses five levels inconsistently. The classification scheme must be simple enough for every employee to understand and apply without needing to consult a specialist every time they create or receive a piece of information.
| Level | Description | Handling Requirement |
|---|---|---|
| Public | Information approved for release to the general public, or that would cause no harm if disclosed. | No special handling beyond basic accuracy checks before publication. |
| Internal | Information intended for use within the organisation. Would cause minor operational disruption or reputational harm if disclosed externally. | Must not be shared outside the organisation without approval from the information owner. |
| Confidential | Information whose unauthorised disclosure would cause significant harm. Includes personal data under GDPR, customer financial information, commercially sensitive contracts, security-relevant system information. | Encrypted in transit and at rest. Accessed only by authorised individuals. Shared externally only under NDA. |
| Restricted | Information whose unauthorised disclosure would cause severe harm, or that is subject to regulatory requirements mandating the highest level of protection. Includes PCI DSS cardholder data, clinical patient records, M&A communications. | Full set of protective controls defined in the Restricted Data Handling Standard. Strictest access, transmission, storage, and disposal requirements. |
How the Policy Is Derived and What Drives Classification Decisions
The Data Classification Policy is derived from the Information Security Policy's principle that information assets must be protected in proportion to their value and sensitivity. The classification scheme itself is derived from three sources: the organisation's own assessment of its information assets and their value, the regulatory requirements that impose specific handling obligations on certain categories of information, and industry best practice for the organisation's sector.
The organisation's own assessment is the most important input. Before writing a Data Classification Policy, the organisation needs to understand what information it actually holds, where it is stored, how it flows through the organisation's processes, and what the consequences of its loss or exposure would be. This understanding comes from an information asset inventory and from a business impact analysis that assesses the consequences of losing each category of information.
Regulatory requirements add specific obligations on top of the organisation's own assessment. GDPR imposes handling requirements on personal data. PCI DSS imposes handling requirements on cardholder data. Healthcare regulations impose handling requirements on patient data. The classification scheme must ensure that information subject to these requirements is classified at a level that triggers the controls those regulations require.
Mature vs Starting Organisations — The Most Important Distinction
The Data Classification Policy must be honest about the organisation's current maturity in information asset management. This is where many policies fail. They prescribe a classification scheme and a set of controls that assume the organisation has a complete, accurate inventory of its information assets when in reality it has no such thing.
Mature Organisation
Has a complete CMDB, a full information asset register, and established data flows mapped across its systems. Can write a classification policy that references specific asset types, prescribes classification at the asset level, and mandates automated classification tools and data loss prevention controls. The policy can be specific because the organisation has the infrastructure to support specificity.
Starting Organisation
Cannot honestly commit to classifying all information assets at the asset level when it does not yet know what all of its information assets are. The policy must establish the classification scheme and the requirement to classify, while acknowledging that the asset inventory is being built and that full implementation will follow as the inventory matures. This is not a weakness — it is an honest reflection of where the organisation is.
The policy should contain the classification scheme, the requirements for applying classifications, and the controls that apply to each level. It should reference the information asset inventory as a supporting document rather than embedding asset-level detail that will change as the inventory evolves. This way the policy remains stable as the inventory grows.
What Should and Should Not Be in the Policy
Belongs in the policy: the classification scheme and the sensitivity levels, the requirement to classify all information assets, the requirement to apply specific controls based on classification level, and the requirement to review classifications when information changes.
Does not belong in the policy: the inventory of specific information assets, the list of systems that hold classified data, and the specific technical controls used to enforce classification on each system platform. All of this belongs in the supporting standards, procedures, and the asset register.
An organisation's information assets change constantly. New systems are deployed. New data types are collected. Old systems are decommissioned. If the policy contains a list of classified assets, the policy must be revised every time an asset is added or removed. A policy that requires constant revision will never be current, will always be in draft, and will frustrate the governance process that is supposed to approve and maintain it.
How Classification Differs by Organisation Type
Financial Services
Holds customer financial data, transaction records, credit information, and market-sensitive data. The classification scheme typically includes a specific category for regulated financial data triggering PCI DSS or financial regulatory controls. Enforced through DLP tools, access controls on banking systems, and strict third-party data sharing controls.
Healthcare
Holds patient medical records, diagnostic data, prescription information, and clinical research data. Patient data sits at the highest classification level regardless of format because harm from its exposure combines privacy violation with potential patient safety risk. Must address classification of data on medical devices — a unique challenge not present in other sectors.
Manufacturing
Holds product design data, manufacturing process specifications, supplier contracts, and customer order data. The highest classification level typically covers intellectual property — the designs and specifications that represent competitive advantage. The policy must address protection through the entire lifecycle, including when shared with suppliers and manufacturing partners.
Government Agency
Operates within a national classification scheme that typically predates and supersedes any internal policy. The internal data classification policy must align with and support the national scheme, not contradict it. Additional levels for national security information are prescribed by the relevant government authority.
Small Organisation
Needs a classification scheme it can actually implement. Three levels — Public, Internal, Confidential — with clear, simple descriptions and practical guidance are more effective than a sophisticated five-level scheme nobody can consistently apply. Simplicity in classification is a security feature, not a shortcut.
Technology Service Provider
Holds client data across multiple clients in different sectors, each with its own classification requirements. The provider's scheme must be broad enough to accommodate the highest classification tier any client imposes. Client data must be segregated to prevent cross-contamination of classifications. ISO 27001 certification typically forms the baseline assurance.
Sample Data Classification Policy Structure
1. Purpose
This policy establishes [Organisation Name]'s framework for classifying information based on its sensitivity and the harm that would result from its unauthorised disclosure, modification, or loss. It provides the foundation for applying proportionate security controls to all information assets and supports compliance with applicable data protection regulations and contractual obligations.
2. Scope
This policy applies to all information created, received, processed, stored, or transmitted by [Organisation Name] or on its behalf, in any format. It applies to all employees, contractors, consultants, and third parties who handle organisational information.
3. Classification Levels
Public: approved for general release, no special handling.
Internal: for use within the organisation, not shared externally without approval.
Confidential: significant harm if disclosed — personal data, financial information, sensitive contracts. Encrypted in transit and at rest, shared externally only under NDA.
Restricted: severe harm if disclosed or regulatory requirement for highest protection — cardholder data, clinical patient data, M&A communications. Full protective controls from the Restricted Data Handling Standard apply.
4–9. Responsibilities, Controls, Regulatory Alignment, Declassification, Exceptions, Related Documents
Responsibilities: information creators classify at point of creation; information owners maintain classifications; all staff handle information per its classification.
Controls: storage, transmission, access, sharing, retention, and disposal controls are defined in the Data Handling Standard.
Regulatory alignment: GDPR and applicable sector regulations.
Declassification: reclassification is approved by the information owner and recorded in the asset register.
Exceptions: require CISO approval and annual review.