ISM-0393 policy ASD Information Security Manual (ISM)

Classify Databases Based on Data Sensitivity

Databases should be classified according to how sensitive the data they contain is.


Plain language

This control is about sorting your databases based on how sensitive the information they hold is. It's important because if sensitive data is kept in databases that aren't properly guarded, it could lead to leaks of confidential information, causing harm to privacy, and even resulting in financial losses or damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Databases and their contents are classified based on the sensitivity or classification of data that they contain.

Why it matters

If databases are misclassified, controls may be misapplied, enabling unauthorised access and disclosure of higher-sensitivity records.


Operational notes

Maintain a documented database classification register and reclassify when schemas, data sources or sensitivity change; verify labels match the highest data classification stored.


Implementation tips

  • Management should determine the data sensitivity: Identify key data types held in databases, like personal customer information or financial details. Classify these based on sensitivity using a simple high, medium, or low scale.
  • IT staff should label databases: Use the classifications to label each database accordingly. Clearly mark databases and keep a record of the classifications.
  • Managers should ensure access controls match labels: Verify that employees can only access databases appropriate to their role. Review access rights based on the database classification and adjust permissions as needed.
  • Create a data sensitivity policy: HR or compliance should write a policy document stating how data should be classified and handled. This should be reviewed regularly and employees should be trained accordingly.
  • Schedule regular reviews: Set regular dates for reviewing the database classifications to ensure they stay up-to-date as the data or its usage evolves over time.

Audit / evidence tips

  • Ask: The data classification policy document. Verify it outlines the criteria and process for classifying data sensitivity. Good: The document is current and includes clear guidelines.
  • Ask: How they apply access restrictions based on classification. Good: Includes specific procedures and recent updates.
  • Good: The plan includes regular timeframes and notes from past checks.

Cross-framework mappings

How ISM-0393 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1):
  • Annex A 5.13: ISM-0393 requires databases and their contents to be classified based on the sensitivity/classification of the data they contain.

Related (1):
  • Annex A 5.12: Annex A 5.12 requires information to be classified according to the organisation’s confidentiality, integrity and availability needs and ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
