Information Classification Policy and Practices
Classify data based on security needs so everyone handles it correctly.
Plain language
Classifying information means deciding how sensitive or critical it is, which helps everyone handle it properly. If we don’t classify our information correctly, it might get shared inappropriately, lost, or altered, leading to security breaches or legal issues.
Framework: ISO/IEC 27001:2022
Control effect: Preventative
ISO 27001 domain: Organisational controls
Classifications: N/A
Official last update: 24 Oct 2022
Control Stack last updated: 19 Mar 2026
Maturity levels: N/A
Official control statement
Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Why it matters
Without information classification, sensitive data can be mishandled or disclosed, leading to breaches, legal non-compliance and reputational damage.
Operational notes
Periodically review classification labels and handling rules against CIA needs and interested party requirements as data sensitivity and policies change.
Implementation tips
- The IT manager should develop a clear policy on information classification. This involves creating categories like 'confidential', 'internal use', and 'public', and outlining how to handle each one. Use the ISO 27002 guidance as a framework to ensure it covers confidentiality, integrity, and availability.
- Human Resources should train all employees on the new classification policy. They should explain why classifying information is important and provide examples of proper handling for each classification category. This training ensures everyone knows their role in protecting the company’s data.
- Department heads should work together to identify the types of information within their area that need classification. They should map out what data they handle, determine its sensitivity, and classify it according to the policy. Regularly update this classification as business needs change or new information comes in.
- The legal team should review the classification policy to ensure it aligns with applicable Australian laws, such as the Privacy Act 1988. They should check that there's a clear process for legal and regulatory compliance, especially for confidential information.
- The IT department should implement technical controls that align with the classification policy. For example, restrict access to confidential information to authorised personnel only and apply encryption where necessary. Ensure these controls are tested and shown to be effective at keeping sensitive information secure.
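The following is an added example, not code from the original page or from any product the page describes, showing how the technical controls in the tips above can be driven directly by a classification policy: an ordered set of labels ('public', 'internal use', 'confidential'), a handling table per label, a clearance-plus-need-to-know access check, and a handling audit. It also generalises slightly beyond the tips: `aggregate_label` computes the label a container or medium must carry (the highest label of anything it holds). The label names, the handling rules, and the sample assets and users are all assumptions constructed for the example.

```python
"""Classification-aware access and handling checks (added example; policy values are assumed)."""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered labels: a higher value is more sensitive. Names assumed from the tips above."""
    PUBLIC = 0
    INTERNAL = 1       # 'internal use'
    CONFIDENTIAL = 2


# Handling rules per label. These values are an assumed policy, not the page's.
HANDLING = {
    Classification.PUBLIC:       {"encrypt_at_rest": False, "restricted": False},
    Classification.INTERNAL:     {"encrypt_at_rest": False, "restricted": True},
    Classification.CONFIDENTIAL: {"encrypt_at_rest": True,  "restricted": True},
}


@dataclass(frozen=True)
class Asset:
    name: str
    label: Classification
    encrypted_at_rest: bool = False
    authorised: frozenset = frozenset()   # users with a need to know (empty = nobody listed)


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: Classification              # highest label the user may read


def parse_label(text: str) -> Classification:
    """Map a protective marking string to a label; unknown markings are rejected, never defaulted."""
    key = text.strip().upper().replace(" ", "_").replace("INTERNAL_USE", "INTERNAL")
    try:
        return Classification[key]
    except KeyError:
        raise ValueError(f"unknown classification marking: {text!r}") from None


def aggregate_label(assets) -> Classification:
    """A container or medium carries the highest label of anything stored on it."""
    return max((a.label for a in assets), default=Classification.PUBLIC)


def can_access(principal: Principal, asset: Asset) -> bool:
    """Allow only if clearance covers the label AND, for restricted labels, the user is authorised."""
    if principal.clearance < asset.label:
        return False
    if HANDLING[asset.label]["restricted"] and principal.user not in asset.authorised:
        return False
    return True


def handling_violations(asset: Asset) -> list:
    """Report where an asset's actual handling falls short of the rules for its label."""
    rules = HANDLING[asset.label]
    problems = []
    if rules["encrypt_at_rest"] and not asset.encrypted_at_rest:
        problems.append(f"{asset.name}: {asset.label.name} data must be encrypted at rest")
    if rules["restricted"] and not asset.authorised:
        problems.append(f"{asset.name}: restricted data has no authorised access list")
    return problems


def media_label_ok(declared: Classification, assets) -> bool:
    """A medium's declared label must be at least the aggregate of what it holds."""
    return declared >= aggregate_label(assets)


# Constructed sample data for the demonstration (not real assets or people).
SAMPLE_ASSETS = [
    Asset("press-release.md", Classification.PUBLIC),
    Asset("org-chart.xlsx", Classification.INTERNAL, authorised=frozenset({"alice", "bob"})),
    Asset("customer-records.csv", Classification.CONFIDENTIAL,
          encrypted_at_rest=False, authorised=frozenset({"alice"})),
]

if __name__ == "__main__":
    print("backup medium must be labelled:", aggregate_label(SAMPLE_ASSETS).name)
    for asset in SAMPLE_ASSETS:
        for problem in handling_violations(asset):
            print("VIOLATION:", problem)
    bob = Principal("bob", Classification.CONFIDENTIAL)
    print("bob -> customer-records.csv:", can_access(bob, SAMPLE_ASSETS[2]))
```

Two design points worth noting: the access check fails closed on both axes (clearance and need to know), so a user with a high clearance but no business need is still refused, and `parse_label` raises on an unrecognised marking rather than silently treating it as public, which is the failure mode that lets mislabelled data leak.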
Audit / evidence tips
- Ask for a copy of the information classification policy
  - Good: the policy clearly describes each classification and its handling requirements, and aligns with ISO 27002 guidance
- Ask to see the department-specific classification documents
- Ask for legal compliance documentation related to data classifications
Cross-framework mappings
How Annex A 5.12 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| ISM-0201 | ISM-0201 mandates a specific handling safeguard for TOP SECRET environments by requiring conduits to be clearly identified as TOP SECRET ... | |
| ISM-0323 | ISM-0323 requires media to be classified to the highest sensitivity or classification of any data it stores | |
| ISM-1729 | ISM-1729 mandates specific classification outcomes for TOP SECRET destruction residues based on measurable particle sizes | |
| Partially overlaps (1) | | |
| ISM-0027 | ISM-0027 requires authorisation to operate for each system handling non-classified, OFFICIAL: Sensitive, PROTECTED or SECRET information,... | |
| Supports (12) | | |
| ISM-0208 | ISM-0208 requires a cable register that captures each cable’s sensitivity/classification and other traceability details (source, destinat... | |
| ISM-0233 | ISM-0233 mandates encryption (or non-use) of cordless handsets/headsets for sensitive or classified conversations | |
| ISM-0240 | ISM-0240 prohibits communicating sensitive or classified data via paging and messaging services | |
| ISM-0271 | ISM-0271 requires that protective marking tools do not automatically insert protective markings into emails, preventing unintended or inc... | |
| ISM-0272 | Annex A 5.12 requires organisations to implement information classification policy and practices so information is consistently classifie... | |
| ISM-0325 | ISM-0325 requires that any media connected to a higher-classified/sensitivity system be reclassified up to that higher level (unless read... | |
| ISM-0358 | ISM-0358 mandates a specific classification outcome: sanitised EPROM/EEPROM that previously held SECRET or TOP SECRET information must co... | |
| ISM-0835 | ISM-0835 specifies a concrete classification handling outcome: sanitised TOP SECRET volatile media may still retain TOP SECRET classifica... | |
| ISM-1268 | ISM-1268 requires enforcing need-to-know to database contents through privileges, roles/views, and tokenisation to ensure only authorised... | |
| ISM-1719 | ISM-1719 requires a concrete classification-driven marking rule: TOP SECRET cables are coloured red to signal their sensitivity | |
| ISM-2008 | ISM-2008 applies additional device-handling and connectivity restrictions specifically in SECRET and TOP SECRET areas, effectively treati... | |
| ISM-2100 | ISM-2100 requires that sensitive or classified data is not viewed on mobile devices within or near connected vehicles to reduce the risk ... | |
| Depends on (14) | | |
| ISM-0269 | ISM-0269 requires enforcing handling rules for specific sensitive classifications by preventing sending to distribution lists unless reci... | |
| ISM-0462 | ISM-0462 requires that organisations treat IT equipment or media according to its original sensitivity/classification during the period a... | |
| ISM-0501 | ISM-0501 requires transport controls for keyed cryptographic equipment to be selected based on the sensitivity/classification of the keyi... | |
| ISM-0565 | ISM-0565 requires email servers to block, log and report emails with inappropriate protective markings | |
| ISM-0589 | ISM-0589 requires preventing MFD scanning/copying of documents above the sensitivity/classification of the connected network | |
| ISM-0694 | ISM-0694 enforces an access restriction specifically tied to SECRET and TOP SECRET classifications and to privately-owned devices | |
| ISM-0831 | ISM-0831 requires media to be handled according to its sensitivity or classification | |
| ISM-1053 | ISM-1053 requires physical security measures (security zones for server/communications rooms) to be suitable for the classification of th... | |
| ISM-1461 | ISM-1461 requires that when virtualisation is used to share a physical server for SECRET or TOP SECRET computing environments, the host a... | |
| ISM-1482 | ISM-1482 requires enforced separation of classified data from personal data on organisation-owned devices, which presumes the organisatio... | |
| ISM-1530 | ISM-1530 requires organisations to select security containers suitable for the classification of the equipment and the security zones in ... | |
| ISM-1599 | ISM-1599 mandates handling IT equipment based on sensitivity or classification | |
| ISM-1893 | ISM-1893 requires MFA to be used for access to third-party online customer services that process, store or communicate the organisation’s... | |
| ISM-2046 | ISM-2046 requires that sensitive data is not recorded in logs in software with impersonation capabilities, and that permissions are corre... | |
| Related (5) | | |
| ISM-0270 | Annex A 5.12 requires information to be classified based on confidentiality, integrity and availability needs and related requirements | |
| ISM-0293 | Annex A 5.12 requires organisations to classify information based on security needs so people and systems handle it correctly | |
| ISM-0332 | Annex A 5.12 requires information to be classified according to organisational security needs (confidentiality, integrity, availability) ... | |
| ISM-0393 | Annex A 5.12 requires information to be classified according to the organisation’s confidentiality, integrity and availability needs and ... | |
| ISM-1083 | Annex A 5.12 requires information to be classified so handling and communication align with its security needs and stakeholder requirements | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.