Information Classification Policy

This policy establishes the framework for protecting [company name]'s information assets by defining requirements for their classification, labeling, and handling. Proper classification ensures that security measures are applied in proportion to an asset’s sensitivity, value, and legal requirements, thereby safeguarding the organization’s operations, reputation, and compliance.

The primary objectives of this policy are:

  • Establish a Classification Scheme: To maintain a clear, consistent information classification scheme based on confidentiality, integrity, availability, legal obligations, and business value.
  • Assign Ownership: To ensure all significant information assets are identified, assigned an appropriate classification, and have a designated owner responsible for their lifecycle.
  • Define Handling Requirements: To specify mandatory handling requirements (storage, access, transmission, disposal) for each classification level, preventing unauthorized access, disclosure, modification, or destruction.
  • Integrate with Risk Management: To formally embed the information classification process into the company’s ICT risk assessment methodology.
  • Ensure Compliance: To demonstrate compliance with all applicable legal, regulatory, and contractual obligations for information protection.
  • Promote Awareness: To foster a culture of security by ensuring all personnel understand their responsibilities through targeted training.

This policy applies to all information assets created, received, processed, stored, or transmitted by or on behalf of [company name]. It encompasses all formats (digital, physical, spoken) and locations (internal networks, cloud services, company devices, partner sites), particularly those supporting documented business functions.

This policy is binding for all individuals with access to [company name]'s information assets, including:

  • Full-time and part-time employees.
  • Contractors, consultants, and temporary staff.
  • Any other party granted access to company information systems or data.

While third parties are not directly bound by this policy, contractual agreements must impose information handling obligations consistent with these requirements. [company name] remains accountable for the protection of its information when handled by third parties.

Information officially approved for public release is classified as ‘Public’ and is excluded from restrictive handling requirements post-publication. Any other exclusion requires a formal, risk-based justification and documented approval from the designated Policy Owner.

A four-tier classification scheme is adopted to categorize information based on its sensitivity and the potential impact of a compromise.

Restricted (Level 4)
The highest classification for information of utmost sensitivity. Unauthorized disclosure, modification, or loss could result in severe consequences, including major financial loss, critical operational disruption, extensive reputational damage, or serious legal violations. This level demands the most stringent security controls.
Examples: Strategic corporate plans, critical system credentials, sensitive combinations of Personally Identifiable Information (PII), regulatory investigation data, primary cryptographic keys.
Confidential (Level 3)
Applies to sensitive information intended for internal access on a need-to-know basis. Unauthorized disclosure, modification, or loss could cause significant financial, operational, or reputational harm.
Examples: Non-public financial results, internal audit reports, detailed customer accounts, employee PII, sensitive vendor contracts.
Internal (Level 2)
Covers information for general use by personnel but not authorized for public disclosure. Unauthorized disclosure, modification, or loss could cause moderate operational disruption or minor financial or reputational harm.
Examples: Internal policies and procedures, general employee communications, non-sensitive operational data, internal project documentation.
Public (Level 1)
Information explicitly approved for public release. While confidentiality is not a concern, controls are required to protect its integrity and availability.
Examples: Marketing materials, website content, published annual reports, press releases.

The classification level must be assigned based on an assessment of the potential impact of a security breach across the following criteria:

  • Confidentiality: Potential harm from unauthorized disclosure.
  • Integrity: Potential harm from unauthorized modification or destruction.
  • Availability: Potential harm from the loss of timely and reliable access.
  • Legal, Regulatory, and Contractual Requirements: Obligations imposed by laws, regulations, or contracts.
  • Business Value and Criticality: The strategic, operational, or financial importance of the information.

The final classification assigned to an information asset must correspond to the highest level of risk identified across any of these criteria (the ‘high-water mark’ principle).

The classification framework directly supports the identification and protection of critical or important functions (CIFs).

  1. Information assets supporting CIFs must be identified in the information asset inventory.
  2. The classification assessment for these assets must prioritize the Availability and Integrity impact criteria.
  3. The resulting classification serves as a direct input into the ICT risk assessment process, ensuring security controls and resilience measures are prioritized for assets underpinning the company’s most critical operations.

3.4. Classification Levels and Criteria Summary

| Level | Description | Confidentiality Impact | Integrity Impact | Availability Impact | Examples |
| --- | --- | --- | --- | --- | --- |
| Restricted | Highest sensitivity; severe impact if compromised. | High | High | High | Strategic plans, cryptographic keys, critical credentials. |
| Confidential | Sensitive; significant impact if compromised. | Medium-High | Medium-High | Medium-High | Customer accounts, employee PII, internal audits. |
| Internal | For internal use; moderate impact if compromised. | Low-Medium | Low-Medium | Low-Medium | Internal policies, project docs, operational data. |
| Public | Approved for public release; minimal impact. | Minimal | Low | Low | Press releases, marketing materials, website content. |

Holds ultimate responsibility for overseeing the ICT Risk Management Framework, including approving this policy, ensuring adequate resources, and reviewing reports on its effectiveness.

A senior manager or business head with primary responsibility for a set of information assets (e.g., the Head of Human Resources is the Information Owner for employee data). Responsibilities include:

  • Assigning and periodically reviewing the classification level.
  • Defining and approving access requirements based on the principle of least privilege.
  • Authorizing the final disposal of the information asset.

Technical or facilities teams responsible for the environment where information assets reside. Responsibilities include:

  • Implementing and managing technical security controls (e.g., access controls, encryption, backups) consistent with the assigned classification.
  • Executing secure data deletion and media disposal upon instruction from the Information Owner.

All personnel who access or handle company information. Responsibilities include:

  • Adhering strictly to the handling procedures defined in this policy.
  • Using information assets only for authorized business purposes.
  • Promptly reporting any suspected security incidents or policy violations.

The central coordination and oversight body for this policy. Responsibilities include:

  • Developing and maintaining this policy and related standards.
  • Providing expert guidance and delivering security awareness training.
  • Monitoring compliance and reporting on risks to senior management.

Provides independent assurance of the policy’s effectiveness through periodic audits and assessments, reporting findings to senior management.

An Information Asset Inventory must be maintained, documenting all significant assets. For each asset, the inventory must record its description, owner, location, classification level, and identify if it supports a critical or important function.

All assets classified as Restricted, Confidential, or Internal must be clearly labeled. Standardized labeling methods must be used for different formats:

  • Digital Documents: Headers, footers, watermarks, or metadata tags.
  • Emails: Subject line prefixes or sensitivity labels.
  • Physical Documents: Printed stamps or marked folders.
  • Digital Media: Physical or logical labels.
  • Systems/Applications: Banners or indicators in the user interface.

Minimum security controls are required based on classification.

Restricted
Access: Strictly need-to-know, granted to named individuals only.
Storage: Mandatory encryption at rest. Stored in highly secured environments. Physical copies in locked containers within secure areas.
Transmission: Must use approved, end-to-end encrypted channels.
Confidential
Access: Granted based on role and business need.
Storage: Stored on approved company systems with strong access controls. Encryption at rest is strongly recommended. Physical copies in locked desks or offices.
Transmission: Must use approved secure methods for external sharing.
Internal
Access: Generally available to personnel but not for external sharing without authorization.
Storage: Stored on company network drives or approved internal platforms.
Transmission: May be shared internally using standard company tools.
Public
Access: No restrictions.
Storage & Transmission: No confidentiality restrictions, but controls must ensure integrity and availability.

Access controls must enforce the principles of least privilege (minimum necessary rights) and need-to-know (legitimate business requirement), supported by a formal process for managing user access rights.

Technical and procedural DLP controls shall be implemented where appropriate based on risk assessment to monitor, detect, and block unauthorized attempts to exfiltrate sensitive data.

The use of removable media (e.g., USB drives) is restricted. Where permitted for Confidential or Restricted information, company-issued, encrypted media is mandatory. Loss or theft must be reported immediately.

Information must be permanently removed from equipment and media before disposal or re-use. Approved sanitization methods must be used, appropriate to the information’s highest classification level.

  • Paper: Cross-cut shredding or incineration.
  • Magnetic Media (HDDs): Degaussing followed by physical destruction.
  • Solid State Drives (SSDs): Cryptographic erasure followed by physical destruction.

Records documenting the secure disposal of media containing Confidential or Restricted information must be maintained.

Information classification is a critical input to the ICT risk management process.

  • The classification level directly informs the evaluation of potential impact in risk assessments, ensuring protection efforts are prioritized for the most sensitive and critical assets.
  • By mapping classified assets to critical functions, the organization can better understand and manage the specific ICT risks that could disrupt its most important services.

All personnel must complete mandatory training on this policy upon hiring and at least annually thereafter. Training must cover classification levels, individual responsibilities, and specific handling procedures. This formal training will be supplemented by ongoing awareness campaigns.

9. Policy Compliance, Monitoring, and Review

Compliance will be monitored through periodic audits, analysis of security logs, user access reviews, and technical assessments.

Failure to comply with this policy exposes [company name] to significant risks, including data breaches, financial loss, regulatory penalties, and reputational damage. Policy violations will be addressed through established disciplinary procedures, up to and including termination of employment or contract.

This policy will be reviewed at least annually or upon significant changes to the business, technology, or regulatory landscape. Substantial updates require formal approval by the Management Body.

[company name] will use findings from monitoring, audits, and incident analyses to drive continuous improvement in this policy and the organization’s overall information security posture.

  • DORA Article 8(1) and Article 9(4)
  • CDR 2024-1774 Article 11(2), Article 28(2), and Article 30(1)
  • Asset Register
  • Risk Management Methodology
  • Disposal and Destruction Policy