Every document in the organisation is treated the same way: stored on a shared drive, emailed freely and discussed in open meetings. A trade secret sits next to the canteen menu. When a sensitive customer contract is accidentally attached to a supplier email, nobody notices — because there is no system for distinguishing critical information from routine data. A.5.12 requires the organisation to classify information according to its protection needs, so that appropriate handling rules can be applied.
Classification is the bridge between the asset inventory and operational security. It translates the abstract question “how important is this information?” into concrete protection categories that everyone in the organisation can apply.
What does the standard require?
- Define a classification scheme. The organisation must establish a classification scheme that reflects the protection needs of its information across confidentiality, integrity and availability.
- Classify all information assets. Information in the asset inventory must be classified according to the scheme. The classification should reflect the information’s value, sensitivity and legal or contractual requirements.
- Assign classification responsibility. The information owner is responsible for assigning and maintaining the classification level. This responsibility should be documented.
- Review and reclassify as needed. Classification is not static. Information may change in sensitivity over time — a product roadmap is highly confidential before launch and public afterwards. Regular reviews and event-driven reclassification ensure accuracy.
- Align with handling rules. Each classification level must have associated handling rules that define how information at that level may be stored, transmitted, accessed and disposed of (detailed in A.5.13).
In practice
Keep the scheme simple. A classification scheme that people actually use is worth more than an elaborate one that is ignored. Three to four levels cover the needs of most organisations. Provide concrete examples for each level — employees classify more consistently when they can see where common document types belong.
Classify by consequence. The classification level should reflect the worst-case consequence of a security breach affecting the information. Ask: “What happens if this information is disclosed to an unauthorised person? What if it is altered without detection? What if it becomes unavailable?” The answers determine the level.
Embed classification in daily processes. Make classification part of document creation workflows. Template headers can include a classification field. Email systems can offer classification tags. The goal is to make classification a natural step rather than an afterthought.
Address over-classification. When in doubt, people tend to classify too high. Over-classification leads to excessive restrictions on routine information, creates operational friction and desensitises people to classification labels. Counter this by providing clear guidance and examples, and by including over-classification in periodic reviews.
Typical audit evidence
Auditors typically expect the following evidence for A.5.12:
- Classification policy — defining the scheme, levels, criteria and responsibilities
- Classified asset inventory — showing that assets in the inventory have assigned classification levels
- Classification guidelines — practical guidance with examples for each level
- Handling rules matrix — mapping classification levels to permitted storage, transmission and disposal methods
- Review records — evidence that classifications were reviewed and updated where necessary
KPI
% of information assets classified according to the defined classification scheme
This KPI measures adoption of the classification scheme across the asset inventory. Target: 100% of registered information assets have an assigned classification level. A significant gap indicates that the scheme is either too complex or insufficiently communicated.
Supplementary KPIs:
- Percentage of classified assets whose classification was reviewed within the last 12 months
- Number of reclassification events per quarter (indicates active lifecycle management)
- Percentage of employees trained on the classification scheme
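As an added illustration (not code from the page or from any standard), the following Python sketch applies the "classify by consequence" rule from the In practice section, flags over-classified entries for the periodic review, and computes the primary KPI together with the 12-month review KPI over a small inventory. The four-level scheme, the 0..3 consequence scale and the sample assets are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed four-level scheme, lowest to highest protection need (not from the page).
LEVELS = ["Public", "Internal", "Confidential", "Strictly Confidential"]

@dataclass
class Asset:
    name: str
    owner: str
    # Worst-case consequence of a breach per dimension on a constructed 0..3 scale:
    # 0 negligible, 1 limited, 2 serious, 3 severe (e.g. legal breach, lost business).
    confidentiality: int
    integrity: int
    availability: int
    assigned: Optional[str] = None        # level the owner recorded in the inventory
    classified_on: Optional[date] = None  # date of last classification or review

def classify(asset: Asset) -> str:
    """Classify by consequence: the worst-case rating across C, I and A decides."""
    worst = max(asset.confidentiality, asset.integrity, asset.availability)
    if not 0 <= worst < len(LEVELS):
        raise ValueError(f"consequence rating out of range for {asset.name!r}")
    return LEVELS[worst]

def over_classified(assets: List[Asset]) -> List[str]:
    """Review check: assets whose recorded level exceeds the consequence-based one."""
    return [a.name for a in assets if a.assigned is not None
            and LEVELS.index(a.assigned) > LEVELS.index(classify(a))]

def classification_kpi(assets: List[Asset], today: date) -> Tuple[float, float]:
    """(% of assets with an assigned level, % of those reviewed in the last 12 months)."""
    classified = [a for a in assets if a.assigned is not None]
    reviewed = [a for a in classified
                if a.classified_on and today - a.classified_on <= timedelta(days=365)]
    pct_classified = 100 * len(classified) / len(assets) if assets else 0.0
    pct_reviewed = 100 * len(reviewed) / len(classified) if classified else 0.0
    return round(pct_classified, 1), round(pct_reviewed, 1)

# Constructed sample inventory; names, ratings and dates are illustrative only.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Asset("Canteen menu", "Facilities", 0, 0, 0, "Public", date(2025, 1, 10)),
    Asset("Product roadmap (pre-launch)", "Product", 3, 1, 1, "Strictly Confidential", date(2025, 3, 2)),
    Asset("Payroll master data", "HR", 1, 2, 1, "Confidential", date(2023, 11, 20)),
    Asset("Weekly status slides", "PMO", 1, 0, 0, "Strictly Confidential", date(2025, 5, 5)),
    Asset("Supplier price list", "Procurement", 1, 1, 0),  # registered but not yet classified
]
```

Note that the payroll record lands in "Confidential" because of its integrity rating, not its confidentiality rating, which is the point of asking all three questions; the status slides are flagged as over-classified and the unclassified price list pulls the primary KPI below the 100% target.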
BSI IT-Grundschutz
A.5.12 maps to the following BSI requirements:
- BSI-Standard 200-2 Chapter 5.1 (Definition of protection requirements) — requires organisations to define protection requirement categories (normal, high, very high) for confidentiality, integrity and availability.
- BSI-Standard 200-2 Chapter 8.2 (Protection requirements assessment) — mandates assessment of protection requirements for all identified information assets, applications and IT systems.
- ISMS.1.A10 (Classification of information) — requires a classification scheme aligned with the organisation’s protection objectives and legal requirements.
Related controls
A.5.12 enables risk-proportionate protection:
- A.5.10 — Acceptable use: Acceptable use rules vary by classification level.
- A.5.11 — Return of assets: Classified information requires special handling during asset return.
- A.5.13 — Labelling of information: Labels make classification visible and actionable.
- A.5.14 — Information transfer: Transfer rules depend on the classification level of the information being sent.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.5.12 — Classification of information
- ISO/IEC 27002:2022 Section 5.12 — Implementation guidance
- BSI IT-Grundschutz, BSI-Standard 200-2 — IT-Grundschutz methodology