Is sensitive data classified and labelled (e.g. confidential, internal, public)?
Description
What this control does
This control requires organizations to implement a structured data classification scheme that categorizes information assets according to their sensitivity, business impact, and handling requirements. Classification labels (such as Public, Internal, Confidential, Restricted) must be assigned to data at creation or acquisition and maintained throughout the data lifecycle. The control ensures that personnel can readily identify the sensitivity of information they handle, enabling appropriate security measures, access controls, and incident response actions based on classification levels.
Control objective
What auditing this proves
Demonstrate that the organization has defined, implemented, and consistently applies a data classification taxonomy with visible labels across information assets, enabling risk-appropriate handling and protection.
Associated risks
Risks this control addresses
- Unauthorized disclosure of sensitive data due to employees mishandling information without understanding its criticality
- Exfiltration of high-value intellectual property or customer data that was not adequately protected because it lacked sensitivity markings
- Regulatory non-compliance and fines resulting from failure to identify and protect personally identifiable information or protected health information
- Insider threats successfully targeting valuable data that was indistinguishable from low-value information due to absent classification
- Inefficient resource allocation where security controls are either over-applied to public data or under-applied to confidential assets
- Legal liability from third-party data breaches when shared information was not properly classified and contractual protections were not enforced
- Delayed incident response and improper breach notification when responders cannot quickly determine the sensitivity of compromised data
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification policy, including definitions for each classification level and criteria for assignment.
- Identify and document the official classification taxonomy (e.g., Public, Internal, Confidential, Restricted) and the data owner or steward responsible for classification decisions.
- Select a representative sample of at least 20 data assets spanning structured databases, unstructured file shares, cloud storage repositories, and email systems across multiple business units.
- Inspect each sampled asset to verify the presence and correctness of classification labels in metadata, file properties, document headers/footers, or system tags.
- Interview data owners or custodians for sampled assets to confirm they understand classification criteria and can articulate why each asset received its assigned label.
- Review access control configurations, encryption policies, and data loss prevention rules to confirm they reference and enforce controls based on classification labels.
- Test label persistence by examining data that has been copied, shared externally, or migrated between systems to verify classification markings remain intact.
- Assess user awareness by interviewing a sample of employees across roles to verify they can identify classification labels and describe appropriate handling procedures for each level.
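As an added illustration of how steps 3, 5 and 6 of this procedure can be partly automated against an asset inventory (this is example code written for this page, not a script from the control framework or any auditing product), the following Python checks each sampled asset for a recognised label, confirms the controls configured for it meet the minimum the label demands, and flags copies or migrations where the marking was lost or downgraded. The four-level taxonomy, the label-to-control mapping in `REQUIRED_CONTROLS`, and the sample inventory are all constructed assumptions; an auditor would replace them with the organization's own policy and a metadata export from the systems in scope.

```python
"""Audit helper for data classification labels and label-driven controls.
Taxonomy, required-control mapping and inventory are constructed examples."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed taxonomy, ordered from least to most sensitive.
TAXONOMY = ("Public", "Internal", "Confidential", "Restricted")

# Assumed minimum controls per level, i.e. what access control, encryption
# and DLP configuration must enforce when it references the label.
REQUIRED_CONTROLS = {
    "Public": set(),
    "Internal": {"authenticated_access"},
    "Confidential": {"authenticated_access", "encryption_at_rest", "dlp_rule"},
    "Restricted": {"authenticated_access", "encryption_at_rest",
                   "dlp_rule", "need_to_know_acl"},
}


@dataclass
class Asset:
    asset_id: str
    system: str                            # "db", "fileshare", "cloud", "email"
    raw_label: Optional[str]               # marking as found in metadata/tag
    controls: set = field(default_factory=set)
    copied_from: Optional[str] = None      # source asset if this is a copy


def normalize_label(raw):
    """Map a raw marking to a taxonomy level; None if absent or unknown."""
    if raw is None:
        return None
    cleaned = raw.strip().lower()
    for level in TAXONOMY:
        if cleaned == level.lower():
            return level
    return None


def audit_asset(asset):
    """Return findings for one asset: label presence/validity, then controls."""
    findings = []
    if asset.raw_label is None:
        return ["missing_label"]
    level = normalize_label(asset.raw_label)
    if level is None:
        return [f"unknown_label:{asset.raw_label}"]
    for ctl in sorted(REQUIRED_CONTROLS[level] - asset.controls):
        findings.append(f"missing_control:{ctl}")
    return findings


def check_persistence(source, copy):
    """A copy's label must be present and no lower than the source's."""
    src = normalize_label(source.raw_label)
    dst = normalize_label(copy.raw_label)
    if src is None:
        return None            # nothing reliable to compare against
    if dst is None:
        return "label_lost_on_copy"
    if TAXONOMY.index(dst) < TAXONOMY.index(src):
        return f"label_downgraded:{src}->{dst}"
    return None


def audit_inventory(assets):
    """Findings per asset id, including persistence checks on copies."""
    by_id = {a.asset_id: a for a in assets}
    report = {}
    for a in assets:
        findings = audit_asset(a)
        if a.copied_from and a.copied_from in by_id:
            problem = check_persistence(by_id[a.copied_from], a)
            if problem:
                findings.append(problem)
        report[a.asset_id] = findings
    return report


def coverage(report):
    """Fraction of sampled assets with no findings."""
    clean = sum(1 for f in report.values() if not f)
    return clean / len(report) if report else 0.0


# Constructed sample inventory spanning the system types the procedure names.
SAMPLE = [
    Asset("db-customers", "db", "Confidential",
          {"authenticated_access", "encryption_at_rest", "dlp_rule"}),
    Asset("share-hr-payroll", "fileshare", "restricted",
          {"authenticated_access", "encryption_at_rest"}),
    Asset("s3-marketing-site", "cloud", "Public", set()),
    Asset("share-design-docs", "fileshare", None, {"authenticated_access"}),
    Asset("mail-q3-forecast", "email", "Secret", {"authenticated_access"}),
    Asset("s3-customer-export", "cloud", "Internal",
          {"authenticated_access"}, copied_from="db-customers"),
]

if __name__ == "__main__":
    rep = audit_inventory(SAMPLE)
    for aid, f in rep.items():
        print(f"{aid}: {'OK' if not f else ', '.join(f)}")
    print(f"assets with no findings: {coverage(rep):.0%}")
```

Label matching is case-insensitive so that an inconsistently typed marking still maps to its level, while a marking outside the taxonomy (such as "Secret" in the sample) is reported as unknown rather than silently accepted; the persistence check treats a downgrade on copy as a finding because an export of Confidential data labelled Internal would fall outside the DLP and encryption rules keyed to the source's level.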