Classification scheme published
Demonstrate that a formal, approved data classification scheme has been documented, published to relevant stakeholders, and is accessible to personnel responsible for handling organizational information.
Description
What this control does
This control requires the organization to develop, approve, and publish a formal data classification scheme that defines categories of information based on sensitivity, criticality, and regulatory requirements. The scheme must specify classification levels (e.g., Public, Internal, Confidential, Restricted), criteria for assigning each level, handling requirements, and roles responsible for classification decisions. Publishing ensures staff, contractors, and authorized third parties understand how to identify, label, and protect information assets according to their assigned classification. Without a published scheme, inconsistent classification leads to inadequate protection of sensitive data and compliance gaps.
Control objective
What auditing this proves
Demonstrate that a formal, approved data classification scheme has been documented, published to relevant stakeholders, and is accessible to personnel responsible for handling organizational information.
Associated risks
Risks this control addresses
- Unauthorized disclosure of sensitive data due to inconsistent or absent classification standards leading to improper access controls
- Regulatory non-compliance from failure to identify and protect personally identifiable information, payment card data, or health records according to legal requirements
- Insiders mishandling or exfiltrating high-value intellectual property undetected because unclear classification criteria leave it unlabeled and therefore outside the data loss prevention and monitoring rules keyed to classification labels
- Over-classification causing operational friction and productivity loss when routine business data receives unnecessarily restrictive controls
- Under-classification resulting in inadequate encryption, access restrictions, or audit logging for data requiring elevated protection
- Third-party vendors mishandling shared data because classification expectations were not communicated through contract or onboarding processes
- Incident response delays when security teams cannot quickly determine the sensitivity of compromised information due to ambiguous or unpublished classification guidance
Testing procedure
How an auditor verifies this control
- Request the current published data classification policy or standard from the information security team or document management system.
- Verify the classification scheme defines at least three distinct levels with clear criteria for assignment based on confidentiality, integrity, and availability requirements, and that the criteria are mutually exclusive so that a given asset maps to exactly one level.
- Confirm the document includes handling instructions for each classification level covering labeling, storage, transmission, access control, retention, and disposal requirements.
- Review evidence of formal approval by a designated authority such as the Chief Information Security Officer, Data Governance Committee, or equivalent executive leadership, including the approval date, document version, and the defined review cycle, and confirm the published copy is the approved version.
- Identify the publication channels used to distribute the classification scheme such as intranet portals, policy repositories, training modules, or employee handbooks.
- Interview a sample of employees across different departments to assess awareness of the classification scheme, their ability to locate the published document, and their ability to assign the correct level to a representative item they handle in their role.
- Examine access logs or usage statistics for the published classification scheme to corroborate that personnel in the roles that require it are actually reaching it; treat low usage as a finding to investigate rather than as proof of unavailability, since availability is evidenced primarily by the publication channels and the interviews above.
- Compare the published classification scheme against regulatory requirements applicable to the organization such as GDPR, HIPAA, PCI DSS, or industry-specific standards to verify alignment with legal obligations.
Where this control is tested