A.8.2 Information classification

Version: 3.0

Valid until: 2025-03-26

Classification: Low

Version Management

| Version | Author(s) | Change(s) | Date approved |
|---|---|---|---|
| 1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-07-07 |
| 1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.8.2 Information and classification. | 2022-10-20 |
| 2.0 | Edward Robinson | Additions/changes as part of the annual review. As per recommendation of the internal auditor, additional classification subtypes were added to the table. | 2023-05-15 |
| 3.0 | Edward Robinson | Additions/changes as part of the annual review. Cosmetic upgrade of the classification table. Updated the anDREa People link under Administrations. | |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the information classification policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objective of this control is:


  • To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation (A.8.2).

Scope


The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.8.2 Information classification

A.8.2.1 Classification of information


“Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.”

anDREa classifies information according to the table below:

Classification: Low / Public

  Description: Loss or damage of the asset results in no impact and no loss of company-sensitive or privacy-sensitive information.

  Guidelines/requirements: Handle with care:

    • Use as intended.

    • Follow asset instructions when applicable.

Classification: High / Confidential

  Description: Loss or damage of the asset can result in loss of company-sensitive or privacy-sensitive information belonging to anDREa or to anDREa-related partners, prospects and clients.

  Guidelines/requirements: In addition to the above, an asset must:

    • Have password protection.

    • Ideally be encrypted (e.g. BitLocker).

    • Ideally use a VPN when connecting to open networks.

    • Home networks, a personal hotspot and Eduroam are considered safe networks.

    • Have separate user accounts when the device is shared with others.

    • Be locked with a password, PIN or other means whenever the device is left unattended.

    • After completion of work for anDREa, and after all relevant work has been handed over to anDREa, have all anDREa-related data erased beyond recovery.


A.8.2.2 Labelling of information


“An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.”

anDREa classifies information according to the table above. Information is labelled Low/Public or High/Confidential and must always carry a version number together with a date. anDREa strives to be as transparent as possible; therefore, the policy documents of the Information Security Management System (ISMS) are publicly available in our Knowledge Base and classified as Low/Public. Records are stored and made accessible through Role Based Access Control (RBAC), applying the least-privilege and need-to-know principles. Contracts and personnel files are classified as High/Confidential and are likewise accessible only through RBAC on a least-privilege and need-to-know basis. The access control policy, checks and controls are further described in A.9 Access control.


A.8.2.3 Handling of assets


“Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.”

The handling of assets is further described in A.6.2 Mobile devices and teleworking and in A.8 Asset management.

Administrations

  • All documents must have an information classification label and/or versioning with a date.

  • anDREa People for RBAC.

  • All controls and checks belonging to A.9 Access control.
