The ISO 2700x series of specifications sets out an international standard for an Information Security Management System (ISMS). While the series encompasses several standards (27000-8), the Standard for ISMS (27001) and the Code of Practice for ISMS (27002) are the most heavily referenced. In this paper, we’ll adopt the industry convention of using ISO 27001 to refer to the collective standard.
ISO 27001 requires that organizations systematically examine their information security risks, taking account of threats, vulnerabilities and the impacts of breaches. Based on this assessment, they must design and implement a coherent and comprehensive set of information security controls and adopt an overarching management process to ensure that the controls continue to meet the organization's information security needs over time.
ISO 27001 explicitly mandates information classification, labeling, handling, and protection. Information classification and labeling allow an organization to identify and categorize its information assets, so that it can focus its security strategy on the information identified as most important or sensitive. Experience shows that an effective classification and labeling strategy for email and common document formats is the foundation of an effective security strategy.
Continue reading to learn how information labeling and classification strategies will help your organization comply with requirements to manage and secure digital assets.