T1.3.1 - CLASSIFICATION OF INFORMATION Implementation Guidance
The entity shall develop a classification scheme for its information.
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard.
Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with the classification of the information that is stored in, processed by or otherwise handled or protected by the asset.
The classification scheme should include conventions for classification and criteria for review of the classification over time, in accordance with a predetermined access control policy. The level of protection in the scheme should be assessed by analyzing confidentiality, integrity and availability and any other requirements for the information considered.
Owners of information assets should be accountable for their classification. The scheme should be consistent across the whole entity so that everyone will classify information and related assets in the same way, have a common understanding of protection requirements and apply the appropriate protection. Each level should be given a name that makes sense in the context of the classification scheme’s application. Classification should be included in the entity’s processes, and be consistent and coherent across the entity. Results of classification should indicate the value of assets depending on their sensitivity and criticality to the entity, e.g. in terms of confidentiality, integrity and availability. Results of classification should be updated in accordance with changes in their value, sensitivity and criticality throughout their life-cycle.