
Compartmentalised Thinking for Data: Why Information Classification Is Essential
When considering the classification of information and data, one may experience mixed feelings. It makes sense to define categories for grouping similar items – this applies both in domestic settings and in the business world. You rarely find kitchen cutlery in a bedroom drawer. While “putting people in boxes” is understandably questionable – since it involves defining individuals based on phenotype, appearance or first impressions – categorising information has a legitimate place in information security. The idea often evokes scenes from films about intelligence agencies or defence contractors labelling documents as "Top Secret". This blog post aims to shed light on when such labels make sense, and when simpler classification methods might suffice.
What Companies Have in Common: Data as Assets
Every business, whether a start-up or a global enterprise, shares one trait: it generates data and information that hold value as informational assets. In research and development these may be patents, test setups, technical drawings and the like. Companies instinctively protect such data because it is widely understood that losing it could jeopardise the business model. There is also data created deliberately for external use, such as website content, marketing material for trade shows or business cards. The value of that information lies in its being widely accessible, ideally leading to contact and business transactions. The two kinds of asset call for opposite handling, and that is exactly what a classification scheme has to make explicit.
Classification Criteria and Methods
To help employees distinguish public from highly confidential information, a company needs clear classification criteria. A common approach defines sensitivity levels from S1 (public) to S4 (strictly confidential) and, for each level, a set of handling rules. For printed documents this means answering: who may hold them, how are they stored (a locked cabinet rather than an open desk), and how are they destroyed once no longer needed (shredding rather than the wastepaper basket)?

The same questions matter even more for electronic data. Where may sensitive data (S3–S4) be stored at all? How are access rights configured so that only authorised internal and, where necessary, external individuals can reach it? Transmission paths need rules too: for sensitive levels, encryption should be the default, whether as encrypted email or as an encrypted container attached to an ordinary email, and for the highest level transmission may be ruled out altogether.

Retention also belongs in the scheme: a deletion policy per level and, where required, an archiving system. Classification labels can then drive automated routines that delete or archive data once its retention period has elapsed. Such automation only works if labels are applied consistently, so unlabelled or mislabelled data needs a defined fallback rather than silently falling through.
Norms and Standards in Information Security
Relevant information security standards, such as ISO/IEC 27001, TISAX or the German sector-specific security standards (B3S) for critical infrastructure operators, all require information to be classified. The guidance in ISO/IEC 27002, for instance, covers the topic in two controls, classification of information and labelling of information, and proposes the following grouping principles:
Classify data based on the impact of a potential breach. Establish a unified scheme to classify information assets. Define rules for handling third-party information, recognising that third parties may use different classification systems. It is conceivable that information may be classified differently depending on the organisation, with some data deemed more or less sensitive.
Labelling and Staff Training
Consideration must also be given to how electronic data can be labelled using metadata, tags or technical tools – and when labelling can be omitted. Furthermore, companies should define how data should be handled when labelling is not possible.
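The handling rules per level, the mapping of third-party labels onto the company's own scheme, and the idea of a label that travels with the data as metadata can be expressed as a small policy engine. The following Python is an added example written for this edit, not code from the original post. The levels S1–S4 come from the post; the retention periods, storage location names, channel names, the foreign-label mapping and the default for unlabelled data are assumed values chosen for illustration, and the inventory is constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels from the post: S1 public up to S4 strictly confidential."""
    S1 = 1
    S2 = 2
    S3 = 3
    S4 = 4


@dataclass(frozen=True)
class Rule:
    """Handling rule for one level. All values in POLICY are assumed for illustration."""
    retention_days: int | None       # None: no automatic end-of-life action
    allowed_stores: frozenset[str]   # storage locations permitted for this level
    transmit: str                    # "plain", "encrypted" or "forbidden"
    end_of_life: str                 # "delete" or "archive" once retention has elapsed


POLICY: dict[Level, Rule] = {
    Level.S1: Rule(None,    frozenset({"public-web", "fileshare", "vault"}), "plain",     "delete"),
    Level.S2: Rule(5 * 365, frozenset({"fileshare", "vault"}),               "encrypted", "delete"),
    Level.S3: Rule(3 * 365, frozenset({"vault"}),                            "encrypted", "archive"),
    Level.S4: Rule(365,     frozenset({"vault"}),                            "forbidden", "archive"),
}

# Labels used by third parties, mapped onto the internal scheme (assumed mapping).
FOREIGN_LABELS = {"PUBLIC": Level.S1, "INTERNAL": Level.S2,
                  "CONFIDENTIAL": Level.S3, "SECRET": Level.S4}

# Data without a label is handled as internal until someone classifies it (assumption).
UNLABELLED_DEFAULT = Level.S2


@dataclass
class Asset:
    name: str
    store: str
    created: date
    metadata: dict = field(default_factory=dict)  # the label travels as metadata


def label_of(asset: Asset) -> tuple[Level, bool]:
    """Return (level, was_labelled). Labels from an unknown scheme fail closed to S4
    rather than being silently downgraded."""
    raw = asset.metadata.get("classification")
    if raw is None:
        return UNLABELLED_DEFAULT, False
    key = raw.strip().upper()
    if key in Level.__members__:
        return Level[key], True
    if key in FOREIGN_LABELS:
        return FOREIGN_LABELS[key], True
    return Level.S4, True


def review(asset: Asset, today: date) -> list[str]:
    """Findings for one asset: missing label, wrong storage location, expired retention."""
    level, labelled = label_of(asset)
    rule = POLICY[level]
    findings: list[str] = []
    if not labelled:
        findings.append("unlabelled")
    if asset.store not in rule.allowed_stores:
        findings.append(f"misplaced:{asset.store}")
    if (rule.retention_days is not None
            and today - asset.created > timedelta(days=rule.retention_days)):
        findings.append(f"expired:{rule.end_of_life}")
    return findings


def may_transmit(asset: Asset, channel: str) -> bool:
    """channel is 'plain' (ordinary email) or 'encrypted' (encrypted mail or container)."""
    required = POLICY[label_of(asset)[0]].transmit
    if required == "forbidden":
        return False
    if required == "encrypted":
        return channel == "encrypted"
    return True


def audit(inventory: list[Asset], today: date) -> dict[str, list[str]]:
    return {a.name: review(a, today) for a in inventory}


# Constructed sample inventory; file names and dates are made up for the example.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Asset("brochure.pdf",      "public-web", date(2020, 1, 1), {"classification": "S1"}),
    Asset("hr-list.xlsx",      "fileshare",  date(2019, 6, 1), {"classification": "S3"}),
    Asset("patent-draft.docx", "vault",      date(2024, 3, 1), {"classification": "S4"}),
    Asset("supplier-spec.pdf", "vault",      date(2023, 1, 1), {"classification": "Confidential"}),
    Asset("notes.txt",         "fileshare",  date(2024, 5, 5)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(f"{name:18} {', '.join(findings) or 'ok'}")
```

Two design choices are worth noting. A label the engine does not recognise is treated as S4, so a supplier's unfamiliar marking can only ever make handling stricter, never looser. And the absence of a label is itself reported as a finding, so the fallback level for unlabelled data is a visible interim state rather than a permanent home.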
A cornerstone of any classification effort is staff training. Employees must understand the scheme and be able to apply it, which only happens if it is explained clearly and intuitively. Coming back to the intelligence-agency image from the introduction: training should also say when a label is required at all. It may make sense to mark only the higher levels, S3 and S4, and to define explicitly how unmarked material is treated. The framework should enable staff to classify data on their own; for technical data such as drawings or test results, where the protection need is less obvious, companies should offer additional guidance, for example typical document types for each level.
Conclusion
Classifying information is a crucial step in helping companies protect the security and confidentiality of their data. While compartmentalised thinking is frowned upon in some aspects of everyday life, it is indispensable in information security for organising data based on its value and protection needs.
By implementing clear classification systems and training their staff, companies can ensure that sensitive information is handled properly. Standards and regulations provide helpful frameworks for building a consistent and effective security strategy. Ultimately, a well-thought-out classification approach not only protects assets but also enhances efficiency in day-to-day data management.