Why classify information?
Not all information is equally worth protecting. Treating everything the same — either with maximum or minimum protection — is inefficient and expensive. Information classification provides proportionality: the right protection for the right data.
The basic principle: If you don’t know what you have, you can’t protect it properly. Classification is the first step towards conscious information management.
The CIA Model
The three protection values:
| Value | Question | Example impact |
|---|---|---|
| Confidentiality | What happens if unauthorised people see this? | Reputational damage, competitive loss, GDPR fines |
| Integrity | What happens if the information is changed? | Wrong decisions, financial loss, dangerous products |
| Availability | What happens if we can’t access this? | Business disruption, missed deadlines, customer impact |
Assess all three separately. Information can have high confidentiality but low availability requirements (archived data), or high availability but low confidentiality (public website).
Classification Levels
- Public: Information intended for the general public. No harm if it spreads. Examples: press releases, marketing, public website.
- Internal: Everyday information for internal use. Limited harm if leaked. Examples: internal communications, procedures, meeting bookings.
- Confidential: Sensitive information requiring protection. Significant harm if leaked. Examples: customer data, business plans, personal data, contracts.
- Strictly Confidential: The most valuable information to protect. Serious harm if leaked. Examples: trade secrets, sensitive personal data, strategic plans.
Protection Measures by Level
| Level | Access | Storage | Transfer | Destruction |
|---|---|---|---|---|
| Public | Everyone | No requirements | No requirements | No requirements |
| Internal | Employees | Basic protection | Normal | Normal |
| Confidential | Need-to-know | Encryption | Secure channel | Secure |
| Strictly Confidential | Strictly limited | Strong encryption | End-to-end | Verified destruction |
The Classification Process
- Identify information assets: Inventory what information exists: systems, databases, documents, email, cloud services. Where is what stored? Who creates and uses it?
- Appoint information owners: Each information category needs an owner — someone who understands the business value. Often the department head or process owner, not IT.
- Assess CIA values: The information owner assesses what happens with a lack of confidentiality, integrity or availability, using consequence categories to rate the impact.
- Assign classification level: Choose the level based on the CIA assessment. The highest individual value determines the level: high confidentiality combined with low integrity still gives Confidential.
- Define handling rules: Which protection measures apply to each level? Document them in the policy. Everyone must know how each level should be handled.
- Implement marking: Mark information with its classification in documents, systems and email, so that it is visible what applies.
- Train and follow up: Employees must understand the system: what the levels mean and how they should act. Follow up compliance.
Marking in Practice
Document marking:
- Header/footer with classification level
- Cover sheet for sensitive documents
- File naming convention (e.g. CONF_report.docx)
Email marking:
- Subject line: [CONFIDENTIAL]
- Signature banner
- Automatic marking in email client
System marking:
- Metadata in document management system
- Labels in SharePoint/Teams
- DLP integration (Data Loss Prevention)
Physical marking:
- Labels on binders and folders
- Signage in rooms with sensitive information
- Lockable cabinets for confidential material
Connection to GDPR
Personal data requires special attention when classifying:
| Personal data type | Typical classification | Rationale |
|---|---|---|
| Name, email (general) | Confidential | Personal data, GDPR applies |
| National ID numbers | Strictly confidential | Sensitive, risk of misuse |
| Health data | Strictly confidential | Special category under GDPR |
| Trade union membership | Strictly confidential | Special category under GDPR |
| Public contact details | Public | Intended for distribution |
Connection to NIS2
NIS2 relevance:
NIS2 requires “appropriate technical and organisational measures” based on risk. Information classification is fundamental for:
- Prioritising protection — Focus resources on critical information
- Defining incident categories — What is “significant”?
- Supplier requirements — What information may be shared externally?
- Continuity planning — What must be restored first?
Article 21 requirements affecting classification:
- Risk management (requires understanding of what is worth protecting)
- Access control (based on information sensitivity)
- Encryption (depending on classification)
Common Pitfalls
- Everything becomes "confidential" to be safe. Result: nobody takes classification seriously and the system is undermined.
- IT determines classification without business input. They understand technology, not business value.
- Classification is done once and never updated. New information ends up in limbo.
- Seven levels with 20 attributes. Nobody understands them, nobody follows them. Keep it simple.
- Classification exists on paper but nothing happens. Everything gets the same protection anyway.
- Focus on internal systems while data in Dropbox, Google Drive and Slack goes unclassified.
Automation
Manual classification doesn’t scale well. Modern tools can help:
| Function | Description |
|---|---|
| Automatic discovery | Scan systems for national ID numbers, credit cards, keywords |
| Suggest classification | AI-based suggestions based on content |
| Marking | Automatic labels in documents and email |
| DLP | Prevent confidential data being sent incorrectly |
| Reporting | Overview of classified data |
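To make the automation functions concrete, the following is an added example written for this page; it is not Securapilot's code or the product's own logic. It scans text for card numbers (validated with a Luhn checksum so that random digit runs are not flagged), national ID numbers and keywords, suggests a level using the same "highest individual value determines" rule as the classification process, applies the [CONFIDENTIAL]-style subject marking, and runs a DLP check that blocks Confidential or higher content addressed to external recipients over plain email. The 10-digit national ID pattern, the keyword lists, the level given to card numbers, the "Internal" floor when nothing is found, and the internal domain example.com are assumptions; the sample email is constructed.

```python
"""Content discovery, classification suggestion and an outbound DLP check.

Added example, not Securapilot's or the page's own code. Assumed (not from
the page): the 10-digit national ID format, the keyword lists, the level
assigned to card numbers, the "Internal" floor and the internal domain.
"""
import re
from dataclasses import dataclass

# Levels in ascending order; the page's four-level model.
LEVELS = ["Public", "Internal", "Confidential", "Strictly Confidential"]

# Constructed patterns and keyword lists (assumptions; tune per organisation).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")    # 13-19 digits, optional separators
NATIONAL_ID_RE = re.compile(r"\b\d{6}[-+]?\d{4}\b")  # assumed YYMMDD-NNNN style, format only
KEYWORDS = {
    # page's GDPR table: health data is a special category -> Strictly Confidential
    "health_data": (("patient", "diagnosis", "medical record", "sick leave"), "Strictly Confidential"),
    # page's examples of Confidential information: contracts, business plans, customer data
    "business_sensitive": (("contract", "business plan", "customer list"), "Confidential"),
}
INTERNAL_DOMAIN = "example.com"  # assumed; every other domain counts as external


@dataclass
class Finding:
    kind: str
    level: str
    match: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Automatic discovery: card numbers, national IDs and keywords."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            # assumed level: the page rates national IDs Strictly Confidential because
            # of misuse risk; card numbers are treated the same way here
            findings.append(Finding("credit_card", "Strictly Confidential", m.group()))
    for m in NATIONAL_ID_RE.finditer(text):
        findings.append(Finding("national_id", "Strictly Confidential", m.group()))
    lowered = text.lower()
    for kind, (words, level) in KEYWORDS.items():
        for word in words:
            if word in lowered:
                findings.append(Finding(kind, level, word))
    return findings


def suggest_level(findings: list[Finding]) -> str:
    """The highest individual finding decides, as in the page's CIA rule.
    With no findings the floor is Internal (assumption): no hits does not
    prove the information is public; the information owner confirms that."""
    if not findings:
        return "Internal"
    return max((f.level for f in findings), key=LEVELS.index)


def mark_subject(subject: str, level: str) -> str:
    """Page's email convention: a [CONFIDENTIAL]-style tag in the subject line."""
    tag = f"[{level.upper()}]"
    return subject if subject.startswith(tag) else f"{tag} {subject}"


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def dlp_decision(mail: OutboundMail) -> dict:
    """Allow, or block when Confidential-or-higher content leaves the internal
    domain over plain email, which is not a 'secure channel' in the page's table."""
    findings = scan(mail.body)
    level = suggest_level(findings)
    external = [r for r in mail.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    needs_secure_channel = LEVELS.index(level) >= LEVELS.index("Confidential")
    return {
        "level": level,
        "action": "block" if needs_secure_channel and external else "allow",
        "external_recipients": external,
        "finding_kinds": sorted({f.kind for f in findings}),
        "subject": mark_subject(mail.subject, level),
    }


if __name__ == "__main__":
    # constructed sample message
    mail = OutboundMail(
        sender="anna@example.com",
        recipients=["partner@supplier.example"],
        subject="Payment details",
        body="Card on file: 4111 1111 1111 1111. Contract renewal attached.",
    )
    print(dlp_decision(mail))
```

The scanner only ever escalates: it proposes a level and the marking, while the information owner still decides, which matches the page's point that IT implements protection rather than determining classification. The Luhn check illustrates why discovery rules need validation beyond pattern matching; a bare 16-digit regex would flood the owner with false positives.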
Implementation Tips
Start simple:
- Three to four levels are enough
- Focus on new information first
- Pilot department before organisation
- Iterate based on feedback
Secure buy-in:
- Management decision — policy required
- Information ownership — appoint responsible parties
- Training — everyone must understand
- Follow-up — measure compliance
Technical support:
- Document templates with marking
- Email classification
- DLP for monitoring
- Integrated tools
How Securapilot Can Help
Securapilot supports information classification:
- Asset register — Inventory and classify assets
- CIA assessment — Structured assessment of protection values
- Classification policy — Templates and guidance
- Risk connection — See how classification affects risk picture
- Reporting — Overview of classified information
Book a demo and see how we support your classification work.
Frequently asked questions
How many classification levels are needed?
3-4 levels are sufficient for most organisations. More levels create complexity without corresponding benefit. Common: Public, Internal, Confidential, Strictly Confidential.
Who determines the classification?
The information owner classifies. This is the person or function responsible for the information from a business perspective, not IT. IT implements the protection.
Must we classify everything?
In practice, focus on information that is actively created and handled. Archived data can be classified retrospectively as needed. Start with the most critical.
What happens if you classify incorrectly?
Over-classification leads to unnecessary costs and obstacles. Under-classification involves risk. It's better to start cautiously and adjust than not classify at all.