richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaning up the Sparks folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 09:31:41 +02:00
parent eb610a79b6
commit 96cd8fea7b
78 changed files with 149 additions and 181 deletions
Download patch file Download diff file Expand all files Collapse all files

37
Corpus/Sparks/ISMS/Labeling of information in the digital domain.md Normal file
View file

@ -0,0 +1,37 @@
[ISO 27001 A 8.2.2 Labelling of information](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2.2%20Labelling%20of%20information.md) makes procedures for information labelling in accordance with the classification scheme mandatory.
For physical assets its straightforward: a restricted area sign on the door to the server room, a classified mark on a folder, a privacy sensitive sticker on a backup tape, etc.
But how would you implement labeling in the digital domain of databases, file systems, SaaS environments, etc.?
Brahman Thiyagalingham suggested in [this LinkedIn thread](https://www.linkedin.com/feed/update/urn:li:activity:6878704465160007680/?commentUrn=urn%3Ali%3Acomment%3A(groupPost%3A67493-6878704464929316864%2C6878973141931094016)&replyUrn=urn%3Ali%3Acomment%3A(groupPost%3A67493-6878704464929316864%2C6879367802243866624)) that, to ensure the proper handling of (digital) information assets, you would rely on "something like a proper RBAC model, Identity Access solution with a PAM, DRM and DLP". Implying the concept of labeling has been replaced by applying these tools.
It could be said that these tools apply labeling implicitely, because effective implementation of these solutions requires that the solution knows what forms of protection each information asset needs.
That means classifying information assets (control 8.2.1) and determining acceptable use (control 8.1.3).
Labeling of digital information assets close to the source e.g. assign a classification-label to a database column will help create a consistent approach across individual solutions.
Looking at it that way, any metadata that helps ensure the acceptable use and proper handling of information assets could be identified as labeling. A data dictionary that contains classification information could also be considered to use labeling.
Related:
- [ISO 27001 A 8.2.1 Classification of information](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2.1%20Classification%20of%20information.md)
- [ISO 27001 A 8.1.3 Acceptable use of assets](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.1.3%20Acceptable%20use%20of%20assets.md)
- [[Enforcement tooling]]
[ISO 27001 A 8.2.2 Labelling of information](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2.2%20Labelling%20of%20information.md) makes procedures for information labelling in accordance with the classification scheme mandatory.
For physical assets its straightforward: a restricted area sign on the door to the server room, a classified mark on a folder, a privacy sensitive sticker on a backup tape, etc.
But how would you implement labeling in the digital domain of databases, file systems, SaaS environments, etc.?
Brahman Thiyagalingham suggested in [this LinkedIn thread](https://www.linkedin.com/feed/update/urn:li:activity:6878704465160007680/?commentUrn=urn%3Ali%3Acomment%3A(groupPost%3A67493-6878704464929316864%2C6878973141931094016)&replyUrn=urn%3Ali%3Acomment%3A(groupPost%3A67493-6878704464929316864%2C6879367802243866624)) that, to ensure the proper handling of (digital) information assets, you would rely on "something like a proper RBAC model, Identity Access solution with a PAM, DRM and DLP". Implying the concept of labeling has been replaced by applying these tools.
It could be said that these tools apply labeling implicitely, because effective implementation of these solutions requires that the solution knows what forms of protection each information asset needs.
That means classifying information assets (control 8.2.1) and determining acceptable use (control 8.1.3).
Labeling of digital information assets close to the source e.g. assign a classification-label to a database column will help create a consistent approach across individual solutions.
Looking at it that way, any metadata that helps ensure the acceptable use and proper handling of information assets could be identified as labeling. A data dictionary that contains classification information could also be considered to use labeling.
Related:
- [ISO 27001 A 8.2.1 Classification of information](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.2.1%20Classification%20of%20information.md)
- [ISO 27001 A 8.1.3 Acceptable use of assets](../../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%208.1.3%20Acceptable%20use%20of%20assets.md)
- [[Enforcement tooling]]