ISO 27001 A 8.2.2 Labelling of information makes procedures for information labelling in accordance with the classification scheme mandatory.
For physical assets it’s straightforward: a ‘restricted area’ sign on the door to the server room, a ‘classified’ mark on a folder, a ‘privacy sensitive’ sticker on a backup tape, etc.
But how would you implement labeling in the digital domain of databases, file systems, SaaS environments, etc.?
Brahman Thiyagalingham suggested in this LinkedIn thread that, to ensure the proper handling of (digital) information assets, you would rely on "something like a proper RBAC model, Identity Access solution with a PAM, DRM and DLP". This implies that the concept of labeling has been replaced by the application of these tools.
It could be said that these tools apply labeling implicitly, because effective implementation of these solutions requires that the solution ‘knows’ what forms of protection each information asset needs. That means classifying information assets (control 8.2.1) and determining acceptable use (control 8.1.3). Labeling digital information assets ‘close to the source’ – e.g. assigning a classification label to a database column – helps create a consistent approach across the individual solutions.
Looking at it that way, any metadata that helps ensure the acceptable use and proper handling of information assets could be identified as ‘labeling’. A data dictionary that contains classification information could also be considered to use labeling.
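As an added illustration of the two ideas above (a classification label assigned to a database column, and a data dictionary that carries classification information), the following example is not part of the original post. It keeps a column-level data dictionary inside the database itself, runs the check a control owner would want (are there any columns without a label?), and shows enforcement tooling deriving handling decisions from the labels alone. The table, column and label names, and the export-handling policy, are constructed for the example; the four-level label set is an assumption, not ISO 27001 terminology.

```python
"""
Added example (not from the original post): a column-level classification
'data dictionary' kept inside the database itself, so that labels live close
to the source and can be consumed by enforcement tooling.

The schema, table names and label names below are constructed for the
example; the label set (PUBLIC/INTERNAL/CONFIDENTIAL/RESTRICTED) is an
assumption, not ISO 27001 prescribed terminology.
"""
import sqlite3

LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")

# Handling rule per label (assumed policy for the example): how a column may
# appear in a general-purpose export.
EXPORT_HANDLING = {
    "PUBLIC": "plain",
    "INTERNAL": "plain",
    "CONFIDENTIAL": "masked",
    "RESTRICTED": "omit",
}


def build_db() -> sqlite3.Connection:
    """Create a constructed sample database with a business table and the
    classification dictionary sitting beside it (one column is left
    unlabelled on purpose)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE customer (
            id          INTEGER PRIMARY KEY,
            email       TEXT,
            ssn         TEXT,
            newsletter  INTEGER,
            notes       TEXT
        );
        -- The label store: one row per column, close to the data it describes.
        CREATE TABLE data_dictionary (
            table_name   TEXT NOT NULL,
            column_name  TEXT NOT NULL,
            label        TEXT NOT NULL
                         CHECK (label IN ('PUBLIC','INTERNAL','CONFIDENTIAL','RESTRICTED')),
            PRIMARY KEY (table_name, column_name)
        );
        INSERT INTO data_dictionary VALUES
            ('customer', 'id',         'INTERNAL'),
            ('customer', 'email',      'CONFIDENTIAL'),
            ('customer', 'ssn',        'RESTRICTED'),
            ('customer', 'newsletter', 'PUBLIC');
        INSERT INTO customer VALUES
            (1, 'a@example.org', '123-45-6789', 1, 'vip'),
            (2, 'b@example.org', '987-65-4321', 0, NULL);
        """
    )
    return con


def unlabelled_columns(con: sqlite3.Connection) -> list[tuple[str, str]]:
    """Control check for 8.2.2: every column in every user table must carry
    a label. Returns (table, column) pairs with no dictionary entry."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT IN ('data_dictionary') AND name NOT LIKE 'sqlite_%'")]
    missing = []
    for table in tables:
        labelled = {r[0] for r in con.execute(
            "SELECT column_name FROM data_dictionary WHERE table_name=?", (table,))}
        for row in con.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]
            if col not in labelled:
                missing.append((table, col))
    return missing


def export_query(con: sqlite3.Connection, table: str) -> str:
    """Derive a SELECT for a general export from the labels alone:
    plain columns pass through, CONFIDENTIAL ones are masked, RESTRICTED
    ones are left out, and an unlabelled column refuses the export
    (fail closed rather than guessing a handling rule)."""
    labels = dict(con.execute(
        "SELECT column_name, label FROM data_dictionary WHERE table_name=?", (table,)))
    parts = []
    for row in con.execute(f'PRAGMA table_info("{table}")'):
        col = row[1]
        if col not in labels:
            raise ValueError(f"{table}.{col} has no classification label")
        handling = EXPORT_HANDLING[labels[col]]
        if handling == "plain":
            parts.append(f'"{col}"')
        elif handling == "masked":
            parts.append(f"'***' AS \"{col}\"")
        # "omit": the column is not selected at all
    return f'SELECT {", ".join(parts)} FROM "{table}"'


if __name__ == "__main__":
    db = build_db()
    print("unlabelled:", unlabelled_columns(db))
    # Label the forgotten column; only then can the export query be built.
    db.execute("INSERT INTO data_dictionary VALUES ('customer','notes','INTERNAL')")
    print(export_query(db, "customer"))
    print(db.execute(export_query(db, "customer")).fetchall())
```

The point of the design is that the RBAC, DLP or export tooling downstream never has to carry its own list of sensitive columns: it reads the label next to the data, and a column nobody has classified blocks the operation instead of silently passing through as unprotected.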
Related:
- ISO 27001 A 8.2.1 Classification of information
- ISO 27001 A 8.1.3 Acceptable use of assets
- Enforcement tooling