Information Classification and Labelling Policy
An organization shall define its Information Classification and Labeling Policy.
For example,
"All business information shall be classified and labeled based on the business requirement and sensitivity of the information as “Strictly Confidential”, “Confidential”, “Internal Use Only” or “Public”."
Information Classification
The classification level shall be defined by the relevant information owner in terms of the information's value, legal requirements, sensitivity, and criticality to the organization, using one of the classification levels defined under the information classification standards (e.g., Confidential, Internal Use Only, or Public).
The information owner shall reclassify information once the defined classification level no longer applies to the information.
Information Labeling
The Information Owner/Information Custodian shall label information immediately after creating it, as per the classification level.
The Head of the Business Unit shall be responsible for ensuring that the sectional documents (in any format, paper-based or electronic) are clearly labeled with the classification.
All unlabeled information shall be considered “Confidential” until it is classified under the appropriate category.
All older versions of documents and all unused or obsolete documents shall be clearly marked as “OBSOLETE” to avoid reference or usage by mistake.
The label shall comprise the following basic fields and shall be clearly visible.
- Name & Section of the Owner
- Date of preparation
- Date of expiry
- Archival period
- Classification Personal