EXPLORE what we know and do
EXPLORE what we know and do



Contact Us

COFFEE OR TEA? Drop by for a cup.

Blog February 03, 2016

Information classification – a precondition for a good cloud strategy

Every discussion I have been involved in over the past few years about “the road to the cloud” has included an element of fear.

As an information security consultant, I often wrestle with the other side of the cloud coin. The top side is mainly about opportunities, new business and bold business models. The down side is concern about where my data might be, what information I can put into the cloud, whether I can be sure that my cloud partner is handling my data responsibly, how do I get my data back when our relationship ends and what does the law say? Justified questions, but not in any way restrictive. My simple answer is often this: classify your information.

“Information classification can and should be viewed as a kind of risk analysis”

Of course, information classification does not answer all those anxious questions, but it does facilitate the choice of a cloud strategy and puts a price on the risks involved in the information management. Information classification can and should be viewed as a kind of risk analysis, in which an assessment is performed of the consequences that may arise if protection cannot be maintained.
The starting point is that not all information in an organisation needs the same level of protection. A central element of work on information classification is therefore to assess the value and sensitivity of the information. To achieve systematic information classification, a common model is required that includes all activities from information identification to implementing security measures.

 info clas

The figure above shows a general model for information classification (Source: www.informationssakerhet.se

“An important element of work on information classification is the creation of a register of information assets”

This is often referred to as information mapping. An information asset might be, for example, the database in the finance system, the public website, the document management system, the payroll and HR system or payroll lists.

There are many ways to map information. I recommend mapping information flows and identifying systems and assets through which the information passes and in which it is processed, thus building up a register of information assets. This method has advantages, as it takes into account which external parties and resources are involved in information management.

“Which information flow should be mapped is an important question”

I would start by mapping the information flow in my most important business process. For those organisations that do not have documented processes, there is usually an intuitive feel for which work processes are the most important for the organisation to perform its main task. For example, delivering products ordered on time to the right customers so that an invoice can be issued – From Order to Invoicing. The most important consideration is that there is well-defined input and output data for the series of work processes to be mapped. By documenting the activities performed, which information is used and which systems process data between Order and Invoicing, the information asset register is built up.

“When the information assets have been identified and recorded, it is important to confirm responsibilities for the information”

To achieve good information security, it is a good idea to designate roles to assume responsibility for the various parts of the organisation’s information management process, and above all for the information. Responsibilities for information are becoming increasingly important, as many organisations now opt for outsourcing or various kinds of cloud services. When classifying information, you must therefore also map out who is the information owner of various volumes of information and what demands this places on both internal and external handling of information.

Information classification involves classifying information, not systems or services. This classification then makes it possible for the information owner to make demands on system and service owners. The information classification model varies between organisations, but the basic elements are the same, for example there is always a correlation between consequences and protection.

Less serious consequences if an information asset is disclosed would mean more basic protection. More serious consequences require a higher level of protection. How high depends on the consequence. Ultimately, whether the asset is suitable for processing in the cloud is a risk assessment.

“To summarise, bear this in mind when creating a cloud strategy”

  • Consider Information Classification to be an element of risk analysis work.
  • Identify the information assets in the most important business process. The best way to do this is in a workshop with those responsible for information security, a legal advisor, IT manager, quality manager and personal data representative, all under the guidance of a moderator.
  • Classify the assets and identify the level of protection needed in order to assess the risks of processing data in the cloud.
  • Appoint information owners in order to implement information management requirements in day-to-day work.

Finally, a tip on a good Swedish source for support and inspiration in the task of developing a structured, systematic work process for information security – www.informationssakerhet.se.


Please get in touch if you have any thoughts on the subject. My colleagues and I are happy to take part in a discussion on how your organisation can not only survive, but be one of the winners in our wonderful new digitised world.

Kennet Wahlberg, Senior Advisor in the field of business continuity, information security and security awareness, Enfo Zipper.