Document ID: ISMS-POL-002 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Purpose and Scope
This policy establishes the requirements for identifying, classifying, labelling, and managing information assets throughout their lifecycle, in accordance with ISO/IEC 27001:2022 Annex A controls 5.9–5.14 and 7.8–7.14.
It applies to all information assets (data, software, physical hardware, services, and people) within the ISMS scope, and to all employees, contractors, and third parties who create, handle, store, or dispose of organisational information.
1. Asset Classification Scheme
All information handled by the organisation must be classified according to the scheme below. Classification determines the handling, storage, transfer, and disposal requirements that apply. When in doubt, classify at a higher level and consult the ISM.
| Classification | Definition | Examples | Handling Requirements |
|---|---|---|---|
| Public | Information approved by management for public release; no restriction on distribution | Company website content, published case studies, marketing brochures, press releases, job advertisements | No restrictions on sharing; may be published externally; no encryption required |
| Internal | Information intended for internal use only; not approved for external distribution without explicit authorisation | Internal procedures and runbooks, staff directories, meeting minutes, project plans, internal training materials | Share within the organisation only; do not send externally without line manager approval; standard password protection for stored files acceptable |
| Confidential | Sensitive business or client information; disclosure would cause measurable harm to the organisation or clients | Client contracts and DPAs, penetration test reports, financial statements, HR records, security assessment findings, board papers, M&A information | Encrypt in transit (TLS 1.2 minimum) and at rest (AES-256); NDA required before sharing externally; access restricted to named individuals with business need; log access where technically feasible |
| Restricted | Highest sensitivity; disclosure would cause severe harm to the organisation, clients, or individuals; strictly need-to-know | Active penetration test credentials, cryptographic private keys, zero-day vulnerability research prior to disclosure, board-level M&A data, law enforcement-sensitive investigations | Encrypt with AES-256 at rest and in transit using TLS 1.3; strict need-to-know — minimum possible number of people; dual-person access where feasible; every access must be logged; physical documents require cover sheet; destruction requires witnessed log |
2. Asset Types and Inventory Requirements
Every asset within the ISMS scope must be recorded in the Asset Inventory within five business days of acquisition or creation. The Asset Inventory is maintained by the ISM and reviewed at least annually, with System Owners responsible for confirming the accuracy of their assets each year.
| Asset Type | Examples | Minimum Inventory Fields |
|---|---|---|
| Information Assets (Data) | Client databases, financial records, penetration test reports, employee PII, intellectual property | Asset ID, Asset Name, Classification, Data Type, Owner, Location/Hosting Platform, Retention Period, Disposal Method |
| Software Assets | Operating systems, endpoint security tools, SIEM platform, SaaS applications, development libraries | Asset Name, Version, Licence Type and Expiry, Owner, Hosting Environment, Patch Status, Last Vulnerability Scan Date |
| Physical Assets | Laptops, desktop computers, servers, mobile phones, network hardware, printers, removable media | Asset ID, Asset Tag / Serial Number, Assigned User, Physical Location, Encryption Status, MDM Enrolled (Y/N), Procurement Date, Disposal Date |
| Service Assets | AWS tenancy, Azure subscription, Microsoft 365, VPN service, internet connectivity, DNS provider | Provider Name, Service Description, Contract / Subscription Expiry, Data Processed (classification), SLA, Security Tier (1/2/3), Renewal Owner |
| People Assets | Employees, contractors, third-party consultants | Role, Department, Employment Type (FTE/Contractor), Access Level, Security Clearance Level, Training Completion Status, Contract End Date |
3. Information Labelling Procedure
All information must be labelled with its classification at point of creation and maintained throughout its lifecycle.
Digital Documents:
- Insert classification label in the header or footer of every page (e.g., “CONFIDENTIAL — [Organisation Name] — Not for distribution”)
- Set document properties / metadata to include the classification
- File naming convention for Restricted documents: prefix with RESTRICTED_ (e.g., RESTRICTED_PenTest_ClientX_March2026.pdf)
Emails:
- Include the classification label as a prefix in the subject line
- Examples: [INTERNAL] Q1 Staff Update; [CONFIDENTIAL] Client Assessment Report — March 2026; [RESTRICTED] Vulnerability Disclosure Draft
- Microsoft 365 sensitivity labels must be applied where the tenant is configured to support them
Physical Documents:
- Stamp or printed label on the cover page: classification, document reference, and date
- For Restricted documents: classification label on every page (not just the cover)
- Confidential and Restricted documents must not be left unattended on desks or in printer trays
Storage Media:
- Physical label affixed to external hard drives, USB drives, and backup tapes stating: classification, asset ID, and owner
- All Confidential and Restricted media must have encryption applied and confirmed before labelling
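The labelling conventions above (subject-line prefix, header/footer label, RESTRICTED_ file-name prefix, and the "when in doubt, classify higher" rule from section 1) can be checked mechanically. The following is an added example written for this page, not a tool the organisation or the policy supplies; the regular expressions, the header text format, the organisation name and the sample file names and subjects are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Classification levels from the policy scheme, ordered lowest to highest.
LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
_LEVEL_ALT = "|".join(LEVELS)

# Email convention: classification in square brackets as a subject-line prefix.
SUBJECT_PREFIX = re.compile(rf"^\[({_LEVEL_ALT})\]\s+\S")
# Digital-document convention: label at the start of the header/footer text,
# e.g. "CONFIDENTIAL - Example Org - Not for distribution" (organisation name constructed).
HEADER_LABEL = re.compile(rf"^\s*({_LEVEL_ALT})\b")
# Restricted documents: file name must carry the RESTRICTED_ prefix.
RESTRICTED_FILE = re.compile(r"^RESTRICTED_[A-Za-z0-9_.-]+\.[A-Za-z0-9]+$")


@dataclass
class LabelCheck:
    classification: Optional[str]                        # level the item is labelled at, or None
    findings: List[str] = field(default_factory=list)    # deviations from the procedure


def highest(*levels: Optional[str]) -> Optional[str]:
    """Apply the 'when in doubt, classify higher' rule across several observed labels."""
    seen = [lvl for lvl in levels if lvl in LEVELS]
    return max(seen, key=LEVELS.index) if seen else None


def check_email_subject(subject: str) -> LabelCheck:
    """Parse the classification prefix from an email subject line."""
    m = SUBJECT_PREFIX.match(subject.strip())
    if not m:
        return LabelCheck(None, ["subject line has no [CLASSIFICATION] prefix"])
    return LabelCheck(m.group(1))


def check_document(filename: str, header_text: str) -> LabelCheck:
    """Check a document's header/footer label and, for Restricted items, its file name."""
    findings: List[str] = []
    m = HEADER_LABEL.match(header_text.upper())
    header_level = m.group(1) if m else None
    name_level = "RESTRICTED" if filename.startswith("RESTRICTED_") else None

    if header_level is None:
        findings.append("no classification label in header/footer")
    if header_level == "RESTRICTED" and not RESTRICTED_FILE.match(filename):
        findings.append("Restricted document file name lacks the RESTRICTED_ prefix")
    if name_level == "RESTRICTED" and header_level != "RESTRICTED":
        findings.append("file name is RESTRICTED_ but header label disagrees")
    # Conflicting labels resolve upwards, so the stricter handling rules apply.
    return LabelCheck(highest(header_level, name_level), findings)


def audit(items) -> List[dict]:
    """Run the checks over ("email", subject) / ("doc", filename, header) tuples;
    return only the non-compliant items."""
    report = []
    for item in items:
        if item[0] == "email":
            result = check_email_subject(item[1])
        else:
            result = check_document(item[1], item[2])
        if result.findings:
            report.append({"item": item[1], "classification": result.classification,
                           "findings": result.findings})
    return report


# Constructed sample set, not taken from any real mailbox or file share.
SAMPLES = [
    ("email", "[CONFIDENTIAL] Client Assessment Report"),
    ("email", "Q1 Staff Update"),                                    # missing prefix
    ("doc", "RESTRICTED_PenTest_ClientX_March2026.pdf",
            "RESTRICTED - Example Org - Not for distribution"),
    ("doc", "PenTest_ClientX_March2026.pdf",
            "RESTRICTED - Example Org - Not for distribution"),      # prefix missing
    ("doc", "board_pack.docx", "Prepared for the board meeting"),    # no label at all
]

if __name__ == "__main__":
    for entry in audit(SAMPLES):
        print(entry)
```

The header regex is anchored to the start of the header text so that an ordinary sentence containing the word "public" is not mistaken for a label; where a file-name prefix and a header label disagree, the item is reported and treated at the higher of the two levels.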
4. Acceptable Use Rules
4.1 Approved Devices
Organisational data classified Internal or above may only be accessed, stored, or processed on:
- Organisation-issued and MDM-enrolled devices, or
- Approved personal devices enrolled in MDM or accessing data exclusively via approved virtual desktop (VDI) with no local data storage.
4.2 Internet and Email Use
- The corporate internet connection and email system are provided for business purposes. Limited personal use during breaks is permitted but must not compromise security, reputation, or performance.
- Accessing illegal content, gambling sites, or sites flagged as malicious is prohibited and monitored.
- Confidential and Restricted information must not be sent via personal email accounts under any circumstances.
4.3 Cloud Storage
- Approved cloud storage services: Microsoft SharePoint Online, OneDrive for Business (for Internal and below), and SharePoint document libraries with appropriate permissions (for Confidential).
- Unapproved cloud storage services (Google Drive personal, Dropbox personal, iCloud, WeTransfer) are prohibited for Confidential or Restricted data.
- Restricted data must not be stored in cloud services unless specifically approved by the CISO with compensating controls in place.
4.4 Removable Media
- USB drives and portable hard drives may only be used for organisational purposes if they appear in the approved device list maintained by IT.
- All approved removable media must be encrypted using BitLocker To Go (Windows) or FileVault (macOS) before data is written.
- Lost or stolen removable media must be reported to the ISM within one hour of discovery.
4.5 Personal Devices (BYOD)
- Personal devices may access organisational email and calendar via Microsoft Outlook mobile app with MDM policy applied (Intune MAM) — no local data storage permitted.
- Personal devices may not be used to store, process, or transfer Confidential or Restricted data.
- The organisation reserves the right to remotely wipe the work profile on a personal device enrolled in MDM upon termination or security incident.
4.6 Software Installation
- Only software approved by IT and on the approved software list may be installed on organisational devices.
- Requests for new software must be submitted via the IT service desk; the IT Manager evaluates licence compliance and security risk before approval.
- Cracked, unlicensed, or pirated software is prohibited without exception.
4.7 Remote Working
- A VPN connection to the corporate network is required for accessing internal systems from outside the office.
- Employees must not work on Confidential or Restricted information in public spaces where screens may be viewed by others.
- Home routers must have the default admin password changed; WPA2 or WPA3 encryption must be enabled.
5. Asset Lifecycle
5.1 Acquisition
All new hardware, software, and services must undergo a procurement security check before purchase:
- Verify the vendor’s security posture (for SaaS or cloud services, review their security documentation or certifications).
- Confirm whether the asset will process Confidential or Restricted data; if so, engage the ISM before procurement sign-off.
- For software: check licence compliance; run software composition analysis if integrating into the development environment.
5.2 Registration
- Hardware: register in Asset Inventory within 5 business days of receipt; affix asset tag; apply encryption; enrol in MDM before issuing to user.
- Software / SaaS: register in Asset Inventory at point of subscription or installation; assign a System Owner.
- Data assets: classify and register when the dataset is first created or received; assign data owner.
5.3 Use
- All use must comply with this policy and the user’s role-specific access rights.
- Data must not be processed outside the approved hosting environment without ISM approval.
- Any change in use that increases the sensitivity of an asset (e.g., a previously Internal database now containing client PII) must trigger reclassification and notification to the ISM.
5.4 Transfer
- Internal transfer of Confidential or Restricted assets: approval from the current System Owner; update Asset Inventory with new owner and location.
- External transfer of Confidential assets: must use encrypted transfer method (TLS-protected portal, S/MIME or PGP email, or encrypted file with separately delivered password); log the transfer.
- External transfer of Restricted assets: CISO approval required; logged and documented.
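The transfer rules in 5.4, together with the per-classification handling requirements from section 1 (line manager approval before Internal information goes external), amount to a small decision table. The following is an added example written for this page, not part of the policy or any tool the organisation uses: the method identifiers, asset IDs and request fields are constructed, and it assumes that Restricted assets leaving the organisation must use one of the encrypted methods listed for Confidential assets, which the section 1 requirement to encrypt Restricted data in transit supports but 5.4 does not spell out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")

# Encrypted transfer methods named in 5.4 for external transfer of Confidential assets.
# The identifier strings are constructed for this example.
ENCRYPTED_METHODS = {"tls_portal", "smime_email", "pgp_email", "encrypted_file_separate_password"}


@dataclass
class TransferRequest:
    asset_id: str
    classification: str
    external: bool                       # recipient outside the organisation?
    method: str                          # one of ENCRYPTED_METHODS, or e.g. "plain_email"
    owner_approved: bool = False         # current System Owner (internal transfers)
    line_manager_approved: bool = False  # Internal information leaving the organisation
    ciso_approved: bool = False          # Restricted assets leaving the organisation


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    log_entry: Optional[dict] = None     # populated for Confidential and Restricted


def evaluate_transfer(req: TransferRequest, now: Optional[datetime] = None) -> Decision:
    """Apply the 5.4 transfer rules plus the section 1 handling rule for Internal data."""
    if req.classification not in LEVELS:
        # Unknown label: refuse rather than guess, consistent with 'when in doubt, classify higher'.
        return Decision(False, [f"unknown classification {req.classification!r}"])
    rank = LEVELS.index(req.classification)
    confidential_or_above = rank >= LEVELS.index("CONFIDENTIAL")
    reasons: List[str] = []

    if not req.external:
        if confidential_or_above and not req.owner_approved:
            reasons.append("internal transfer of Confidential/Restricted asset needs current System Owner approval")
    else:
        if req.classification == "INTERNAL" and not req.line_manager_approved:
            reasons.append("Internal information needs line manager approval before external transfer")
        if confidential_or_above and req.method not in ENCRYPTED_METHODS:
            reasons.append(f"external transfer must use an encrypted method, got {req.method!r}")
        if req.classification == "RESTRICTED" and not req.ciso_approved:
            reasons.append("external transfer of Restricted asset needs CISO approval")

    decision = Decision(allowed=not reasons, reasons=reasons)
    if confidential_or_above:
        # 5.4 requires the transfer to be logged; blocked attempts are recorded as well so
        # the log shows every request, not only those that went through.
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        decision.log_entry = {
            "timestamp": stamp, "asset_id": req.asset_id, "classification": req.classification,
            "direction": "external" if req.external else "internal", "method": req.method,
            "allowed": decision.allowed, "reasons": list(reasons),
        }
    return decision


# Constructed requests; asset IDs are placeholders, not from any real inventory.
SAMPLE_REQUESTS = [
    TransferRequest("AST-0001", "PUBLIC", external=True, method="plain_email"),
    TransferRequest("AST-0002", "INTERNAL", external=True, method="plain_email"),
    TransferRequest("AST-0003", "CONFIDENTIAL", external=True, method="tls_portal"),
    TransferRequest("AST-0004", "CONFIDENTIAL", external=True, method="plain_email"),
    TransferRequest("AST-0005", "RESTRICTED", external=True, method="tls_portal"),
    TransferRequest("AST-0006", "RESTRICTED", external=False, method="internal_share", owner_approved=True),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = evaluate_transfer(req)
        print(req.asset_id, "ALLOW" if d.allowed else "BLOCK", "; ".join(d.reasons))
```

The function returns every failed condition rather than stopping at the first, so a requester sees all of the approvals and method changes still needed; the log entry is what the Asset Inventory or SIEM would ingest as the "logged and documented" evidence.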
5.5 Disposal
Disposal of any asset that has stored Confidential or Restricted data requires a documented, verifiable process:
| Asset Type | Disposal Method | Evidence Required |
|---|---|---|
| HDD (non-encrypted) | Degauss and physical destruction by approved vendor | Certificate of Destruction from vendor |
| HDD (encrypted — BitLocker/FileVault) | Cryptographic erasure (destroy encryption key) then DBAN wipe (7-pass) | Wipe log with technician sign-off and asset tag |
| SSD / NVMe drive | ATA Secure Erase command (manufacturer tool) then physical destruction if Restricted | Destruction certificate; secure erase completion log |
| Mobile phone / tablet | MDM remote wipe; factory reset; confirm MDM shows device as wiped | MDM wipe confirmation screenshot; date and device serial number |
| Backup tapes | Physical destruction (shred or incinerate) by approved vendor | Certificate of Destruction |
| USB drives (Confidential data) | Physical destruction | Witnessed destruction log signed by ISM |
| Paper documents (Internal and above) | Cross-cut shredding meeting DIN 66399 Level P-4 minimum (4mm x 40mm particles) | Witnessed destruction; shredding service certificate for large volumes |
All disposal actions must be recorded in the Asset Inventory with the disposal date, method, and evidence reference.
6. Responsibilities
| Role | Responsibility |
|---|---|
| ISM | Maintain Asset Inventory; enforce this policy; conduct annual asset review; update classification scheme as required |
| System Owners | Register, classify, and maintain accuracy of assets under their ownership; ensure disposal is conducted per this policy |
| IT Manager | Execute secure disposal; maintain approved device and software lists; manage MDM enrolment |
| All Staff | Handle assets according to their classification; report lost, stolen, or damaged assets immediately to IT and ISM |
| HR | Trigger asset return process on staff departure; confirm return of all assets before final payslip release |
7. Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue |