top of page
  • Writer's picturevitormaleite

Classify information? Why bother?

Updated: May 5

Before we delve into the subject of this article, it's crucial to reflect on something highly important, as illustrated in the image below:

I love this illustration because, despite its simplicity, it conveys a lot of information. Shall we expand on it?

Every business, in its value chain, generates and processes information all the time, which can be found in reports, indicators, projects, financial statements, budgets, contracts, source code – the examples are countless.

To ensure the security of this information, we need to strike a balance between the three pillars: People, Processes, and Technology. To illustrate this balance, consider a Project Manager consolidating the status report of vulnerabilities identified in a penetration test conducted by a third-party company that was hired. Due to the sensitivity of the information in this report, it should only be accessible to those responsible for the systems involved in the tests, stored in authorized corporate locations, and sent to stakeholders only through encrypted means. But how do we know this? What can guide us in our daily routines on how this information should be handled and protected?

The answer lies in Information Classification. As the ABNT/NBR 27002:2022 itself indicates on page 27, section 5.12 Information Classification, its purpose is:

[...] Ensure the identification and understanding of information protection needs according to their importance to the organization [...]

Knowing this, if we revisit the fictional scenario we outlined, assuming that the company where the Project Manager works has a section in its Information Classification Policy with the descriptors below, how would you classify the vulnerability status report?:

Formato Digital






Information can be accessed by a specific group of people

Information can be accessed by all employees of the organization.

Information can be accessed by all team members


It must be transmitted to the specific group of people only through encrypted means

It must be transmitted to all employees only through encrypted means.

It should be transmitted to team members only through encrypted means


It can be stored only in the restricted corporate Sharepoint accessible to the specific group of peoples

It can be stored, for example, in th e company's document and intranet systems

It can be stored exclusively in the corporate Sharepoint restricted to members of your team


it must be securely removed using the 'XYZ' software

It can be removed using the standard operating system procedure

It should be securely removed using the "XYZ" software


If information is accessed by unauthorized individuals, whether accidentally or intentionally, it can result in financial, operational, reputational, legal, and security impacts for the company

If the information is accessed by unauthorized individuals, whether accidentally or intentionally, it can have legal and reputational impacts on the company

If the information is accessed by unauthorized individuals, whether accidentally or intentionally, it can cause operational, reputational, legal, and security impacts on the company


Health Data, Regulated Data, Financial Statements, Strategic Planning, Testing and Analysis Reports

Announcements, informative materials, and policy, process, norm, and procedure documentss

Projects, indicators, meeting minutes






If you answered 'Confidential,' you got it right.

As the report is intended for a specific group of people, the Project Manager, after presenting it to the system owners, should classify it as Confidential when sending it via email, as well as the report itself. Assuming that the fictional company in question uses Microsoft solutions, in the email and for the file, it would look something like this:

This way, no one other than the system owners will be able to access the file on the sent SharePoint. Furthermore, by selecting the email as 'Confidential,' behind the scenes, the behavior is that the email will be encrypted.

How beautiful is that?

Obviously, with the technology behind it, in the example I provided, Microsoft Purview, for didactic purposes, would make things much easier. Still, it's clear that it can be done without robust technologies. It might be more laborious, but the message I want to convey is that regardless of how it will be implemented, your company needs to have a policy and information classification process to ensure that information is handled securely throughout its life cycle.

For more details on the topic, I recommend consulting the references below:

ABNT/NBR 27002:2022

5.12 - Information classification

5.13 - Information labeling 5.14 - Information transfer

CIS Control 3 - Data Protection




= )

1 view0 comments


bottom of page