How are classified documents marked?

Get out of the policy - get into your heads! Successful introduction of information classification in the company


published in: 2011#6, page 12

Rubric: Management and Knowledge

Keyword: information classification

Summary: Information is the most important asset of a company today - development data, strategy plans, unpublished financial statements, etc. must be protected according to their high value. But first a correct and consistently "lived" classification is necessary.

Author: By Frank von Stetten and Andreas Schnitzer, Garching

Not all information has the same value: its meaning can be defined by the damage that the company would suffer if the information fell into the wrong hands - the greater this potential damage, the stronger security measures are justified or must be taken. For advertising brochures on the Internet, it makes sense to set a different protection requirement and invest less effort than for the latest results from the research department.

In order to be able to carry out appropriate risk assessment and security measures, one first needs a categorization of the value of information. In information security, this is usually done using confidentiality classes - a typical four-level system for corporate use is shown in Table 1.

Confidentiality classes
categoryPublicInternConfidentialStrictly confidential
Potential harmBecoming aware of the information has no negative impact.Becoming aware of the information can make one low to medium damage cause.Becoming aware of the information can make one great damage cause.Becoming aware of the information can make one existential damage cause.
examplePublications, brochuresPrice lists, process descriptions, organizational chartsPersonal data, balance sheet dataDevelopment data, corporate strategy

Table 1: Typical confidentiality classes in companies

The division into confidentiality classes (information classification) also makes it clear to every user of the information what damage the company can do if the information is handled carelessly or if this information becomes known undesirably. Associated with this are generally rules and guidelines (policies) for handling classified information in order to reduce the risk of unwanted disclosure.


Figure 1: Problem of an information classification that is not "lived"

But as long as classifications and rules for handling information are only present in the policies, but not in the minds of the employees, there are still high risks for an undesired outflow of information (see Fig. 1). During and after the introduction of information classification, those responsible for information security in companies and other organizations are confronted with three major challenges, which are explained below.

Classification of information

First of all, the person responsible for information (usually a manager) assesses the damage that can occur if the information falls into the wrong hands and creates specifications for the classification according to the damage potential.

For the actual classification of information, however, the creator of the information is usually required - the respective employee should define the confidentiality class when writing an e-mail, saving construction data or drawing up a balance sheet (according to the specifications of the information officer).

However, information is in a large part of the company Not classified when it was created, since most of the creators are not even aware of the confidentiality classes and their effects on the handling of the information. As long as the classification is not integrated into the daily work flow, it is often omitted or simply forgotten.

Identification of information

As a "consequential error" of a classification that was not carried out or was incorrectly carried out, most of the information is missing the marking according to its confidentiality class, although guidelines mostly provide for this.

Handling of information

As a consequence, further processing departments - even with good will - cannot always recognize the value of information and therefore often do not deal with it in accordance with the guidelines. As a result it can happen that the information

  • is not kept sufficiently secure,
  • Becomes accessible to people who do not belong to the defined group of users,
  • transmitted unencrypted (e.g. e-mail) or
  • is not appropriately and safely destroyed during disposal.

Unfortunately, the information classification is not "lived" in many companies and the information is therefore handled incorrectly and often in a security-threatening manner due to a lack of knowledge of its value and the associated processes.

Learning effects

The solution to these essential challenges lies in a multi-stage process, which is to be explained based on the learning model of the psychologist Alfred Bandura, according to which people can achieve four unconscious and conscious levels of competence, as listed in Table 2 and explained using examples.

stepGeneral exampleFor information classification
Unconscious incompetenceYou grow up in the jungle and you don't know what a car is. You can't drive, but you don't mind either.You do not know the information classes in the company. You don't mind either.
Conscious incompetenceYou come into town and see cars. You now know that you cannot drive a car.You know there are classes of information, but you don't know how to use them.
Conscious competenceYou attend a driving school and learn to drive. However, it is still difficult for you to exercise.You will learn the meaning of the individual classes and how to use them. In everyday life, however, you rarely or never use the classes.
Unconscious competenceYou are an experienced driver who drives safely on the motorway at 180 km / h without causing an accident.Information classification is anchored in your day-to-day work and has become an automatism.

Table 2: Levels of competence according to Bandura with examples

In order to bring the information classification from Bandura's level of "unconscious incompetence" to the desired level of "unconscious competence", it is necessary to take different measures in several stages. Because a mere publication of the information security guidelines usually only reaches the level of unconscious incompetence among employees: They often do not even notice that a new policy with confidentiality classes exists.

Figure 2: Multi-level measures to anchor the information classes (based on A. Bandura's learning model)

Classical training measures from the area of ​​security awareness (e.g. classroom training, web-based training, flyers or posters) enable the creators and users of information (thus generally all employees and managers) to learn the confidentiality classes and the associated effects on handling Know about information and understand it in principle: You now know that "confidential" information must be protected better than "internal" information and that one should be careful with whom one shares which information.

Although these "general measures" are well suited for basic awareness raising, they are generally not sufficient to induce employees to actively classify information: The handling has not yet been practiced, the associated understanding of one's own work environment is still very generic .

As a third step, the security department can offer "workshops on information classification" in the departments of the information officers. In such a two-hour workshop, for example, the employees of the HR department divide their most important information into the defined confidentiality classes and, under the guidance of the department head and moderated by the security officer, discuss the different perspectives on the value of this information.

Such an active engagement with the information classification usually causes a high level of concern among the workshop participants and creates an understanding for the application of the classes in their own area.


With these steps, in principle, all important measures have been taken to bring the information classification into the minds of the employees. The biggest challenge, however, is to keep this knowledge present in the mind and to anchor it in everyday work! If you ask around from information security officers, it becomes clear that this does not succeed in most cases: Initially, employees classify the information and ensure that it is handled correctly, but within a few weeks it reverts to the old habits.

This is where information classification tools can help: Software tools from various providers are now available on the market that support the classification and identification of documents and e-mails directly during their creation. These are mostly plug-ins for the four main Microsoft Office applications: Word, Excel, Powerpoint and Outlook. Because Microsoft Office is de facto the standard application in most companies worldwide and thus represents a central element in information lifecycle management - a large part of the information is provided with Outlook e-mails, Word documents, Excel tables and Powerpoint presentations processed in companies.

The tools are integrated into the Office programs and thus enable a "guided" classification by the users and a constant reminder of their necessity. The easiest way to meet the three challenges already described is by using helpful tools

  • Documents and emails classified as they are created,
  • marked according to their class (e.g. as "confidential") and
  • Depending on the classification, certain restrictions can or must be provided (e.g. forced encryption of "confidential" information).

Figure 3: Classification tools instruct employees to classify, label and handle information as soon as it is created (in the picture: Outlook plug-in from HvS-Consulting).

Even if Office plug-ins do not capture all of a company's information, experience with users shows that the continuous anchoring of the classification in everyday work also means that other types of documents (e.g. SAP reports or drawings) are usually actively classified and marked become.


The introduction of a functioning information classification in the company is a "hard nut" that can only be cracked by combining various measures. A mix of security awareness measures and workshops can convey the necessary knowledge and understanding, software tools can help to permanently anchor this knowledge in everyday life.

Frank von Stetten is the founder and board member of HvS-Consulting AG. Andreas Schnitzer is -27001-lead auditor and -25999-auditor as well as board member of HvS-Consulting AG (

back to content
© SecuMedia-Verlags-GmbH, 55205 Ingelheim (DE),
2011#6, page 12
tag:, 2007: lp: 2011-6-A