Information Asset Labeling A.8.2.2 27001

CyberDude

Guys, what is the best way to label assets? Here are a few of the challenges that I have faced:
1. Implementation started for a government organization, with millions of printed documents of different categories scattered across different locations, dating back to the 1970s. There are multiple owners; segregating, grouping and labeling each group will take a long time, maybe 20 years. A similar situation can be seen in the banking and insurance sectors, where they have only recently started accepting digital documents.

2. Labeling of documents or assets also puts the sensitive assets at more risk because they become identifiable now.

Any specific thoughts on this issue? While I understand that, as per Annex A, this can be put under exclusion too, auditors can challenge this exclusion without a proper justification. I would like to understand the implementation of this control from a broader perspective.
 

Richard Regalado

Trusted Information Resource

Hello CD!

Make an exclusion statement such as "Any documented information created before [the date of the start of implementation of the ISMS] is excluded from labelling, unless that document is retrieved and used. Then, it should be labelled and marked according to the relevant policies and procedures."
 