In the highly digitalized world in which we live today, information and information systems have become key assets to organizations. These assets need to be managed properly, because it is difficult to safeguard assets that an organization does not know exist, or whose value it does not know. In an Information Security Management System (ISMS), asset management is an important activity, as it aims at identifying information assets, assigning ownership of them and adding protection to them. Within asset management, one activity is information classification, whose objective is to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. In practice, this is usually done using a classification scheme, and the result is used as input to the risk analysis. Information classification is a well-known practice for all kinds of organizations, in both the private and the public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST SP 800.
However, information classification has received little attention from academia, and many organizations are struggling with its implementation. Little is known about why it is problematic, and how such issues can be addressed. Furthermore, the existing methods, as described in standards, for example, do not provide a coherent and systematic approach to information classification. The short descriptions in standards and literature alike leave out important aspects that many organizations need in order to adopt any kind of information classification. For instance, there is a lack of detailed descriptions regarding (1) an overview of procedures and concepts, (2) which roles are involved in the classification and how they interact, (3) how to tailor the method for different situations and (4) a framework that structures and guides the classification. If information classification is not implemented, the organization might not know what information it possesses or what that information is worth; even if it is implemented, an unclear approach can lead to information being undervalued or overvalued, which, in turn, leads to underprotected or overprotected information.
This thesis aims to increase the applicability of information classification by devising a method for information classification in an ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study has been performed in five cycles. The contributions so far include an identification of issues and enablers for information classification and a proposed component-based method for information classification. Furthermore, eight design principles underpinning an information classification method are presented. Additionally, an outline for further research is provided, where the objectives are to further develop the method by addressing the context around information classification (the risk analysis and security controls) and by adding usage views to the method. Finally, a security declaration is outlined as an addition to the information classification method, serving as a complement for tying security controls to the information classification scheme.
2017, p. 58