£199.99 £139.99 for one year of Unlimited learning. Offer ends on 14 November 2022 at 23:59 (UTC). T&Cs apply

Find out more
Information Classification
Skip main navigation

Information Classification


As part of an organization’s approach to preparing and maintaining an effective information security posture, it is necessary to determine which information needs to be protected and the level of that protection. Once this determination is made, the information can be appropriately classified.

The key to the classification process is the realization that not all information stored by the organization is sensitive. For example, how an organization treats the security of information related to the company picnic should differ substantially from how the organization treats the security of information related to the company’s finances. Classification of information determines which controls will be implemented when it comes to addressing the pillars of the CIA Triad or any other information security framework.

Organizations are increasingly able to use machine learning technologies to automatically classify and protect information. For example, products such as Azure Information Protection allow for the automatic classification and protection of data based on the evolving properties of that data. If Azure Information Protection is implemented and if a user types a credit card number into an Excel spreadsheet, the number is recognized as a credit card number, an appropriate classification is determined by the Azure Information Protection Agent, and an information protection template will automatically be applied.

While it is possible to manually classify information, automatic information classification mechanisms, especially those that utilize machine learning, have the advantage of being more consistent. It’s also possible to automatically reclassify information should a systematic classification error be uncovered, a task that would be as laborious and potentially error-prone as manually classifying information.

One of the keys to successfully implementing an information classification schema is to keep the classification rules relatively simple and to seek feedback from stakeholders within the organization who are deeply familiar with the properties of the information being classified. A simple classification scheme is more readily understood. Classification categories can often easily be extended if the existing schema is found to be too simplistic. Classification schemes should also be tested with small groups before being used more widely within the organization.

Once information is appropriately classified, organizations can then apply security controls to that information based on the classification. For example, information that is labeled “unclassified” has few security controls applied, and information labeled “legally sensitive” has stricter security controls applied.

This article is from the free online

Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education