Data and privacy



Classification of information

Information should be categorized based on legal needs, its importance, critical nature, and vulnerability to unauthorized disclosure or modification.

Labelling of information

An appropriate set of procedures for labelling information must be created and implemented according to the organization’s classification scheme.

Handling of assets

Procedures for asset handling should be developed and enforced in line with the organization’s classification scheme.

Management of removable media

Procedures for managing removable media should be implemented following the classification scheme adopted by the organization.

Disposal of media

When no longer needed, media should be disposed of securely using formal procedures.

Physical media transfer

During transportation, media containing information must be protected against unauthorized access, misuse, or corruption.

Information transfer policies

Formal policies, procedures, and controls should be established to secure the transfer of information through all communication channels.

Agreements on information transfer

Agreements should ensure the secure transfer of business information between the organization and external parties.

Protection of records

Records must be protected from loss, destruction, falsification, unauthorized access, and release, in compliance with legal, regulatory, contractual, and business requirements.

Privacy and protection of personally identifiable information

Privacy and protection of personally identifiable information must be guaranteed as required by relevant laws and regulations.