ISMS/01-policies/data-classification-and-handling-policy.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00


Title: Data Classification and Handling Policy
Document ID: [POL-DATA-CLASS-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Data Classification and Handling Policy

Purpose

This policy defines how BlackDice information must be classified, labelled where appropriate, handled, shared, stored, retained, and disposed of.

Scope

This policy applies to all information created, received, processed, stored, or transmitted within the ISMS scope, regardless of format or location.

Objectives

  • ensure information receives protection appropriate to sensitivity and business need
  • support consistent handling decisions across teams and systems
  • reduce the risk of inappropriate disclosure, alteration, or loss

Principles / Policy Statements

Information must be classified according to its sensitivity, business impact, legal obligations, and contractual requirements.

Handling requirements must align with the assigned classification and apply to storage, access, transfer, retention, and disposal.

Sensitive information must be protected when used in cloud services, engineering workflows, support processes, and customer assurance activities.

Data exports, logs, telemetry, and support artefacts must be reviewed to avoid unnecessary exposure of sensitive or regulated information.

Information shared with suppliers, customers, or operator-hosted environments must be subject to defined handling requirements and appropriate controls.

Roles and Responsibilities

  • Information owners must assign classifications and handling requirements where appropriate.
  • Users must handle information according to classification and approved process.
  • [Role] must maintain the classification framework.

Compliance / Exceptions

Exceptions to standard handling requirements must be formally approved where justified by business need and documented risk.

Monitoring and Review

This policy should be monitored through incident trends, transfer controls, retention practices, supplier review, and audit.

Related Documents

  • Information Security Policy
  • Information Transfer Policy
  • Privacy and Data Protection Policy
  • Data Retention Standard

Version Control

Version   | Date            | Description of Change | Author
0.1 Draft | [DD Month YYYY] | Initial draft.        | [Name or Role]