CIS Control 3.7: Establish and Maintain a Data Classification Scheme
Data classification is the foundation of effective information security. By labeling data as Sensitive, Confidential, or Public, you create a common language for protecting what matters most. Without clear classification, teams can't apply the right security controls—and auditors can't verify compliance.
What this means
This control requires you to create and maintain a formal data classification scheme across your organization. Classification labels should reflect the sensitivity and risk level of data, with common categories including Public (no harm if disclosed), Confidential (significant harm if disclosed), and Sensitive (severe harm if disclosed). The scheme must be documented, communicated to all personnel, and applied consistently across systems, databases, and applications to ensure appropriate protection levels are enforced.
How to comply
- 1.Define 3–5 data classification labels based on your organization's risk profile and regulatory requirements
- 2.Document the classification criteria, examples, and handling requirements for each label
- 3.Identify and inventory all data types, systems, and repositories in your environment
- 4.Assign a classification label to each data category using your defined scheme
- 5.Communicate the classification scheme to all employees and embed it in data handling policies
- 6.Map classification labels to specific protection controls (encryption, access restrictions, retention rules)
- 7.Implement technical or procedural mechanisms to enforce classification (metadata tagging, DLP tools, access controls)
- 8.Review and update the classification scheme annually or when new data types or regulations emerge
- 9.Train personnel on proper data classification and handling responsibilities
Evidence auditors look for
- Documented data classification policy with defined labels and criteria
- Data inventory spreadsheet or database with assigned classification levels
- System or application configurations enforcing classification rules (e.g., encryption for Sensitive data)
- Employee training records and acknowledgments of classification policy
- DLP or metadata tools showing data tagged with classification labels
- Audit logs demonstrating enforcement of classification-based access controls
- Annual review or update records for the classification scheme
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates data discovery and classification tagging across your infrastructure, eliminating manual inventory work and ensuring consistent labels tied directly to your access control policies.
See how GRCWatch handles this control automatically
Start free trial