Data Classification for ISO 27001, GDPR, NIS2 and DORA

The 2026 audit moment: “Show me the evidence”

It is February 2026, and the quarterly board meeting at a fast-growing fintech SaaS company is not going as smoothly as the CISO expected.

The company recently achieved ISO/IEC 27001:2022 certification. It has MFA, endpoint protection, vulnerability scans, access reviews, incident response procedures and a polished DORA readiness report. Then the CEO asks the question that changes the room.

“Our lead investor is asking how we can prove customer financial data is protected consistently across AWS, Azure, our SaaS support platform and the analytics warehouse. If an auditor pulls one file from object storage and another from a collaboration folder, how do we know they are governed by the same rules?”

The CISO opens the asset register. It lists databases, cloud accounts, applications, SaaS platforms and storage locations. But the classification field is incomplete. A few folders are named by department, not sensitivity. Customer exports sit beside internal reporting files. Some support spreadsheets contain customer identifiers, payment references and case notes, but they are labelled “internal.” DLP rules exist, but they trigger only on obvious patterns. The cloud policy says EU personal data must stay in approved regions, but the team cannot prove that residency rules are driven by classification metadata.

Then the compliance manager adds the regulatory angle: “Will this satisfy GDPR Article 32, NIS2 Article 21 and DORA ICT risk evidence?”

The honest answer is not yet.

This is the 2026 gap many organizations face. They have security controls, but not the governance layer that tells every control what to protect, how strongly to protect it and how to prove it. That governance layer is data classification and information labelling.

In ISO/IEC 27001:2022 terms, classification and labelling are not cosmetic document management practices. They are the practical bridge between risk assessment, access control, encryption, retention, DLP, cloud residency, supplier due diligence, monitoring and incident reporting. In Clarysec’s implementation model, they sit at the centre of the ISMS evidence chain: inventory the asset, assign an owner, classify it, label it, apply handling rules, monitor exceptions and show auditors the traceability.

Why classification and labelling are now board-level controls

Regulators and customers increasingly expect organizations to show that security measures are appropriate to the sensitivity of the data, the criticality of the service and the business impact of failure.

GDPR makes this explicit through accountability. Article 5 requires personal data to be processed lawfully, fairly and transparently, limited to what is necessary, retained only as long as needed and protected with appropriate technical and organisational measures. The controller must also be able to demonstrate compliance. GDPR Article 32 then becomes difficult to evidence without knowing which systems process personal data, which data is high risk or special category, where it is stored and which safeguards apply.

NIS2 raises the governance bar. Article 20 requires management bodies of essential and important entities to approve cybersecurity risk-management measures, oversee implementation and receive training. Article 21 requires appropriate and proportionate technical, operational and organisational measures, including risk analysis, security policies, incident handling, business continuity, supply chain security, security in acquisition and development, effectiveness assessment, cyber hygiene, training, cryptography, HR security, access control and asset management. Classification is not a separate checkbox in that list. It is the decision system that makes those measures proportionate.

DORA applies the same logic to financial entities and fintech ecosystems. Since 17 January 2025, DORA has required a documented ICT risk management framework, management body responsibility, policies for confidentiality, integrity, availability and authenticity, incident classification, resilience testing and ICT third-party risk management. For DORA-regulated financial entities, DORA can operate as the sector-specific Union legal act in place of overlapping NIS2 risk-management and reporting obligations, but the evidence expectation remains the same: show how critical information and ICT assets are identified, protected, tested, monitored and governed.

ISO/IEC 27001:2022 is well suited as the operating system for this evidence. Clauses 4.1 to 4.4 require the organization to understand internal and external issues, interested-party requirements, regulatory and contractual obligations and interfaces with other organizations. Clauses 6.1.1 to 6.1.3 require risk assessment, risk treatment, control selection, a Statement of Applicability and retained evidence. ISO/IEC 27001:2022

If GDPR, NIS2 and DORA ask, “Why did you apply these measures?” ISO/IEC 27001:2022 helps you answer, “Because these assets, data types, risks, obligations and treatment decisions led us here.”

Classification is the risk decision. Labelling is the operational signal.

Clarysec separates classification and labelling because auditors do.

Classification is the act of deciding the sensitivity, value and criticality of information. Labelling is the act of making that decision visible, persistent and enforceable in daily operations.

Clarysec’s Data Classification and Labeling Policy - SME states the purpose clearly:

This policy defines how all information handled by the organization must be classified and labeled to ensure its Confidentiality, Integrity, and Availability are maintained throughout its lifecycle.

The same Data Classification and Labeling Policy - SME requires organizations to:

Require every data asset to be classified according to its sensitivity and labeled accordingly to guide proper handling, storage, and access.

For enterprise environments, Clarysec’s P13 Data Classification and Labeling Policy defines the minimum classification model:

The organization shall maintain a standardized classification schema with clearly defined levels. At a minimum, the following classification tiers must be used: 5.1.1 Public: Information intended for open publication and unrestricted distribution 5.1.2 Internal: Non-public business information not intended for external release 5.1.3 Confidential: Sensitive business, contractual, or customer data requiring strict access control 5.1.4 Restricted (or Highly Confidential): Critical or regulated information where unauthorized disclosure could result in significant harm or legal liability

That distinction matters. A “Confidential” classification may require encryption, role-based access and contractual safeguards. A “Restricted” classification may trigger MFA, CISO approval for external sharing, enhanced logging, stronger retention governance, segregation and priority incident escalation.

The enterprise policy is explicit about operational labelling:

All information assets must be labeled in a manner that is: 6.2.1.1 Persistent: Not easily removed or overridden 6.2.1.2 Visible: Clear to users at the point of use 6.2.1.3 Machine-readable: Where possible, metadata-based tagging must be supported

Machine-readable labels are where the program matures from awareness to enforcement. If labels are metadata-based, cloud platforms, DLP systems, email gateways, identity tools, SIEM rules, CASB platforms and retention engines can act on them. If labels are only a footer in a document, they may help users, but they cannot reliably enforce rules at scale.

Where classification belongs in the Clarysec roadmap

Clarysec’s Zenith Blueprint: An Auditor’s 30-Step Roadmap places classification early in the risk management lifecycle, not after technology deployment. In the Risk Management phase, Step 9, “Identifying Assets, Threats, and Vulnerabilities,” the roadmap directs teams to inventory information assets and record owner, location and classification.

This prevents a common failure: having a cloud inventory but not an information inventory. A database, SaaS tenant or data warehouse is a technology asset. The customer records, employee files, payment logs, model training datasets, support transcripts and incident evidence inside them are information assets. Classification lives at that information level.

The Zenith Blueprint guidance on ISO/IEC 27002:2022 control 5.12, Classification of information, explains the principle:

Every information security control ever written, access restriction, encryption, backup, monitoring, or disposal, assumes one thing: that the organization knows what it is protecting. Control 5.12 requires that information be classified based on its value, sensitivity, and criticality , forming the bedrock for all subsequent decisions within the ISMS.

For ISO/IEC 27002:2022 control 5.13, Labelling of information, the same roadmap turns classification into daily behavior:

Labelling is how you convert abstract policy into operational reality. It’s the moment when a user, upon seeing a document, email, database field, or printed report, can tell at a glance: what this information is, how sensitive it is, and how it should be treated.

The final roadmap connection appears in Step 13, “Risk Treatment Planning and Statement of Applicability.” The Zenith Blueprint describes the SoA as the bridge between risks, treatments and controls. This is where classification becomes audit traceability. A risk scenario such as “unauthorized disclosure of customer financial data from shared cloud storage” can be mapped to classification, labelling, access control, encryption, logging, DLP, cloud use, supplier requirements and incident response.

The control relationships auditors expect to see

In Clarysec’s Zenith Controls: The Cross-Compliance Guide, ISO/IEC 27002:2022 control 5.12, Classification of information, is mapped as a preventive control supporting confidentiality, integrity and availability. It is associated with the Identify cybersecurity concept, Information Protection operational capability and Protection and Defense security domains.

For ISO/IEC 27002:2022 control 5.13, Labelling of information, Zenith Controls maps the control as preventive, focused on Protect, with the same information security properties and Information Protection operational capability.

The critical insight is that classification and labelling are not isolated. They make surrounding controls defensible.

Zenith Controls maps control 5.12 to GDPR Article 32 and Recital 83, NIS2 Article 21(2)(a) and 21(2)(f), ISO/IEC 27701 Annex B, NIST SP 800-53 MP-3 and PM-11, FIPS 199 and NIST SP 800-60, and COBIT 2019 DSS06.06 and APO13.01. It maps control 5.13 to GDPR Article 32, NIS2 Article 21(2)(a) and 21(2)(f), DORA Article 9(1) and 9(2), NIST SP 800-53 MP-3 and COBIT 2019 DSS06.06.

That means one evidence set can answer multiple assurance questions.

The asset register is where classification becomes evidence

Many classification programs fail because the classification scheme exists only in a policy. Clarysec’s approach begins with the asset inventory.

Clarysec’s P12 Asset Management Policy requires the asset inventory to include classification level as a minimum field:

The Asset Inventory must contain, at a minimum: 5.3.1 Asset ID, category, and type 5.3.2 Serial number or unique tag (for physical assets) 5.3.3 Software version or license key (for software assets) 5.3.4 Asset Owner 5.3.5 Classification level (Public, Internal, Confidential, Restricted) 5.3.6 Location (physical, virtual, cloud) 5.3.7 Lifecycle status (active, in maintenance, retired)

This aligns directly with ISO/IEC 27001:2022 risk planning. If you cannot identify the information asset, owner, location and classification, you cannot consistently assess likelihood, impact, treatment priority or residual risk. You also cannot confidently decide whether a supplier arrangement, cloud service or SaaS integration affects regulated information.

For GDPR, this supports accountability. Article 30 records of processing and Article 32 security measures become more credible when the asset register identifies where personal data is processed and how it is protected. For DORA, the same register supports ICT asset and service criticality, resilience testing scope and third-party dependency analysis. For NIS2, it supports risk analysis, access control and asset management.

This kind of record changes the tone of an audit. Instead of saying, “We believe sensitive data is protected,” the organization can show what the data is, who owns it, why it is Restricted, which controls apply and when those controls were last reviewed.

Labels must drive cloud and SaaS handling rules

Most sensitive data now moves through cloud platforms, SaaS applications, analytics pipelines and collaboration tools. A policy that tells users to “handle confidential data carefully” is not enough.

Clarysec’s P27 Cloud Usage Policy connects cloud use directly to classification and data residency:

Data Classification and Residency 6.6.1 No data may be moved to a cloud platform without classification in accordance with the Data Classification and Labeling Policy (P13). 6.6.2 Data residency requirements must be enforced contractually (e.g., EU-only storage for GDPR-regulated data). 6.6.3 Cross-border data transfers must comply with GDPR Chapter V and, where applicable, DORA Article 28.

This matters because cloud risk often enters through convenience. A team exports a dataset to a new analytics tool. Sales syncs customer lists to an automation platform. A developer copies production data into a test environment. Without classification and labelling, these actions may not trigger legal review, security approval or supplier checks.

The Data Classification and Labeling Policy - SME gives smaller organizations a simple implementation pattern:

Shared folders or cloud drives must use folder names or tags to indicate classification (e.g., “/Clients_Confidential”).

For mature environments, folder names should be supplemented by machine-readable labels, conditional access policies, external sharing blocks, encryption, retention labels, DLP rules and logging. The goal is not merely to label information. The goal is to make the label actionable.

A “Restricted” label might trigger external sharing blocks, encryption at rest and in transit, MFA, download restrictions on unmanaged devices, audit log retention, SIEM alerts, retention rules, supplier location limits and incident severity escalation.

The P13 Data Classification and Labeling Policy sets the baseline:

All data handling, transmission, access, storage, and disposal of information must align with its classification level. At a minimum: 6.3.1.1 Public: May be disclosed freely; no special handling required 6.3.1.2 Internal: Shared within the organization; stored in secure internal systems 6.3.1.3 Confidential: 6.3.1.3.1 Access restricted to authorized personnel only 6.3.1.3.2 Must be encrypted in transit and at rest 6.3.1.3.3 May only be shared externally under an NDA or equivalent contractual safeguards 6.3.1.4 Restricted: 6.3.1.4.1 Highest security requirements apply 6.3.1.4.2 Strong access controls, multi-factor authentication (MFA), and audit logging are required 6.3.1.4.3 Physical and logical segregation where feasible 6.3.1.4.4 External sharing is prohibited without CISO approval

Each label has a behavior. Each behavior has a control. Each control has evidence.

A practical enforcement example

Consider a fintech analyst who creates Q3_2026_Customer_Churn_Analysis.xlsx. The spreadsheet includes customer IDs, transaction volumes and predictive churn scoring.

The analyst classifies it as Confidential because it contains customer data and strategic analysis. Using the company’s information protection tool, the analyst applies the Confidential label. Because the label is persistent, visible and machine-readable, controls activate automatically.

The file is encrypted at rest on the device and in cloud storage. A visible header marks it as Confidential. When the analyst tries to sync it to a personal cloud drive, a DLP rule blocks the action and logs the attempt. When the analyst tries to email it to an external non-partner domain, the email gateway quarantines the message and alerts security operations. If the file is later reclassified as Restricted because it contains regulated financial transaction data, external sharing is disabled unless the CISO or data owner approves the exception.

This is the proof the CEO wanted. It is traceable, automated and tied to a board-approved policy. It also aligns with P27 Cloud Usage Policy, because no cloud movement is permitted without classification and cross-border transfers must meet GDPR Chapter V and, where applicable, DORA Article 28.

Build a classification-to-control matrix in one week

A full program takes time, but a focused sprint can create the evidence spine before an audit, customer review or regulatory assessment.

Day 1: Confirm the classification scheme

Start with four tiers: Public, Internal, Confidential and Restricted. Use P13 Data Classification and Labeling Policy as the baseline. Define criteria using business impact, legal impact, contractual sensitivity, personal data risk, service criticality and financial harm.

Day 2: Select ten critical information assets

Use Zenith Blueprint Step 9. Include a customer database, support ticket system, HR platform, identity provider, payment export, data warehouse, object storage bucket, board reporting folder, source code repository and incident evidence repository. Record owner, location, classification and GDPR relevance.

Day 3: Map handling rules

Define handling requirements for access, storage, transfer, monitoring and disposal.

Day 4: Configure one technical enforcement path

Choose one platform, such as a cloud document repository, email system or object storage service. Implement visible and machine-readable labels. Configure one rule for Confidential data and one rule for Restricted data. For example, require encryption for Confidential external emails and block external sharing of Restricted files.

Day 5: Update the risk register and SoA

Use Zenith Blueprint Step 13. Add classification and labelling controls to the Statement of Applicability. Link them to risks such as unauthorized disclosure, cloud misconfiguration, supplier overexposure, data retention failure and incident under-reporting.

Day 6: Test the control

Create a test file labelled Restricted. Attempt to share it externally from an unmanaged device. Confirm whether the tool blocks, warns, logs or escalates. Capture screenshots, log entries and ticket evidence. If the control fails, record the exception and remediation plan.

Day 7: Train the first-line users

Training should be role-specific. Developers need to know when production data cannot be used in test environments. HR needs to understand why employee files are Confidential or Restricted. Sales needs to know why customer exports cannot be uploaded into unapproved SaaS tools. Executives need to understand why board packs, acquisition files and investor data require stronger handling.

This sprint does not complete the whole program, but it creates the evidence spine: policy, inventory, labels, handling rules, technical enforcement, risk traceability and training.

How auditors will test classification and labelling

Auditors rarely test classification in isolation. They follow the data.

An ISO/IEC 27001:2022 auditor will connect classification to ISMS scope, interested-party requirements, legal and contractual obligations, risk assessment and the Statement of Applicability. They will expect evidence for ISO/IEC 27002:2022 controls 5.9, 5.12, 5.13, 5.14, 5.15, 5.34 and relevant technical controls. Typical evidence includes approved policies, asset inventory records, risk register entries, labelled samples, handling rules, access reviews, internal audit findings and corrective actions.

A GDPR reviewer will focus on personal data. They will ask whether personal data is identified, whether special category data is distinguished, whether retention rules align with purpose and whether Article 32 security measures are appropriate. Classification helps separate ordinary business information from personal data, sensitive personal data, confidential customer data and regulated records. Labelling helps operational teams avoid accidental disclosure, over-retention and unauthorized transfer.

A NIST CSF 2.0 assessor will likely frame classification under GOVERN, IDENTIFY and PROTECT. They may ask whether Current and Target Profiles define sensitive data discovery, whether label enforcement works across SaaS and cloud systems, whether suppliers handle data according to classification and whether monitoring priorities adjust based on sensitivity.

A COBIT 2019 or ISACA-style auditor will emphasize governance objectives, process ownership, control design and operating effectiveness. Zenith Controls maps inventory control 5.9 to COBIT 2019 BAI09.01, BAI09.02 and DSS05.04, and references ISACA ITAF 2204 and 2301. For classification, Zenith Controls maps control 5.12 to COBIT 2019 DSS06.06 and APO13.01, while labelling maps to DSS06.06. The auditor will ask who owns the process, how exceptions are approved, whether performance is monitored and whether management receives reporting.

A DORA-focused reviewer will ask which information assets support critical or important functions, which data is Restricted, which ICT third-party providers store or transmit that data, whether contracts define locations and security measures, whether testing is scoped to critical data and whether incidents are classified partly by data loss across availability, authenticity, integrity and confidentiality.

If the answers come from one classification-driven asset and supplier evidence model, audits become faster, more consistent and more defensible.

Common failure patterns

Classification failures usually happen because organizations treat labels as awareness tools instead of control signals.

First, they classify documents but not databases, APIs, logs, backups, exports or SaaS records. Sensitive data in a debug log can be as damaging as sensitive data in a spreadsheet.

Second, they label information but do not connect labels to access control. A Restricted label with open access proves that the organization knew the sensitivity and failed to enforce the handling rule.

Third, cloud migrations happen before classification. Teams move data into new SaaS tools without confirming residency, supplier terms, subprocessor access, cross-border transfer requirements or deletion rights. P27 Cloud Usage Policy directly addresses this by prohibiting movement to cloud platforms without classification.

Fourth, incident response plans ignore classification. If severity criteria do not include data sensitivity, incident teams waste time discovering what was affected during a crisis. GDPR breach analysis, NIS2 incident handling and DORA incident classification all benefit from fast data context.

Fifth, the SoA does not explain why classification and labelling controls are applicable. The organization may have implemented labels, but the SoA fails to connect them to GDPR Article 32, NIS2 Article 21, DORA ICT risk, customer contracts or specific risk scenarios.

Management reporting: make classification visible

NIS2 and DORA make cybersecurity a management accountability issue. ISO/IEC 27001:2022 also requires leadership commitment, policy alignment, resources, roles and performance reporting. Classification metrics should therefore reach management review.

Useful metrics include:

• Percentage of critical information assets with assigned owners.
• Percentage of assets with approved classification.
• Number of Restricted assets without enhanced logging.
• Number of Confidential or Restricted repositories with external sharing enabled.
• Percentage of suppliers processing Confidential or Restricted data with updated contractual clauses.
• Number of classification exceptions and overdue remediation actions.
• DLP incidents by label.
• Access review completion for Restricted assets.
• Cloud storage locations for GDPR-regulated data.
• Incident response exercises that used classification-based severity criteria.

These metrics support ISO/IEC 27001:2022 management review, NIS2 management oversight, DORA governance reporting and customer assurance. They also make classification understandable to executives. Leadership can act faster when they see that multiple Restricted repositories lack tested recovery or that critical suppliers process customer data without confirmed EU storage.

From policy to proof

The Clarysec implementation pattern is evidence-led:

1. Define the classification scheme in the P13 Data Classification and Labeling Policy or start with the Data Classification and Labeling Policy - SME.
2. Add classification to the asset inventory using P12 Asset Management Policy.
3. Apply cloud restrictions and residency requirements through P27 Cloud Usage Policy.
4. Use Zenith Blueprint Step 9 to identify information assets, owners, locations and sensitivity.
5. Use Zenith Blueprint Step 13 to map risks to controls in the SoA.
6. Use Zenith Blueprint Step 22 to implement ISO/IEC 27002:2022 controls 5.12 and 5.13 in daily operations.
7. Use Zenith Controls to map the same evidence to GDPR, NIS2, DORA, NIST CSF, COBIT 2019 and supporting standards.
8. Test label enforcement, access restrictions, logging, DLP and incident triage.
9. Report classification performance to management.
10. Review classification after major system, process, supplier or regulatory changes.

This works because classification becomes the shared language between business value, legal obligation, technical control and audit evidence.

If your organization is preparing for ISO/IEC 27001:2022 certification, GDPR assurance, NIS2 readiness, DORA customer due diligence or a combined compliance audit, start with one question:

Can you show, for every critical information asset, what it is, who owns it, where it is, how it is classified, how it is labelled, who can access it, how it is protected, how long it is retained, which supplier touches it and what happens if it is exposed?

If the answer is not yet, Clarysec can help you build the evidence chain quickly and defensibly.

Use the Data Classification and Labeling Policy - SME, P13 Data Classification and Labeling Policy, P12 Asset Management Policy, P27 Cloud Usage Policy, Zenith Blueprint: An Auditor’s 30-Step Roadmap and Zenith Controls: The Cross-Compliance Guide to turn classification from a static policy into an operational control layer for GDPR Article 32, NIS2 cyber risk management and DORA ICT risk evidence.

The best time to classify data was before the audit request arrived. The next best time is before the next cloud migration, supplier onboarding, customer questionnaire or incident.