Under ISO 27001, data classification is a compulsory part of the standard. Guidelines for data sanitization, such as NIST SP 800-88, and norms for data destruction, such as ISO/IEC 21964, refer to the categorization of information and information systems.
Large government and military organizations are familiar with the concept of data classification. In the past few years, data classification has become a basic element of risk management for other public and private organizations as well. Data classification has shifted from being “nice to have” to being a necessity. That tendency has been accelerated by the GDPR for companies handling data of EU citizens. Now private companies and organizations are adopting and implementing data classification based on methods and schemas that have worked well for the public sector.
But what is the difference between data classification and categorization? How do the different standards define it in relation to sanitization? Why does NIST insist on categorization of systems as the starting point for the sanitization of media? And is ISO/IEC 21964 similar to NIST?
Read more in our PDF, which you can download for free: