Data Classification
Classify data based on sensitivity and criticality.
9 of 9 frameworks cover this control
Framework Mappings
How Data Classification maps to each of the 6 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | ID.AM-05 |
| ISO 27001 | Covered | A.5.10 A.5.12 A.5.13 |
| CIS v8 | Covered | CIS 3.1 CIS 3.7 |
| SOC 2 | Covered | CC6.1 CC6.5 |
| PCI DSS | Covered | 3.2.1 3.3.1 3.4.1 9.4.1 |
| CMMC | Covered | MP.L2-3.8.1 MP.L2-3.8.2 |
| 800-53 | Covered | RA-2 SC-16 |
| HIPAA | Covered | §164.312(a)(1) |
| GDPR | Covered | Art.9(1) Art.5(1)(c) |
About Data Classification
Data Classification is a cybersecurity control in the Identify domain. Classify data based on sensitivity and criticality. Data classification assigns sensitivity levels such as public, internal, confidential, and restricted to information assets, enabling organizations to apply proportionate security controls based on the data's value and regulatory requirements. A well-implemented classification scheme drives decisions about encryption, access controls, retention policies, and handling procedures throughout the data lifecycle. Organizations should establish clear labeling standards, train employees on classification responsibilities, and use automated tools such as data discovery and DLP solutions to enforce classification policies consistently.
This control is recognized by 9 of the 6 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR. It has full coverage across all 9 frameworks.