1. Define your classification levels

Start by selecting and naming the levels you will use, commonly something like Public, Internal, Confidential, and Restricted (or equivalent). For each level, add a short, plain‑language definition that captures how sensitive the data is and what would happen if it were exposed, changed, or lost.

Keep the number of levels manageable (usually three to four) so users can choose confidently without overthinking. Too many levels make classification hard to apply in practice.

2. Set criteria and examples for each level

Next, describe the criteria for assigning data to each level, for example, “contains customer PII,” “disclosure would cause financial loss,” or “approved for public distribution.” Add concrete examples: product marketing pages, internal roadmaps, CRM records, employee HR files, production database backups, etc.

These examples play the same role that risk categories and descriptions play in the risk register template: they help users apply the framework consistently across teams.

3. Define roles and responsibilities

In the template’s roles section, specify who:

1. Owns the policy (often Security or GRC)
2. Acts as data owners for key systems or datasets
3. Maintains the data inventory and classification records
4. Enforces handling rules and responds to violations

This is your equivalent of assigning risk owners and an overall register owner in the risk register guide. Clear ownership prevents classification from becoming “everyone’s job and no one’s job.”

4. Document handling requirements for each level

For each classification level, define the minimum required controls in the template. Typical dimensions include:

1. Who may access the data (roles/groups)
2. Where it may be stored (approved systems, regions)
3. How it must be protected (encryption in transit/at rest, MFA, logging)
4. How it can be shared (internal only, with NDAs, public)
5. How long it must be retained and how it is disposed of

This section is where classification ties directly into other policies, such as access control, backup, incident response, and acceptable use.

5. Describe your data inventory and classification process

Use the template to outline how you will maintain an inventory of systems and datasets and record their classification. At a minimum, describe:

1. How new systems or data sources are onboarded and classified
2. How existing systems are reviewed and updated
3. How changes (like new data fields or integrations) trigger re‑classification

This aligns directly with DATA‑1, which requires you to define and document a process to classify all data and systems and maintain an inventory.

6. Set review and update cadence

Finally, fill in the review and maintenance section of the template. Define:

1. How often the policy itself is reviewed (for example, annually)
2. When classification or inventory updates are required (e.g., new system launches, regulatory changes, M&A, large product changes)
3. Who is responsible for carrying out and documenting those reviews

Just like a risk register, your classification policy should be a living document that evolves with your business, not a one‑time exercise.