The importance of records in information classification – “if you have not documented it, you have not done it”

Abstract

Purpose This paper aims to examine what contextual knowledge should be documented during the information classification process and how such knowledge can be structured to support information security risk management. Although many tools support documentation of basic classification outputs, they often lack functionality for capturing decision rationales or supporting classification discussions to be kept in a record. Design/methodology/approach The study used a qualitative approach. Data were collected through 16 semi-structured interviews with information security professionals and observations of 14 tool demonstrations. A thematic analysis was conducted and guided by an existing classification method based on ISO/IEC 27002. Findings The study identifies a range of contextual knowledge that practitioners consider important to document, including the classification level, decision rationale and responsible roles. Furthermore, it proposes a structured approach consisting of recommended contextual knowledge to include in a classification record, which may serve as a starting point for organisations conducting information classification. Finally, the study contributes procedural knowledge by clarifying how classification decisions are documented and what information should be retained. Originality/value This study addresses an identified gap in both research and practice by specifying what contextual knowledge should be documented during information classification. It provides practical guidance for improving documentation practices and highlights opportunities for tool development in information classification.