Data Classification
Controls & Security · Last updated 2026-05-17

Data classification is the practice of categorizing information by sensitivity so that appropriate protections can be applied to each category. Most schemes use three or four levels, such as Public, Internal, Confidential, and Restricted, and each level defines the handling controls required for storage, transmission, access, and disposal.

SOC 2 audits expect three things: a documented classification policy, evidence that data is actually labeled according to that policy, and verification that the controls tied to each level are enforced in practice. Common classification-driven controls include encryption requirements for Confidential and Restricted data, restricted access lists for Restricted repositories, prohibitions on copying sensitive data to personal devices, and specific disposal requirements for media containing protected information.

Classification is foundational for the Confidentiality and Privacy Trust Services Criteria, but it also informs Security controls, since access decisions and monitoring rules depend on knowing which data is sensitive.

Auditors test classification by sampling data stores and verifying that labels match the content actually held, reviewing access logs against the access rules for each level, and confirming that disposal records exist for retired media that contained classified data. A label that does not match the content, or a Restricted store whose access log shows users outside its access list, is a finding even when the policy document itself is sound.