Information classification
To ensure that our information management is secure, efficient and compliant with applicable laws and regulations, regular information inventories and classifications are carried out on a two-year cycle. This process helps identify and protect information within our organisation and is a central part of our information security work.
Information classification – the foundation for secure information management
Information classification helps us understand what information we hold, how sensitive it is, and how it should be handled. The goal is to ensure that information is protected at the appropriate level during storage, sharing, and use in our digital tools – especially when using cloud services, where an additional assessment must always be made.
Through information classification, we can:
- establish safer routines for information handling
- gain a better overview of information in our IT systems
- set appropriate requirements for IT and information security
- make well-informed decisions about security measures
Information classification is an important part of the university’s risk management.
How we work with information classification
The work is based on Swedish Civil Defence and Resilience Agency’s (MCF) methodological guidance and is carried out in three steps:
- Inventory information – identify what information is handled, where it is stored, and in which systems
- Classify information – based on confidentiality, integrity, and availability
- Document and follow up – to provide input for risk analyses and mitigation measures
The section for Information and IT Security Security provides support through templates, guidance, and training.
Important to know
- Information classification concerns how information should be protected, not what may be disclosed.
- Confidentiality refers to the sensitivity of information during storage and sharing – not to secrecy under the Public Access to Information and Secrecy Act (OSL).
- All handling of official documents is carried out in accordance with applicable laws and guidelines at Stockholm University.
Support and classification table
Use the classification table when creating or managing information, for example in M365, Box, or other cloud services.
When using cloud services, it is particularly important to carry out an additional assessment of the information’s level of protection and associated risks.
Download the information classification table (PDF) pdf, 601.5 kB.
Read more about personal data on the Swedish Authority for Privacy Protection (IMY)
Why it matters
When we classify information in the same way across the entire organization, we can prioritize the right security measures, use our resources efficiently, and comply with applicable regulations.
Information classification creates structure and clarity – and contributes to a more secure and resilient university.