Chat with Experta

User
How to structure a Classification Policy?
Experta
A Classification Policy is not a mandatory document according to ISO 27001; however, it is a good practice for mid-sized and larger companies to write such a document in order to cover controls A.5.12 Classification of information, A.5.13 Labelling of information, and A.8.11 Data masking.

A Classification Policy typically includes the following:
- Classification steps
- Responsibilities for classification and labeling
- Classification criteria
- Confidentiality levels
- Reclassification
- Information labeling
- Rules for handling classified information
- Data masking

Examples:
For example, the Information Classification Policy could support ISO 27001 control A.8.11 Data masking by determining which data are sensitive and what categories of data need to be masked.