Classification Policy is not a mandatory document according to ISO 27001, however it is a good practice for mid-sized and larger companies to write such a document in order to cover controls A.5.12 Classification of information and A.5.13 Labelling of information.

Classification Policy typically includes the following:
- Classification steps
- Responsibilities for classification and labeling
- Classification criteria
- Confidentiality levels
- Reclassification
- Information labeling
- Rules for handling classified information
- Data masking