Information Security

Information Classification

AWARE7 GmbH classifies information into four security levels, aligned with the Traffic Light Protocol (TLP), to ensure the protection of sensitive data.

Why information needs to be classified

Not every piece of information within a company requires the same level of protection. A public blog post demands different measures than an internal audit report or a penetration test result. Information classification creates a binding framework for evaluating data based on its value, sensitivity, and the impact of unauthorized disclosure — and for deriving appropriate protective measures.

Regulatory requirements make classification mandatory: ISO/IEC 27001 requires a documented classification scheme in Annex A (Control 5.12). The German BSI IT-Grundschutz defines protection requirement categories as the foundation for risk management. The GDPR demands appropriate technical and organizational measures for personal data protection — without classification, this appropriateness cannot be determined. And the NIS2 Directive requires risk-based information security in critical sectors, which is not achievable without classification.

The Traffic Light Protocol (TLP)

Our classification scheme is aligned with the Traffic Light Protocol (TLP) — an internationally established standard for the secure exchange of sensitive information. TLP was originally developed by the British National Infrastructure Security Co-ordination Centre (NISCC) and is now used by the German BSI, the Alliance for Cyber Security, and organizations worldwide.

The principle is simple: four color levels indicate how far information may be shared — from TLP:CLEAR (free to share) through TLP:GREEN (organization-internal) and TLP:AMBER (named recipients only) to TLP:RED (strictly confidential, direct recipients only). This creates a shared understanding between all parties — employees, clients, and partners — without requiring extensive security clearance procedures.

Our four security levels

AWARE7 GmbH classifies information into the following four levels:

SK-0 PUBLIC TLP:CLEAR

Information that is freely accessible outside AWARE7 GmbH and requires no special protection.

  • Modification, loss, or misuse would cause no particular harm
  • Disclosure to unauthorized parties has little or no impact
  • Examples: Public website content, press releases, general company information

Handling: No special protective measures required. Free to share.

SK-1 RESTRICTED TLP:GREEN

Internal business information that employees need to fulfill their duties but that is not intended for third parties.

  • Modification, loss, or misuse could impair legal standing or operational capability
  • If third parties gained knowledge of it, this could create competitive advantages or damage business relationships
  • Includes personal data with legitimate business interest

Handling: Share only with employees who have a legitimate interest. Not intended for external distribution.

SK-2 CONFIDENTIAL TLP:AMBER

Information intended only for directly affected, specifically named individuals.

  • Unauthorized disclosure could cause significant damage to business areas or projects
  • Misuse could harm the legal or professional standing of affected individuals
  • Includes sensitive personal data and confidential business information

Handling: This information should be transmitted encrypted whenever possible. Share only with named recipients.

SK-3 SECRET TLP:RED

Exceptional information whose unauthorized disclosure could significantly endanger the security or existence of AWARE7 GmbH.

  • Access exclusively at leadership level on a need-to-know basis
  • Unauthorized disclosure could endanger the existence of the company
  • Strictest access control and documentation required

Handling: This information may only be transmitted via end-to-end encryption.

Security Classification: SK-0 – Public | TLP:CLEAR

The policy is available as a PDF download. The document contains detailed handling instructions for each security level.
