The main purpose of Control 5.12, Classification of information, is to ensure that protection needs are identified and understood based on the importance of information. Classification gives information a defined sensitivity or value level, such as public, internal, confidential, or restricted, depending on the organization’s scheme. This classification then drives handling rules, access restrictions, labelling, retention, transfer methods, storage requirements, encryption decisions, and disposal practices. Option B describes the purpose of Control 5.13, Labelling of information, which communicates classification and can support automated information handling. Option C describes the general purpose of access control, especially Control 5.15 and related access rights controls. Classification is foundational because the organization cannot apply proportionate protection unless it understands the value, sensitivity, criticality, legal status, and business impact of the information. ISO/IEC 27002 expects classification to consider confidentiality, integrity, availability, and relevant interested-party requirements. Therefore, option A is the verified answer because it precisely matches the purpose of classifying information. References/Chapters: ISO/IEC 27002:2022, Control 5.12 Classification of information; Control 5.13 Labelling of information; Control 5.15 Access control.
