COBIT DSS02.01 - Define Classification Schemes For Incidents And Service Requests

by Rajeshwari Kumar


COBIT DSS02.01 focuses on defining classification schemes for incidents and service requests within an organization's IT service management framework. Properly defined classification schemes are essential for efficiently managing incidents and service requests, as they help categorize and prioritize issues based on their impact and urgency. By adhering to the guidelines set forth in COBIT DSS02.01, organizations can streamline their IT service management processes and ensure timely resolution of issues. 

Steps To Define Classification Schemes For Incidents And Service Requests In COBIT DSS02.01

Overview Of COBIT DSS02.01 

COBIT DSS02.01 is part of the COBIT 2019 framework's "Deliver, Service, and Support" (DSS) area, with a specific focus on developing classification schemes for incidents and service requests.

This approach is critical for effectively organising and managing problems and service requests. The goal is to provide a structured approach for categorising and prioritising occurrences and requests based on their importance and immediacy. This classification scheme aids in ensuring that problems and service requests are handled in a timely and uniform manner, maximising the utilisation of IT resources and improving response times. A well-defined classification scheme helps IT teams streamline the incident and service request management process by outlining how to address various sorts of situations.

Key Elements Of Classification Schemes In COBIT DSS02.01 For Incidents And Service Requests

  1. Data Classification: The classification schemes outline the various categories of data within an organization based on its sensitivity and importance. This helps in identifying the level of protection and controls required for each type of data to prevent unauthorized access or disclosure.
  1. Asset Identification: Classification schemes also include the identification of information assets within the organization, such as databases, files, and documents. This step is crucial in understanding the scope of information security management and ensuring that all assets are adequately protected.
  1. Impact Analysis: An essential element of classification schemes is conducting impact analysis to assess the potential consequences of a security breach or unauthorized access to information assets. This helps in determining the appropriate level of protection and response mechanisms.
  1. Access Controls: Classification schemes define the access controls that should be implemented to safeguard information assets based on their classification. This includes user authentication, authorization levels, and encryption measures to restrict access to sensitive data to authorized personnel only.
  1. Data Retention and Disposal: Another key element of classification schemes is outlining the retention and disposal policies for different types of data. This ensures that information assets are retained for only as long as necessary and securely disposed of when no longer needed to reduce the risk of data breaches.
  1. Compliance Requirements: Classification schemes in COBIT DSS02.01 also consider compliance requirements with relevant laws, regulations, and industry standards pertaining to data protection and privacy. This ensures that the organization is operating within legal boundaries and meeting its obligations to safeguard sensitive information.

Steps To Define Classification Schemes For Incidents And Service Requests In COBIT DSS02.01

Step 1: Identify Information and Technology Assets: The first step in defining classification schemes is to identify the information and technology assets that need to be classified. This includes data, systems, applications, and other IT assets that the organization considers critical or sensitive.

Step 2: Categorize Assets: Once the assets have been identified, the next step is to categorize them based on their importance and sensitivity. This helps organizations understand the different levels of protection required for each asset.

Step 3: Define Classification Levels: After categorizing the assets, organizations need to define the classification levels for each category. This typically includes classifications such as public, internal use, confidential, and restricted access.

Step 4: Establish Access Controls: Once the classification levels have been defined, organizations need to establish access controls to ensure that only authorized individuals have access to classified assets. This may include user authentication, encryption, and other security measures.

Step 5: Implement Data Protection Measures: In addition to access controls, organizations need to implement data protection measures to safeguard classified assets. This may include data encryption, backup procedures, and secure storage facilities.

Step 6: Monitor and Review: Finally, organizations need to regularly monitor and review the effectiveness of their classification schemes. This includes conducting audits, reviewing access logs, and updating classification levels as needed.

Best Practices For Implementing Classification Schemes In COBIT DSS02.01

  • Understand the Importance of Information Classification: Before implementing a classification scheme, it is essential to understand the importance of information classification. Information classification helps organizations identify and categorize sensitive information based on its level of confidentiality, integrity, and availability.
  • Involve Stakeholders: To effectively implement a classification scheme, it is important to involve stakeholders from various departments within the organization. This ensures that the classification scheme is comprehensive and aligns with the organization's overall objectives and requirements.
  • Define Classification Levels: In accordance with COBIT DSS02.01, organizations should define classification levels based on the sensitivity of the information. Common classification levels include public, internal use, confidential, and restricted. Each level should have clear criteria for determining the classification of information.
  • Develop Clear Policies and Procedures: Clear policies and procedures are essential for the successful implementation of a classification scheme. These documents should outline the responsibilities of employees, the process for classifying information, and the appropriate handling and storage of classified information.
  • Implement Security Controls: Security controls play a vital role in protecting classified information from unauthorized access. Organizations should implement appropriate security controls, such as access controls, encryption, and monitoring, to safeguard classified information.
  • Provide Training and Awareness: Employee training and awareness are key components of a successful classification scheme implementation. Employees should receive training on how to classify information, the importance of information security, and their roles and responsibilities in protecting classified information.
  • Regularly Review and Update the Classification Scheme: Information classification is not a one-time process; it requires regular review and updates to reflect changes in the organization's business environment and information security requirements. Organizations should periodically review and update the classification scheme to ensure its effectiveness.


Defining classification schemes for incidents and service requests is a critical aspect of ensuring effective IT governance. COBIT DSS02.01 provides a framework for establishing these schemes and is essential for maintaining a structured and organized approach to incident and service request management. By adhering to the guidelines outlined in COBIT DSS02.01, organizations can enhance their incident management processes and ensure timely resolution of issues.