How to implement the classification system

What steps should you take? 

At the highest level, all agencies that use the Classification System should:

  • familiarise themselves with the policy
  • assess any gap between the policy requirements and their existing policy and processes
  • agree any actions required to address that gap.

Agencies should also consider whether their culture and ways of working are aligned to the policy’s intent. The reasons why information is not shared are often as much cultural as procedural. Some agencies will not be able to make significant change to how they share information without addressing cultural factors that inhibit information sharing.

The table below indicates the possible activities, within each area, that agencies should make to adopt the Classification System:

Assess policy change  
Assess impact of changes on current protective security policies, procedures, and practices. The first step for all agencies should be to review the new Classification System policy and assess whether existing policies and procedures are fit for purpose.
Assess gap between current practices and the agency’s desired future state. Agencies need to decide what changes they are going to make in response to the changes. The amount of change should be proportionate and take into consideration current maturity and business need.
Plan [and deliver] work to implement any required changes. For some agencies, delivering these changes may require a plan and resources to ensure changes are implemented on time.
Assess behavioural change  
Assess current culture, especially with regard to information sharing. Agencies have different tolerances for information sharing and should begin by assessing their current culture towards the sharing of information.
Assess gap between current information sharing culture and desired future information sharing culture. Agencies need to consider if their current culture enables them to share information in the way they would like to. If it is not, agencies should agree what change they think is necessary.
Confirm leadership is committed to any desired culture change. Any behavioural change is hard and is unlikely to succeed if led by practitioners alone. If agencies need to make substantive change to embedded ways of working, they will only succeed if this has strong commitment from leaders.
Plan [and deliver] work to implement any required changes. Agencies need to consider how any behaviour change can be built into their planned work. This may require specialist change management and communications support.
Assess training material  
Review and adopt centrally developed Classification System education and training packages. The training modules are designed to be directly adopted. However, agencies may wish to deploy the modules within their own Learning Management Systems, especially as this will give them the capability to record attendance and completion.
Choose whether to adapt and customise training modules and/or develop agency-specific training. The training modules are designed to be generic. Agencies may feel they can be made more meaningful if they are adapted, for example with more examples that are specific to the agency and with the inclusion of additional information. This will require time and resource from their own Learning and Development teams and security practitioners to develop/update content.
Plan [and deliver] training. Once training materials are developed, agencies will need to integrate these with their existing training requirements (this may require the content to be adapted).

How to assess and manage the change impacts

Some agencies have requested advice on how to introduce change. The need for change management support varies widely between agencies.

At the low end, some agencies have asked only for clear guidance and education materials and have all the necessary capability to roll this out themselves.​

At the high end, some agencies have requested much more specific help with tools, templates and processes.​

A Change Toolkit has been developed to provide agencies with a reminder of the broad change management steps that any organisation should take to give the best possible chance of success/adoption.

It is not intended to be prescriptive or to deliver a comprehensive set of change management tools. The toolkit contains an organisational assessment and communications guidance.

The organisational assessment allows agencies to assess their current maturity in using the Classification System, agree their future maturity and identify what high level changes they will need to make. The assessment is specifically targeted at assessing maturity in using the Classification System. The organisational assessment is tailored to classification issues and is applicable to all agencies. This provides an objective basis for agencies to assess their current maturity and assess whether this is adequate.

The Communications Guidance provides some support for agencies to consider:

  • What groups of people in their organisation will be affected by changing the classification policy
  • What is the best way to communicate with them
  • What they should feel, think and do after the new policy is rolled out.

The communications guidance provides some support for agencies looking for help in how to deliver change. Agencies with specialist resources and capability in delivering change will probably use their own resources and methodology to deliver change.

Implementation roles and capabilities  

The resource available to support implementation of the classification system policy will vary from organisation to organisation. In general, the more minor the change to existing practice, the less support will be required. For example, small changes to policy can be introduced by practitioners successfully.

However, for some agencies to achieve the policy objectives, they may need to confront legacy cultures, systems and processes that have become engrained and often actively resist information sharing. Change of this nature is dependent on leadership, people who are experienced in delivering change and a commitment to stay the course.

Failed change initiatives can be costly and often result in the desired change being deprioritised for years to come. It is important that agencies strike a pragmatic balance between what change is desirable and what change is probable to succeed.

Depending on the size of the change, you may need people with the following capabilities:

  • classification and information security – for classification and security policies and practice implementation
  • information management – for information sharing and declassification policies and programme implementation
  • learning and development – for classification training adoption, adaptation, and implementation
  • organisation change management – for understanding, planning, and carrying out key communication and change management to drive the culture change needed and measuring how well the change has been achieved.