Microsoft 365 Sensitivity Labels – Sample Taxonomy


When working with clients to deploy Syskit Point, we often encounter a recurring challenge: selecting the right sensitivity labels taxonomy for their Microsoft 365 environments.

Many organizations struggle to define a framework that balances security needs with ease of use for employees. Over the years and through numerous client engagements, we’ve identified the most common and effective sensitivity labels used in Microsoft 365 deployments.

In this post, I am sharing some of those real-world examples to help guide you in building your own tailored sensitivity label taxonomy.

| Label | Sensitivity Level | Description | Applicable Industry | Company Size | Source |
|---|---|---|---|---|---|
| Public | Low | Freely shareable information (e.g., marketing materials). | General | Small/Medium | ISO 27001, NIST SP 800-53 |
| Internal | Low | Internal use, not highly sensitive (e.g., meeting notes). | General | Small/Medium | ISO 27001, NIST SP 800-53 |
| Confidential | Medium | Sensitive data like contracts or financial reports. | General | Small/Medium | ISO 27001, NIST SP 800-53 |
| Highly Confidential | High | Critical information, e.g., legal or personal data. | General | Small/Medium | ISO 27001, NIST SP 800-53 |
| Unrestricted/Public | Low | No-risk data, can be shared with external parties. | General | Large | Government compliance |
| Low Sensitivity | Low | General internal information (e.g., policy documents). | General | Large | ISO 27001 |
| Private/Internal-Use Only | Medium | Sensitive internal data (e.g., personnel files). | General | Large | ISO 27001 |
| Restricted/Confidential | High | Highly sensitive info like client or audit data. | General | Large | ISO 27001 |
| Top Secret/Classified | Top Secret | Critical and classified data, risk of serious consequences if leaked. | Government/Defense | Large | Government/Defense standards |
| Public Health Information (PHI) | Low | Public health statistics, open health advisories. | Healthcare | All | HIPAA |
| Internal Operations | Low | General internal operations, without sensitive PHI. | Healthcare | All | HIPAA |
| Confidential Medical Records | Medium | Patient health data, subject to HIPAA regulations. | Healthcare | All | HIPAA |
| Regulated/Highly Confidential | High | Strictly regulated medical information or trial data. | Healthcare | All | HIPAA |
| Public Financial Information | Low | Financial data available in public reports. | Financial Services | All | SOX, GDPR |
| Internal Financial Data | Low | Internal operational data, e.g., budget plans. | Financial Services | All | SOX, GDPR |
| Confidential Client Information | Medium | Client-sensitive data like loan applications. | Financial Services | All | SOX, GDPR |
| Highly Restricted | High | Data related to internal audits, proprietary algorithms. | Financial Services | All | SOX, GDPR |
| Proprietary | Medium | Company intellectual property or trade secrets like product designs or software. | Manufacturing, Tech | All | ISO 27001, Intellectual Property Law |
| Client Confidential | Medium | Data shared by clients under confidentiality agreements, such as contracts. | Legal, Consulting | All | Client Contracts, GDPR |
| Export Controlled | High | Information subject to export control laws (e.g., technical drawings or software). | Defense, Aerospace | Large | ITAR, Export Compliance |
| Board Materials | High | Documents for the board of directors, including strategic plans and financials. | All | Medium/Large | Corporate Governance |
| Legal Hold | High | Data preserved due to ongoing legal proceedings, like emails and contracts. | Legal, Corporate | All | E-Discovery, Legal Compliance |
| Sensitive Personal Data | High | Personally identifiable information (PII) subject to regulations like GDPR. | All | All | GDPR, CCPA |
| Contractual Information | Medium | Data contained in contracts with third parties or suppliers. | Legal, Procurement | All | Contract Law |
| HR Confidential | Medium | Employee data, including performance reviews and salary information. | All | All | Employment Law, GDPR |
| Research & Development (R&D) | High | Sensitive data related to product or service innovation or lab results. | Pharmaceuticals, Tech | Medium/Large | Research Confidentiality Agreements |
| Investor Relations | Medium | Documents shared with investors, including earnings reports and forecasts. | Finance, Public Companies | Medium/Large | SEC Regulations, Financial Reporting |
| Crisis Management | High | Plans for crisis response, including communication strategies and risk assessments. | All | All | Risk Management Standards |
| Restricted Intellectual Property | High | Pending patents, proprietary technologies in development. | Tech, Biotech | All | Intellectual Property Law |
| Supplier Information | Medium | Confidential data about suppliers, including pricing or proprietary details. | Manufacturing, Retail | All | Contract Law |
| Sensitive Financial Data | High | Sensitive financial records like loan agreements or risk assessments. | Finance, Insurance | Large | SOX, Financial Regulatory Standards |
| Government Restricted | Top Secret | Government-classified information like military contracts or state secrets. | Defense, Government | Large | Government Classification Standards |
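As an added example (not part of the original post or of any Syskit product), the following Security & Compliance PowerShell script provisions the four general-purpose labels from the first rows of the table, in ascending sensitivity order so their priority in the tenant matches the taxonomy, and publishes them with downgrade justification turned on. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role allowed to manage sensitivity labels; the policy name is a placeholder.

```powershell
# Added example: builds the "General / Small-Medium" tier of the taxonomy above.
# Assumes: ExchangeOnlineManagement module installed; account can manage labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Label names and tooltips taken directly from the table; order = ascending sensitivity.
$taxonomy = @(
    @{ Name = 'Public';              Tooltip = 'Freely shareable information (e.g., marketing materials).' }
    @{ Name = 'Internal';            Tooltip = 'Internal use, not highly sensitive (e.g., meeting notes).' }
    @{ Name = 'Confidential';        Tooltip = 'Sensitive data like contracts or financial reports.' }
    @{ Name = 'Highly Confidential'; Tooltip = 'Critical information, e.g., legal or personal data.' }
)

foreach ($label in $taxonomy) {
    # Idempotent: skip labels that already exist in the tenant.
    $existing = Get-Label -Identity $label.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        # New-Label appends to the end of the priority list, so creating the
        # labels in taxonomy order yields Public (lowest) .. Highly Confidential (highest).
        New-Label -Name $label.Name -DisplayName $label.Name -Tooltip $label.Tooltip | Out-Null
        Write-Host "Created label '$($label.Name)'"
    }
}

# Publish all four labels to Exchange, SharePoint and OneDrive for every user.
$policyName = 'Sample Taxonomy Policy'   # placeholder name
$labelNames = $taxonomy | ForEach-Object { $_.Name }
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName -Labels $labelNames `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null
}

# Require users to justify lowering a label; the justification lands in the audit log,
# which is what you will want when investigating a suspected data leak.
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{ RequireDowngradeJustification = 'true' }
```

The industry-specific rows in the table can be added the same way by extending `$taxonomy`; keep each tenant's label set small, since users choose from it manually.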


Hey there! I’m Toni, the Co-Founder and CEO of Syskit, creators of Syskit Point and SPDocKit. Welcome to Toni on Tech, where we explore the ever-evolving world of software, technology, and business.