ISO 27001 A.5.13: Labelling of information
What This Control Requires
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
In Plain Language
Classification is only useful if people can actually see it. A document classified as "Confidential" that carries no visible marking will inevitably get treated as if it were internal or public. Labelling makes classification actionable.
This applies to both physical and digital information. Paper documents need classification markings in headers or footers. Digital files need metadata, watermarks, or visible labels. Emails may need classification tags in the subject line. Storage media should be labelled with the highest classification of information they contain.
Be practical about it. Not every single document needs an individual label. You can define that all information on a particular system inherits a certain classification, or that public website content does not need explicit markings. The key is defining clear rules for when labelling is mandatory versus when context is sufficient.
How to Implement
Develop labelling procedures for every information format your organisation uses. Cover paper documents (header and footer markings, cover pages), electronic documents (metadata, watermarks, visual labels), emails (subject line tags, classification selectors), presentations (slide headers and footers), storage media (physical labels on USB drives, hard drives, tapes), and information systems (banner pages, login screen classifications).
Deploy tools to make labelling easy. Microsoft Information Protection (MIP) can add persistent labels and metadata to Office documents and emails. Email classification add-ins can require users to select a classification before sending. Document management systems can enforce classification tagging on upload.
Define clear rules for when labelling is required versus when it can be implied. Documents on a classified file share might inherit the share's classification. Public content on your website probably does not need individual labels. Spell out these exceptions explicitly.
Train people on how to label correctly. Provide templates with pre-configured classification headers and footers. Give guidance on what to do when they receive unlabelled information: the default should be to treat it as the higher classification until confirmed.
Audit labelling compliance regularly. Sample documents, emails, and storage media to check labels are being applied correctly. Address failures through awareness reinforcement first, and escalate through your disciplinary process if needed.
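The rules in the steps above (visible labels on documents and emails, classification inherited from a classified share or public site, media labelled with the highest classification it holds, and unlabelled items treated as the higher classification until confirmed) can be turned into a repeatable compliance check. The following is an added example, not AuditFront's or the standard's own code; the four-level scheme, the "[Class]" subject-tag format, the share paths and the sampled items are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
# Assumed classification scheme (low to high) and labelling conventions for this example.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}
SUBJECT_TAG = re.compile(r"^\[(" + "|".join(LEVELS) + r")\]", re.IGNORECASE)
INHERITED = {"/shares/finance-restricted/": "Restricted", "https://www.example.com/": "Public"}
DEFAULT_WHEN_UNLABELLED = "Confidential"   # treat as the higher class until confirmed

@dataclass
class Item:
    kind: str                   # "document", "email" or "media"
    location: str
    subject: str = ""           # emails only
    metadata: dict = field(default_factory=dict)   # e.g. {"Classification": "Internal"}
    contents: list = field(default_factory=list)   # media only: labels of the stored data

def explicit_label(item):
    """Label the item visibly carries: metadata field first, then a subject-line tag."""
    value = item.metadata.get("Classification", "").title()
    if value in RANK:
        return value
    match = SUBJECT_TAG.match(item.subject)
    return match.group(1).title() if match else None

def required_label(item):
    """Minimum class the item's context demands (inherited rule or media contents), or None."""
    if item.kind == "media":
        return max(item.contents, key=RANK.get) if item.contents else None
    return next((lvl for pre, lvl in INHERITED.items() if item.location.startswith(pre)), None)

def audit_item(item):
    explicit, required = explicit_label(item), required_label(item)
    if explicit is None:
        inherited = None if item.kind == "media" else required   # media never inherits a label
        if inherited is None:
            return {"classification": DEFAULT_WHEN_UNLABELLED, "finding": "unlabelled"}
        return {"classification": inherited, "finding": None}
    if required is not None and RANK[explicit] < RANK[required]:
        return {"classification": required, "finding": f"under-labelled: {explicit} below {required}"}
    return {"classification": explicit, "finding": None}

SAMPLE = [   # constructed sample of items drawn for a compliance check
    Item("document", "/shares/finance-restricted/q3.xlsx", metadata={"Classification": "internal"}),
    Item("email", "mailbox:alice", subject="[Confidential] Payroll export"),
    Item("document", "/home/alice/notes.docx"),
    Item("media", "USB-0042", metadata={"Classification": "Internal"}, contents=["Public", "Confidential"]),
    Item("document", "https://www.example.com/press/launch.html"),
]

def findings(items=SAMPLE):
    return [(i.location, f) for i in items if (f := audit_item(i)["finding"])]
```

Running `findings()` on the sample flags the under-labelled spreadsheet on the restricted share, the unlabelled home-directory document, and the USB stick labelled below the Confidential data it holds, while the tagged email and the public web page pass.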
Evidence Your Auditor Will Request
- Documented labelling procedures for all information formats and media types
- Technical tools deployed to support information labelling, such as MIP or email classifiers
- Samples of labelled documents, emails, and media demonstrating correct labelling
- Training records showing personnel have been trained on labelling procedures
- Audit records of labelling compliance checks
Common Mistakes
- No labelling procedures exist, or they only cover one format such as paper documents
- Digital documents and emails are not labelled with classification markings
- Personnel do not consistently apply labels due to lack of training or tools
- Labelling tools are available but not mandatory or enforced
- Removable media containing classified information is not labelled