Labelling of Information
Plain English Translation
ISO 27001 Annex A.5.13 ensures that once information is classified (e.g., as 'Confidential'), it is clearly marked so everyone knows how to handle it. This involves applying visual markings to physical documents (like 'Internal Use Only' stamps) and digital metadata or tags to electronic files. The goal is to make the sensitivity of the information immediately apparent to any user or system handling it, preventing accidental misuse or disclosure.
Technical Implementation
Required Actions (startup)
- Define a simple file naming convention that includes classification (e.g., 'ProjectX_Confidential.docx')
- Manually add headers/footers to sensitive documents
Required Actions (scaleup)
- Implement mandatory cloud resource tagging (e.g., 'classification:restricted')
- Deploy basic email tips or warnings for external sending of labelled data
Required Actions (enterprise)
- Automate labelling using tools like Microsoft Purview Information Protection
- Integrate labelling metadata with DLP solutions to block unauthorized transfers automatically
A.5.13 is an organizational control requiring the development and implementation of procedures to label information assets, ensuring their classification level is easily identifiable.
In the 2013 version, this was control A.8.2.2; the 2022 update renumbers it to A.5.13 under Organizational controls, but the core requirement to label information remains consistent.
Develop a procedure that specifies how to mark physical documents (e.g., stamps), digital files (e.g., headers, metadata), and screens, aligning these marks with your classification scheme.
ISO 27001 does not mandate specific levels, but standard practice involves labels such as 'Public', 'Internal Use', 'Confidential', and 'Restricted' to denote varying sensitivity.
Control A.5.12 defines *what* the categories are (the scheme), while A.5.13 defines *how* those categories are visually or digitally attached to the assets (the labels).
Auditors look for a Data Management Policy including labelling rules, and visual evidence like screenshots of cloud resource tags or physical documents with classification headers. WatchDog Security's Compliance Center can help organize these evidence items against A.5.13 and highlight gaps where required labelling artifacts are missing or outdated.
Yes, Microsoft Purview is an excellent tool for A.5.13 as it applies both visual markings and metadata to files, automating the labelling process.
Common mistakes include over-labelling public data, failing to label physical printouts, or having inconsistent labelling conventions across different departments.
Yes, the control applies to 'information' in all forms, meaning physical papers, removable media, and screens must also be labelled or marked according to their sensitivity.
Metadata labels (like cloud tags) allow automated systems to read the classification, enabling technical controls like DLP to enforce security rules without human intervention.
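The following is an added example, not code from the original page or from any vendor it mentions. It shows how a DLP-style control can act on labels without human intervention: it reads the classification from a cloud-resource-style tag dictionary (the page's 'classification:restricted' pattern) or, failing that, from the file naming convention in the startup actions ('ProjectX_Confidential.docx'), then decides whether an outbound transfer to an external recipient is permitted. The four-level scheme, the tag keys, the internal domain, the external-transfer ceiling and the sample records are all assumptions made for the example; unlabelled data is deliberately failed closed, since a label the system cannot read is the failure mode labelling programs most often hit.

```python
"""
Added example (not part of the original page): a minimal DLP-style policy
check driven entirely by classification labels. All names, labels, domains
and sample records are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Assumed classification scheme, ordered from least to most sensitive.
# The page names these four labels as common practice, not as a mandate.
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed policy: the highest level that may be sent to an external recipient.
MAX_EXTERNAL_LEVEL = "internal"

# Constructed: domains treated as inside the organization.
INTERNAL_DOMAINS = {"example.com"}

# Tag keys an automated system is allowed to read (assumed; the page's example
# uses the key 'classification').
TAG_KEYS = ("classification", "Classification")

# Naming convention from the page: '<Name>_<Label>.<ext>', e.g. 'ProjectX_Confidential.docx'.
NAME_RE = re.compile(r"_(Public|Internal|Confidential|Restricted)\.[A-Za-z0-9]+$")


@dataclass
class Decision:
    allowed: bool
    level: Optional[str]  # normalised label, or None when the file is unlabelled
    reason: str


def read_label(tags: dict, filename: str) -> Optional[str]:
    """Prefer machine-readable metadata; fall back to the filename convention."""
    for key in TAG_KEYS:
        value = tags.get(key)
        if value and value.strip().lower() in RANK:
            return value.strip().lower()
    match = NAME_RE.search(filename)
    if match:
        return match.group(1).lower()
    return None


def is_external(recipient: str) -> bool:
    """True when the recipient's mail domain is not one of ours."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def check_transfer(tags: dict, filename: str, recipient: str) -> Decision:
    """Decide whether a file may be sent to the recipient, based only on its label."""
    level = read_label(tags, filename)
    if not is_external(recipient):
        return Decision(True, level, "internal recipient")
    if level is None:
        # A label the system cannot read cannot be enforced: fail closed.
        return Decision(False, None, "unlabelled file; external transfer held for review")
    if RANK[level] > RANK[MAX_EXTERNAL_LEVEL]:
        return Decision(False, level, f"{level} exceeds external ceiling ({MAX_EXTERNAL_LEVEL})")
    return Decision(True, level, f"{level} permitted externally")


def evaluate_batch(records: list) -> list:
    """Run the check over (tags, filename, recipient) tuples, e.g. an audit sample."""
    return [check_transfer(tags, name, to) for tags, name, to in records]


if __name__ == "__main__":
    # Constructed sample of outbound transfers.
    sample = [
        ({"classification": "restricted"}, "board-pack.pdf", "bob@partner.org"),
        ({}, "ProjectX_Confidential.docx", "bob@partner.org"),
        ({}, "ProjectX_Confidential.docx", "alice@example.com"),
        ({"Classification": " Public "}, "brochure.pdf", "bob@partner.org"),
        ({}, "notes.txt", "bob@partner.org"),
    ]
    for (_, name, to), d in zip(sample, evaluate_batch(sample)):
        print(f"{name:28} -> {to:20} {'ALLOW' if d.allowed else 'BLOCK':5} ({d.reason})")
```

The design point is that every decision is derived from the label and nothing else, which is exactly why the label has to be present and consistent: the second and third records carry no tag at all and are handled only because the filename follows the convention, and the last record is blocked purely because it carries no label in either form.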
Labelling programs often stall because teams define labels but don't consistently apply them across the assets that store and process information, so audit samples become inconsistent. WatchDog Security's Asset Inventory helps by recording classification context for key information assets and systems, giving teams a structured place to track which repositories and platforms should carry labels and where coverage is missing.
A.5.13 evidence can become scattered across screenshots, tickets, and ad-hoc exports, making it hard to show a repeatable process over time. WatchDog Security's Compliance Center helps by mapping A.5.13 to evidence requirements and tracking gaps, so you can store and retrieve labelling artifacts (like tagging samples and procedure approvals) in a consistent, audit-friendly structure.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |