Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.”
Plain-language meaning
If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.
Labelling makes classification visible enough to drive behavior. It can be explicit, such as a document footer, or contextual, such as a rule that everything in a restricted environment is treated as a specific classification.
Why this matters
Classification without labelling is easy to mishandle. Users may forward, print, store, or dispose of information incorrectly because the classification is not visible at the point of use.
Labelling helps with:
- access decisions;
- handling decisions;
- secure transmission;
- secure storage;
- secure printing;
- disposal;
- recipient awareness;
- external sharing.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Align labels to the classification scheme
Labelling procedures should match A.5.12 Classification of Information.
For each classification, define:
- whether labelling is required;
- where the label appears;
- who applies it;
- whether expiry or review dates are used;
- what happens when information changes format;
- how external labels are interpreted.
2. Label information in forms that users actually handle
Examples:
| Format | Labelling approach |
|---|---|
| Bound documents | Classification on cover and key pages |
| Loose paper | Classification on every page where practical |
| Digital documents | Header/footer, metadata, sensitivity label, document property |
| Subject marker, banner, sensitivity label, DLP rule | |
| Folders or repositories | Folder-level classification where content is consistent |
| Databases or systems | System or environment classification rule |
| Removable media | Physical label plus encryption/control record |
| Backups | Label based on most sensitive contained information |
The label should represent the most sensitive information in the container where practical.
3. Preserve labels when information changes form
Labelling procedures should address:
- printing digital documents;
- converting files to PDF;
- forwarding emails;
- exporting reports;
- copying data to removable media;
- moving data between systems;
- sharing externally.
If labels disappear during format changes, the control fails at exactly the point mishandling becomes likely.
4. Handle cases where visible labels create risk
Sometimes obvious labels can help attackers identify the most valuable information.
In those cases, the organization may use disguised, restricted, or role-specific labelling. That only works if distribution is tightly controlled and the people handling the information are trained.
Do not use “labels might attract attackers” as an excuse for no labelling process. That is weak unless there is a controlled alternative.
5. Interpret external labels carefully
Different organizations may use similar labels with different meanings.
Before relying on external labels:
- confirm what the label means;
- map it to internal handling rules;
- ensure recipients understand your labels;
- document agreed handling in contracts or exchange procedures.
6. Use expiry or review dates where useful
Some information stops being sensitive after a date or event.
Examples:
- financial results after public release;
- project details after launch;
- tender information after award;
- incident details after public disclosure.
Expiry dates can avoid unnecessary protection cost and reduce over-classification.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should confirm that labelling procedures exist, match the classification scheme, and work in practice across physical and digital formats.
Audit tests:
- sample classified documents and check labels;
- sample loose pages, printouts, emails, folders, repositories, and removable media;
- check whether labels survive printing or export;
- check whether system/database labels represent the most sensitive contained information;
- check whether external labels are understood;
- inspect whether labels are prominent and durable enough;
- interview users to confirm they understand what labels mean.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Labelling procedure | Labelling rules are documented |
| Classification scheme | Labels align to classifications |
| Sample labelled documents | Physical/digital labels are applied |
| Sensitivity label configuration | Technical labelling is implemented |
| Email/DLP label settings | Labels support transmission controls |
| Repository classification rules | Folder or environment-level labels are defined |
| Training records | Users understand labels |
| External data exchange procedure | Third-party labels are interpreted |
| Review or expiry records | Labels are updated when sensitivity changes |
Strong evidence
- Labelling procedure maps clearly to classification levels.
- Labels are visible at the point of use.
- Digital and physical formats are covered.
- Labels persist across printing, export, email, and transfer where practical.
- External labels are mapped to internal handling requirements.
- Highly sensitive information has controlled labelling and distribution.
- Users understand how to apply and interpret labels.
Weak evidence
- Classification exists but no labelling procedure.
- Labels appear only on cover pages while loose pages are unmarked.
- Digital labels disappear when printed or exported.
- Folder labels conflict with document content.
- External labels are accepted without interpretation.
- Adhesive labels fall off physical media.
- Users do not know what labels require them to do.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Labelling not aligned to classification | Labels do not drive correct handling |
| Digital formats ignored | Most information remains unlabelled |
| Labels lost on print/export | Information is mishandled after format change |
| Label indicates lower sensitivity than contents | Container is under-protected |
| External labels not mapped | Third-party information is mishandled |
| Labels too visible for sensitive covert material | Attackers can identify high-value targets |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Labelling supports classification; it is not the same as classification.
- Labelling must suit the form of information.
- Digital information can be labelled through metadata, sensitivity labels, folders, repositories, or system-level rules.
- Labels should remain with information when it changes form where practical.
- The label should represent the most sensitive information in the container.
- Sometimes visible labelling can create risk; alternative controlled approaches may be justified.
Related controls and concepts
- A.5.12 Classification of Information
- A.5.10 Acceptable Use of Information and Other Associated Assets
- Information Classification and Handling Matrix
- Information and Associated Asset Inventory
- Risk Assessment
- Internal Audit
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.13 requires procedures for labelling information in line with the classification scheme. Labelling should make classification visible or otherwise actionable across physical, digital, transmitted, stored, printed, and transformed information so users apply the right handling controls.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Labelling
- Classification
- Information handling
- Audit
Note Metadata
Aliases: A.5.13, Labelling of Information
Source: 02 Annex A Organizational Controls/A.5.13 Labelling of Information.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
8
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Internal Audit
- Risk Assessment
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- A.5 Organizational Controls MOC
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- A.5.12 Audit Evidence Pack
- A.5.13 Audit Evidence Pack
- AQ-ISO27001-A.5.13 Labelling of Information
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.3 - Information Access Restriction
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.13 Labelling of Information
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.5.13 Audit Checklist
- Acceptable Use and Information Handling Rules
- Clear Desk and Clear Screen Checklist
- Confidentiality Agreement Register
- Information and Associated Asset Inventory
- Information Classification and Handling Matrix
- Information Transfer Rules Matrix
- Storage Media Handling Procedure
- Annex A Controls MOC