UnixTime

Research Note

ISO 27001 A.5.13 - Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.”

Plain-language meaning

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

Labelling makes classification visible enough to drive behavior. It can be explicit, such as a document footer, or contextual, such as a rule that everything in a restricted environment is treated as a specific classification.

Why this matters

Classification without labelling is easy to mishandle. Users may forward, print, store, or dispose of information incorrectly because the classification is not visible at the point of use.

Labelling helps with:

  • access decisions;
  • handling decisions;
  • secure transmission;
  • secure storage;
  • secure printing;
  • disposal;
  • recipient awareness;
  • external sharing.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Align labels to the classification scheme

Labelling procedures should match A.5.12 Classification of Information.

For each classification, define:

  • whether labelling is required;
  • where the label appears;
  • who applies it;
  • whether expiry or review dates are used;
  • what happens when information changes format;
  • how external labels are interpreted.

2. Label information in forms that users actually handle

Examples:

Format Labelling approach
Bound documents Classification on cover and key pages
Loose paper Classification on every page where practical
Digital documents Header/footer, metadata, sensitivity label, document property
Email Subject marker, banner, sensitivity label, DLP rule
Folders or repositories Folder-level classification where content is consistent
Databases or systems System or environment classification rule
Removable media Physical label plus encryption/control record
Backups Label based on most sensitive contained information

The label should represent the most sensitive information in the container where practical.

3. Preserve labels when information changes form

Labelling procedures should address:

  • printing digital documents;
  • converting files to PDF;
  • forwarding emails;
  • exporting reports;
  • copying data to removable media;
  • moving data between systems;
  • sharing externally.

If labels disappear during format changes, the control fails at exactly the point mishandling becomes likely.

4. Handle cases where visible labels create risk

Sometimes obvious labels can help attackers identify the most valuable information.

In those cases, the organization may use disguised, restricted, or role-specific labelling. That only works if distribution is tightly controlled and the people handling the information are trained.

Do not use “labels might attract attackers” as an excuse for no labelling process. That is weak unless there is a controlled alternative.

5. Interpret external labels carefully

Different organizations may use similar labels with different meanings.

Before relying on external labels:

  • confirm what the label means;
  • map it to internal handling rules;
  • ensure recipients understand your labels;
  • document agreed handling in contracts or exchange procedures.

6. Use expiry or review dates where useful

Some information stops being sensitive after a date or event.

Examples:

  • financial results after public release;
  • project details after launch;
  • tender information after award;
  • incident details after public disclosure.

Expiry dates can avoid unnecessary protection cost and reduce over-classification.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should confirm that labelling procedures exist, match the classification scheme, and work in practice across physical and digital formats.

Audit tests:

  • sample classified documents and check labels;
  • sample loose pages, printouts, emails, folders, repositories, and removable media;
  • check whether labels survive printing or export;
  • check whether system/database labels represent the most sensitive contained information;
  • check whether external labels are understood;
  • inspect whether labels are prominent and durable enough;
  • interview users to confirm they understand what labels mean.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Labelling procedure Labelling rules are documented
Classification scheme Labels align to classifications
Sample labelled documents Physical/digital labels are applied
Sensitivity label configuration Technical labelling is implemented
Email/DLP label settings Labels support transmission controls
Repository classification rules Folder or environment-level labels are defined
Training records Users understand labels
External data exchange procedure Third-party labels are interpreted
Review or expiry records Labels are updated when sensitivity changes

Strong evidence

  • Labelling procedure maps clearly to classification levels.
  • Labels are visible at the point of use.
  • Digital and physical formats are covered.
  • Labels persist across printing, export, email, and transfer where practical.
  • External labels are mapped to internal handling requirements.
  • Highly sensitive information has controlled labelling and distribution.
  • Users understand how to apply and interpret labels.

Weak evidence

  • Classification exists but no labelling procedure.
  • Labels appear only on cover pages while loose pages are unmarked.
  • Digital labels disappear when printed or exported.
  • Folder labels conflict with document content.
  • External labels are accepted without interpretation.
  • Adhesive labels fall off physical media.
  • Users do not know what labels require them to do.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Labelling not aligned to classification Labels do not drive correct handling
Digital formats ignored Most information remains unlabelled
Labels lost on print/export Information is mishandled after format change
Label indicates lower sensitivity than contents Container is under-protected
External labels not mapped Third-party information is mishandled
Labels too visible for sensitive covert material Attackers can identify high-value targets

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Labelling supports classification; it is not the same as classification.
  • Labelling must suit the form of information.
  • Digital information can be labelled through metadata, sensitivity labels, folders, repositories, or system-level rules.
  • Labels should remain with information when it changes form where practical.
  • The label should represent the most sensitive information in the container.
  • Sometimes visible labelling can create risk; alternative controlled approaches may be justified.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.13 requires procedures for labelling information in line with the classification scheme. Labelling should make classification visible or otherwise actionable across physical, digital, transmitted, stored, printed, and transformed information so users apply the right handling controls.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Labelling
  • Classification
  • Information handling
  • Audit

Note Metadata

Aliases: A.5.13, Labelling of Information

Source: 02 Annex A Organizational Controls/A.5.13 Labelling of Information.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

8

links

01

Requirement context

Primary control text, framework notes, or adjacent controls this note points to.

02
03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.