ISO 27001:2022 Annex A Control 5.13 (A.5.13)

Explaining Control 5.13 (A.5.13) Labelling of information

ISO 27001 Annex A Control 5.13 (A.5.13) Labelling of information is a core element of your organization’s security framework. It ensures that sensitive, confidential, and critical data is accurately identified. This process helps your organization manage data in line with its classification level, enforce handling requirements, and protect information throughout its lifecycle. Clear labels reduce the risk of accidental disclosure and enable automated processes to effectively manage and process data.

Iso 27001 Control 5.13 (A.5.13)

Control Type

  • Preventive

Information Security Properties

  • Confidentiality
  • Integrity
  • Availability

Cybersecurity Concepts

  • Protect

Operational Capabilities

  • Information Protection

Security Domains

  • Defence
  • Protection

Objective: Ensuring Consistency in Information Labelling

The main objective of ISO 27001 Control 5.13 is to establish a standardized procedure for labelling information. This procedure should be consistent with your organization’s classification scheme, allowing stakeholders and systems to recognize the importance of data and apply the right level of protection. Labelling helps maintain confidentiality, integrity, and availability of information. It also helps ensure that any information sharing or transfer is carried out securely, aligned with the classification levels assigned.

Purpose: Strengthening Your Information Classification Practices

The purpose of this control is to strengthen your information classification practices and facilitate secure data handling. It directly supports the classification framework described in Control 5.12. When your organization adopts a clear labelling approach, personnel and automated processes can more easily:

  • Identify the classification level of information and apply suitable protections.
  • Make informed decisions about how to store, process, share, or archive data.
  • Maintain compliance with regulations and standards that require evidence of robust information handling controls.

Principles of Information Labelling

Alignment with the Classification Scheme

Your labelling strategy should mirror the classification categories used by your organization (for example, Public, Internal, Confidential, or Restricted). This consistency ensures that all parties understand the meaning of each label and can reliably follow the associated handling procedures.

Applicability to All Formats and Media

Information exists in various forms, including digital files, physical documents, and multimedia. Regardless of format, your labelling method should consistently reflect the classification. Ensure that email messages, portable media, physical printouts, and digital data carry or embed the correct classification labels.

Clear and Recognizable Labels

Labels need to be immediately visible or easily retrievable. Labels can be displayed in document headers, footers, or watermarks. In digital files, metadata can hold classification information, ensuring that automated tools can enforce the right controls.

Exceptions and Simplifications

In specific instances, you may decide that certain low-risk information does not require explicit labeling to avoid unnecessary operational burdens. Define these exceptions clearly and maintain a record of them. For example, your organization might omit labels on information labeled as “Public” to avoid extra overhead.

Timely Updates and Maintenance

Whenever your organization reclassifies data or changes its classification scheme, your labelling approach must be updated. This ensures that newly created or modified information bears the correct labels.

Labelling Techniques

Physical Labels

Physical labels include stickers, rubber-stamps, or other markers attached to documents, devices, and storage media. They must indicate the classification category and be visible enough to guide handling.

Document Headers and Footers

Headers and footers effectively remind readers of the classification level. This method is common for PDFs, word processing documents, and spreadsheets, particularly when these files are printed or shared as email attachments.

Metadata Integration

Metadata fields embedded in digital files provide the most flexible approach to labelling. Metadata can be recognized by automated systems to apply access controls or restrictions. This technique also helps with data discovery, especially when searching or auditing large data sets.

Watermarking

Watermarks can be used on digital or printed documents to embed a visible classification notice. This method is highly useful for documents containing sensitive data that might be printed or distributed.

Rubber-Stamps

Rubber-stamps allow quick, consistent application of labels on paper documents. In high-volume, paper-intensive processes, this method ensures no pages are overlooked.

Metadata Usage and Management

Metadata is an essential element for digital information labelling. Metadata can include details such as classification level, creation date, author, department, or process origin. By adopting systematic metadata usage, your organization can:

  • Facilitate Automated Decisions: Systems can detect classification labels embedded in metadata to enforce access control rules or apply encryption.
  • Enable Efficient Searches: Properly tagged information is easier to locate during audits, investigations, or routine operations.
  • Support Information Lifecycle Management: Metadata fields can indicate retention requirements, ensuring that data is archived or disposed of according to your organization’s policies.

Training and Awareness

Training and awareness programs help all personnel and relevant third parties understand their roles in labelling. Your organization should include:

  • Overview of Classification Levels: Explain the purpose of each level, how to identify information that fits into each category, and what actions to take.
  • Labelling Procedures: Demonstrate how to apply physical labels, add headers/footers, or embed metadata in digital files.
  • Handling Exceptions: Clarify instances where it may not be feasible or required to label information, along with the rationale and any compensating controls.
  • Common Pitfalls: Highlight issues such as forgetting to label newly created documents or failing to update labels after reclassification.

Potential Risks and Mitigations

Overt Labelling Risks

Overly conspicuous labels may draw unwanted attention from malicious actors who can more easily identify sensitive files. To mitigate this, your organization can use metadata or discreet notations where necessary.

Inconsistent or Incorrect Labels

Without a standardized approach, personnel may apply labels incorrectly or inconsistently. As a mitigation measure, define clear procedures, provide training, and establish routine checks.

Unlabeled Information

Information that lacks labels can be mismanaged or not recognized as sensitive. Encourage mandatory labeling fields within information systems and ensure that newly created records default to a specific classification level until properly labeled.

Labelling Overload

Excessive labeling on low-risk content can slow down processes and cause confusion. Balance this by establishing a clear threshold for when labels are necessary.

Relevant ISO 27001 Controls

Control 5.12 – Classification of Information
Control 5.12 defines the classification scheme that forms the basis of all labelling. Ensure your organization references these guidelines and aligns Control 5.13 labelling procedures with the defined categories.

Control 5.14 – Management of Information Transfer
Information is often exposed to risk during transfer. Labelling helps reinforce the correct encryption methods, handling instructions, and access permissions during data exchange.

Control 5.17 – Access Control
Well-labeled data makes it simpler to enforce access control policies. By reading the classification label, your systems and staff can decide who is authorized to access specific information.

Other Related Controls
Your organization may integrate labelling requirements into broader controls related to data lifecycle management, secure disposal, and asset management to ensure end-to-end protection.

Templates That Can Assist with Control 5.13

Templates can help your organization align all stakeholders, standardize labelling practices, and simplify compliance with ISO 27001 requirements. Consider using:

  • Information Classification & Labelling Policy Template
    A policy document that outlines how your organization classifies information and the steps for applying labels.

  • Metadata Attachment Procedures Template
    A procedural guide that details how to embed classification and other metadata elements in digital files.

  • User Awareness & Training Materials
    Presentations or checklists aimed at educating personnel about proper labelling and handling procedures.

 

Conclusion: Enhancing Security Through Effective Labelling

Implementing ISO 27001 Control 5.13 helps your organization label information accurately, improve data visibility, and support secure handling processes. By integrating labelling into every stage of the information lifecycle, you build a more resilient cybersecurity posture. Consistent labeling, combined with training and awareness, ensures that personnel recognize and protect sensitive data. This approach helps maintain regulatory compliance, reduce security risks, and support a well-structured information management environment.

Control 5.12
ISO 27001 overview
Control 5.14