Labelling of Information - ISO 27001 Annex A Control

ISO 27001 Annex A 5.13

If a label is supposed to mean something it has to be visible.

ISO 27001 Annex A 5.13 - Labelling of Information

Labelling is what makes classification visible. The classification scheme says how information is sorted by sensitivity. Labelling tells anyone looking at a document, an email or a system which tier it belongs to. Without labels, classification only exists in the asset register and people have to guess what to do with what they are looking at.

Labels need to be applied consistently, in places where they are visible, and at points where they help people make handling decisions. Common practice is a header or footer on documents showing the classification tier, an email subject prefix or footer for messages above a certain tier, and visible markings on physical media or printouts. The exact mechanism is less important than the consistency.

The label is only useful if staff know what to do when they see it. Labelling has to come with handling rules - what each tier means, where it can be stored, who it can be shared with, how it should be transferred. The labelling scheme and the handling rules belong together in the same policy.

I will pick a few documents at random during an audit and check whether they are labelled. If a document with personal data has no classification label, that is a finding. If the label says Confidential but the document is on a shared drive everyone can access, that is a different kind of finding. Labels only mean something if the handling matches the label.

Practical Compliance Guidance

Labelling arrangements are described in the IMS1 manual at section 8.5 alongside the Information Classification and Protection Policy. Key company-controlled documents are labelled according to the classification scheme.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

GG-8-07 Information Classification and Protection - Sets out how the classification labels are applied across documents, emails and other media. Use as the reference for staff training on labelling.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

In principle yes, in practice the labelling rules can scale to risk. Some schemes only require labels for material above the lowest tier - so Public material is unlabelled by default and anything Business Use or above carries an explicit label. The approach should be documented in the classification policy.

Where emails carry information above the lowest tier, yes. Common approaches include a subject line prefix such as [CONFIDENTIAL] or an automatic email footer. Some email systems support classification add-ins that prompt the user to set the level before sending.

External documents that already carry a classification from another organisation should be respected and handled at least as protectively as their existing label suggests. Where external information carries no label but contains sensitive material, it should be labelled when it enters the organisation's systems.
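As an added illustration, not part of this page or the alphaZ toolkit, here is a small Python check that applies the labelling and handling rules above to constructed records: a label is required above the lowest tier or where personal data is present, emails above the lowest tier need a subject prefix, and a Confidential label on an open share is a handling mismatch. The tier names, the [BUSINESS USE] prefix and the record fields are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tier scheme, lowest to highest; only the lowest tier may go unlabelled.
TIERS = ["Public", "Business Use", "Confidential"]
LOWEST = TIERS[0]
# Assumed subject prefixes; the page mentions [CONFIDENTIAL] only.
EMAIL_PREFIX = {"Business Use": "[BUSINESS USE]", "Confidential": "[CONFIDENTIAL]"}


@dataclass
class Item:
    name: str
    kind: str                    # "document" or "email"
    warranted_tier: str          # the tier the content actually warrants
    label: Optional[str] = None  # the label the item actually carries
    subject: str = ""            # email subject line, if an email
    readers: str = "restricted"  # "restricted" or "everyone" (share permissions)
    personal_data: bool = False


def check(item: Item) -> List[str]:
    """Return audit findings for one item (empty list means it passes)."""
    findings = []
    needs_label = item.warranted_tier != LOWEST or item.personal_data
    if needs_label and item.label is None:
        findings.append(f"{item.name}: no classification label")
    if item.label is not None and TIERS.index(item.label) < TIERS.index(item.warranted_tier):
        findings.append(f"{item.name}: labelled {item.label} but content is {item.warranted_tier}")
    if item.label == "Confidential" and item.readers == "everyone":
        findings.append(f"{item.name}: labelled Confidential but readable by everyone")
    if item.kind == "email" and item.warranted_tier != LOWEST:
        want = EMAIL_PREFIX[item.warranted_tier]
        if not item.subject.startswith(want):
            findings.append(f"{item.name}: subject lacks {want} prefix")
    return findings


# Constructed sample records standing in for a random audit pick.
SAMPLE = [
    Item("hr-export.xlsx", "document", "Confidential", None, personal_data=True),
    Item("board-minutes.docx", "document", "Confidential", "Confidential", readers="everyone"),
    Item("lunch-menu.pdf", "document", "Public"),
    Item("email-42", "email", "Business Use", "Business Use", subject="Q3 forecast"),
    Item("email-43", "email", "Confidential", "Confidential", subject="[CONFIDENTIAL] contract draft"),
]


def audit(items: List[Item] = SAMPLE) -> Dict[str, List[str]]:
    """Map each item name to its findings."""
    return {i.name: check(i) for i in items}
```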
