ISO 27001: 2022 A.5.13 Labelling of information

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.13 Labelling of information.

ISO 27001: 2022 Control Description

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.

Purpose

Procedures for information labelling should cover information and other associated assets in all formats. The labelling should reflect the classification scheme established in A.5.12. The labels should be easily recognisable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of storage media.

Guidance on implementation

The procedures can define:

a) cases where labelling is omitted (e.g. labelling of non-confidential information to reduce workloads);
b) how to label information sent by or stored on electronic or physical means, or any other format;
c) how to handle cases where labelling is not possible (e.g. due to technical restrictions).

Examples of labelling techniques include:

a) physical labels;
b) headers and footers;
c) metadata;
d) watermarking;
e) rubber-stamps.

Digital information should utilise metadata in order to identify, manage and control information, especially with regard to confidentiality. Metadata should also enable efficient and correct searching for information. Metadata should facilitate systems to interact and make decisions based on the associated classification labels.

The procedures should describe how to attach metadata to information, what labels to use and how data should be handled, in line with the organisation’s information model and ICT architecture.

Relevant additional metadata should be added by systems when they process information depending on its information security properties.

Personnel and other interested parties should be made aware of labelling procedures. All personnel should be provided with the necessary training to ensure that information is correctly labelled and handled accordingly.

Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

Labelling of classified information is a key requirement for information sharing.