ISO 27001 Control 5.13: Information Labelling
Information labelling is the foundation of effective data protection. Control 5.13 requires you to establish and enforce procedures that classify and label information according to your organization's sensitivity levels. Without clear labelling standards, sensitive data can be mishandled, exposing your organization to compliance failures and security breaches.
What this means
Control 5.13 mandates that your organization develop a comprehensive information classification scheme and implement corresponding labelling procedures. This means creating a defined set of classification levels (such as Public, Internal, Confidential, Restricted), establishing rules for how information must be labeled based on its sensitivity and business value, and ensuring all employees understand and apply these labels consistently. The labelling system must align with your organization's risk assessment and information protection requirements, enabling staff to handle data appropriately throughout its lifecycle.
How to comply
- 1.Define your organization's information classification scheme with clear categories (e.g., Public, Internal Use Only, Confidential, Restricted)
- 2.Establish labelling procedures that specify how each classification level must be marked on physical documents, digital files, and communications
- 3.Document labelling standards that cover all information types: emails, databases, cloud storage, printed materials, and backups
- 4.Create labelling guidelines that include where labels must appear, label format (headers, footers, watermarks), and retention requirements
- 5.Implement technical controls to auto-label sensitive information where possible using DLP tools or metadata tagging
- 6.Train all employees on the classification scheme and their responsibility to label information correctly
- 7.Conduct periodic audits to verify labelling compliance and identify gaps in implementation
- 8.Update labelling procedures when your classification scheme changes or new information types emerge
Evidence auditors look for
- Documented information classification policy with defined sensitivity levels and criteria for each classification
- Information labelling procedures manual provided to all staff
- Email templates with mandatory classification headers in subject lines or message bodies
- Document templates with embedded watermarks or headers indicating classification level
- Records of labelling training completion and sign-offs across the organization
- Audit reports showing labelling compliance rates by department
- Data Loss Prevention (DLP) system configurations enforcing automatic labelling of sensitive data
- Examples of correctly labelled documents (physical and digital) from various departments
- Change management records documenting updates to labelling procedures
- System configuration screenshots showing metadata tagging or classification tags in use
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates information labelling verification by scanning your digital environment to confirm that sensitive data is correctly classified and labeled according to your policy, generating compliance evidence without manual audits.
See how GRCWatch handles this control automatically
Start free trial