Annex A · Organisational Control

A.5.13 — Labelling of Information

Reviewed by: Cenedril Editorial
A.5.13 · ISO 27001 · ISO 27002 · BSI 200-2

A printed document marked “Confidential” on every page signals to everyone who touches it — from the person who collects it from the printer to the colleague who finds it left on a desk — that this information requires careful handling. Without the label, the same document looks like any other printout and may end up in the recycling bin or on a shared table. A.5.13 requires the organisation to implement labelling procedures that make classification visible, so that handling rules can be applied consistently.

Labelling is the operational link between classification (A.5.12) and handling. A classification that nobody can see has no practical effect.

What does the standard require?

  • Develop labelling procedures. The organisation must define how information is labelled for each classification level and each type of medium (physical documents, digital files, emails, removable media, hardware).
  • Apply labels consistently. Labelling must follow the defined procedures. Classification labels should be applied when information is created or classified and updated when reclassification occurs.
  • Cover all relevant media. Labelling procedures should address printed documents, electronic files, emails, removable storage, cloud-stored data and physical assets that store information.
  • Support automation. Where possible, use metadata-based labelling that can be read by systems — enabling automated enforcement of handling rules (e.g. data loss prevention tools that act on classification metadata).
  • Train personnel. Everyone who creates or handles classified information must know how to apply labels correctly and what each label means in terms of handling requirements.

In practice

Define label formats per medium. For printed documents: classification in the header and footer of every page. For emails: classification tag in the subject line or, preferably, a dedicated header field, which a gateway can evaluate reliably and which users are less likely to edit away than a subject prefix. For digital files: metadata properties and, where appropriate, visible watermarks. For removable media: physical stickers. For cloud storage: folder-level or file-level metadata tags.

Implement a default classification. Require that every new document starts with a default classification (typically “Internal”). This prevents information from being created and circulated without any classification. Authors can reclassify upward or downward as appropriate.

Use technology to enforce labelling. Data loss prevention (DLP) tools can block the transmission of documents that lack classification metadata. Document management systems can require a classification field before saving. Email gateways can flag or hold outbound messages that carry a "Confidential" label. These technical controls complement the human process. Bear in mind that a label stored as file metadata can be edited or stripped by whoever holds the file, so enforcement should also detect unlabelled or implausibly labelled content rather than trusting the stored label alone.

Address the challenge of legacy data. Existing documents created before the classification scheme was implemented will not be labelled. Plan a phased approach: prioritise high-value repositories, classify and label the most sensitive information first, and address the remainder through natural document lifecycle (review, update, reclassify).

Typical audit evidence

Auditors typically expect the following evidence for A.5.13:

  • Labelling procedures — documented rules for how each classification level is labelled across different media
  • Document samples — examples of correctly labelled documents, emails and files at different classification levels
  • Template configuration — showing that classification fields are built into document templates
  • DLP or metadata enforcement logs — evidence that technical controls support labelling compliance
  • Training records — showing that personnel were trained on labelling procedures

KPI

% of classified information assets labelled in accordance with the classification policy

This KPI measures labelling compliance. Target: 100% of classified information assets carry the correct label. In practice, measure through spot-checks and automated metadata scans. A significant gap between classified and labelled assets indicates a process or training issue.
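The automated metadata scan behind this KPI, together with the DLP rule described under "Use technology to enforce labelling" (block anything without a recognised label) and the default treatment of unlabelled information from the FAQ, as an added example that is not part of the original page and not any vendor's code. It assumes documents are OOXML packages (.docx, .xlsx, .pptx), i.e. zip files whose custom properties live in docProps/custom.xml, and that the label is stored either in a custom property named "Classification" or in a Microsoft Purview/MIP-style property named MSIP_Label_<GUID>_Name; the level names, property names and sample documents are constructed for the example.

```python
"""Scan OOXML documents for classification metadata and compute the A.5.13 labelling KPI.

Added example, not from the original page. Assumptions (not stated on the page):
- Documents are OOXML zip packages; custom properties live in docProps/custom.xml.
- The label sits in a custom property "Classification" or a Purview/MIP-style
  property "MSIP_Label_<guid>_Name". Level names below are a constructed scheme.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

CUSTOM_PROPS_PART = "docProps/custom.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fmtid OOXML uses for user-defined properties
CLASSIFICATION_LEVELS = ("Public", "Internal", "Confidential", "Strictly Confidential")
DEFAULT_LEVEL = "Internal"  # default treatment for unlabelled information (classification policy)
MSIP_NAME_RE = re.compile(r"^MSIP_Label_[0-9a-fA-F-]{36}_Name$")


def read_classification(data: bytes) -> Optional[str]:
    """Return the label stored in an OOXML package, or None if the file carries none.

    Corrupt files and files without docProps/custom.xml are reported as unlabelled,
    which is the safe answer for a DLP gate.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if CUSTOM_PROPS_PART not in zf.namelist():
                return None
            root = ET.fromstring(zf.read(CUSTOM_PROPS_PART))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    for prop in root.findall("cp:property", NS):
        name = prop.get("name", "")
        if name == "Classification" or MSIP_NAME_RE.match(name):
            value = prop.find("vt:lpwstr", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def effective_classification(label: Optional[str]) -> str:
    """Handling level to apply: the stored label if it is a known level, else the default."""
    return label if label in CLASSIFICATION_LEVELS else DEFAULT_LEVEL


def dlp_allows_transmission(data: bytes) -> bool:
    """Gateway rule from the text: only documents with a recognised label may leave."""
    return read_classification(data) in CLASSIFICATION_LEVELS


def labelling_kpi(documents: Dict[str, bytes]) -> Tuple[float, List[str]]:
    """Percentage of documents carrying a recognised label, plus the names of the rest.

    A label outside the scheme (e.g. a typo) counts as unlabelled: the KPI asks for the
    *correct* label, not for any string in the property.
    """
    unlabelled = sorted(name for name, data in documents.items()
                        if read_classification(data) not in CLASSIFICATION_LEVELS)
    total = len(documents)
    pct = 100.0 if total == 0 else round(100.0 * (total - len(unlabelled)) / total, 1)
    return pct, unlabelled


def make_ooxml(custom_props: Optional[List[Tuple[str, str]]]) -> bytes:
    """Build a minimal OOXML-like package with the given custom properties (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if custom_props is not None:  # None = no custom.xml part at all, like a legacy file
            props = "".join(
                f'<property fmtid="{FMTID}" pid="{pid}" name="{escape(name)}">'
                f'<vt:lpwstr>{escape(value)}</vt:lpwstr></property>'
                for pid, (name, value) in enumerate(custom_props, start=2)
            )
            zf.writestr(CUSTOM_PROPS_PART,
                        '<?xml version="1.0" encoding="UTF-8"?>'
                        f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{props}</Properties>')
    return buf.getvalue()


# Constructed sample repository: two labelled files, two unlabelled, one corrupt upload.
MIP_GUID = "0c1f7d9a-6e24-4f8b-9a1d-3b2e5c7f8a90"  # made-up label id
SAMPLE_DOCUMENTS: Dict[str, bytes] = {
    "board-minutes.docx": make_ooxml([("Classification", "Confidential")]),
    "it-handbook.docx": make_ooxml([(f"MSIP_Label_{MIP_GUID}_Name", "Internal"),
                                    (f"MSIP_Label_{MIP_GUID}_Enabled", "true")]),
    "legacy-report.docx": make_ooxml(None),                  # pre-scheme document, no custom.xml
    "draft-notes.docx": make_ooxml([("Author", "J. Doe")]),  # has properties, but no label
    "not-a-document.bin": b"\x00\x01\x02",                   # corrupt or non-OOXML file
}

if __name__ == "__main__":
    pct, missing = labelling_kpi(SAMPLE_DOCUMENTS)
    print(f"labelled in accordance with policy: {pct}%")
    for name in missing:
        label = read_classification(SAMPLE_DOCUMENTS[name])
        print(f"  unlabelled: {name} (stored: {label!r}, handle as {effective_classification(label)})")
```

Running the scan over the constructed repository reports 40.0% labelled and lists the three files that would be blocked by the DLP rule; the same function, pointed at a real file share, yields the spot-check figure the KPI asks for and the worklist for the legacy-data clean-up described above.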

Supplementary KPIs:

  • Percentage of document templates with built-in classification fields
  • Number of unlabelled documents detected by DLP or metadata scans per quarter
  • Percentage of employees trained on labelling procedures within the last 12 months

BSI IT-Grundschutz

A.5.13 maps to the following BSI requirement:

  • BSI-Standard 200-2, Chapter 5.1 (Definition and communication of protection requirements) — requires that the protection level of information is communicated through appropriate means, enabling everyone who handles the information to apply the correct protection measures.

A.5.13 makes classification operational.

Frequently asked questions

What forms can labels take?

Labels can be physical (printed headers and footers, stickers on hardware, markings on envelopes) or digital (metadata tags, email headers, file properties, watermarks). The format depends on the medium; the key is that the classification is visible or accessible to anyone handling the information.

Must every document be labelled?

ISO 27002 recommends labelling for all classified information. In practice, the labelling effort should be proportionate: public information may not need a label, while anything classified as confidential or above should always be labelled. Define in the classification policy which levels require mandatory labelling.

How do we handle unlabelled information?

Define a default treatment in the classification policy. Many organisations specify that unlabelled information is treated as Internal by default. This prevents unclassified information from being handled as public by assumption.