ISO 27001 Annex A 5.13, Labelling of Information, is implemented by technically enforcing that data assets carry visual and metadata-based classification tags. The control mandates the configuration of sensitivity labels, visual watermarking, and automated header injection so that the confidentiality level of data is signalled both to users and to security systems such as DLP.
ISO 27001 Annex A Labelling of Information Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.13 by technically enforcing visual and metadata labels on data assets, rather than relying on staff to remember policy documents. Compliance requires that the classification levels defined under A.5.12 are visibly stamped onto headers, footers, and screens, and embedded into file properties for Data Loss Prevention (DLP) systems to read.
1. Translate Classification Policy into Technical Labels
Control Requirement: An appropriate set of procedures for information labelling must be developed and implemented in accordance with the information classification scheme.
Required Implementation Step: Open your labelling platform configuration (e.g., Microsoft Purview Compliance Portal or Titus). Create specific Sensitivity Labels that map 1:1 to your policy levels (e.g., “Public”, “Internal”, “Confidential”, “Strictly Confidential”). Assign a unique colour code and tool-tip description to each label to guide users at the point of creation.
Minimum Requirement: Every label defined in the policy must exist as a selectable button in the end-user’s Office ribbon.
2. Enforce Visual Watermarking for Sensitive Data
Control Requirement: Labels must be visually displayed on information output.
Required Implementation Step: Configure the label policy to automatically apply content markings. For “Confidential” and above, force a diagonal watermark stating “CONFIDENTIAL – INTERNAL USE ONLY” and add a footer that prints the label name (in Purview the dynamic-marking variable is `${Item.Label}`) to all Word documents and PowerPoint slides. This ensures that if a document is printed or screenshotted, the classification remains visible. A marking is a signal, not a protection: it is rendered by the Office application and does not stop the content being copied.
Minimum Requirement: A printed page of a confidential document must physically display the classification label.
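The following is an added example, not code from the original page: it builds the four-level schema from step 1 and the content markings from step 2 in Microsoft Purview using Security & Compliance PowerShell (the ExchangeOnlineManagement module). The label names, colours, tool-tips and marking text are illustrative assumptions; the cmdlets and parameters are the documented New-Label/Set-Label ones.

```powershell
# Added example (not from the original page). Requires the ExchangeOnlineManagement
# module and a Compliance Administrator account. Label names, colours and
# tool-tip text below are assumptions for illustration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Step 1: one entry per policy level. The colour is stored as a label
# advanced setting; the tool-tip is what users see in the Office ribbon.
$schema = @(
    @{ Name = 'Public';                Colour = '#00B050'; Tooltip = 'Approved for release outside the organisation.';             Mark = $false },
    @{ Name = 'Internal';              Colour = '#0070C0'; Tooltip = 'Default for business information; do not share externally.'; Mark = $false },
    @{ Name = 'Confidential';          Colour = '#FFC000'; Tooltip = 'Limited to named teams; handle per the A.5.13 procedures.'; Mark = $true  },
    @{ Name = 'Strictly Confidential'; Colour = '#C00000'; Tooltip = 'Board, legal, M&A material; need-to-know only.';             Mark = $true  }
)

foreach ($level in $schema) {
    $params = @{
        Name             = $level.Name
        DisplayName      = $level.Name
        Tooltip          = $level.Tooltip
        ContentType      = 'File, Email'
        AdvancedSettings = @{ color = $level.Colour }
    }
    if ($level.Mark) {
        # Step 2: diagonal watermark plus a footer that prints the label name.
        # ${Item.Label} is a Purview dynamic-marking variable, so it is kept in
        # single quotes to stop PowerShell expanding it before Purview sees it.
        $params += @{
            ApplyWaterMarkingEnabled           = $true
            ApplyWaterMarkingText              = "$($level.Name.ToUpper()) - INTERNAL USE ONLY"
            ApplyWaterMarkingLayout            = 'Diagonal'
            ApplyContentMarkingFooterEnabled   = $true
            ApplyContentMarkingFooterText      = 'Classification: ${Item.Label}'
            ApplyContentMarkingFooterAlignment = 'Center'
        }
    }
    if (Get-Label -Identity $level.Name -ErrorAction SilentlyContinue) {
        # Re-running the script updates the existing label instead of failing.
        $params.Remove('Name')
        Set-Label -Identity $level.Name @params | Out-Null
    } else {
        New-Label @params | Out-Null
    }
}

# Verification for the "Minimum Requirement": every policy level exists as a
# label. LabelActions carries the marking configuration as JSON.
Get-Label | Where-Object { $_.DisplayName -in $schema.Name } |
    Select-Object DisplayName, Guid, ContentType, LabelActions
```

Labels only appear in the ribbon once they are published by a label policy, which is the piece step 7 configures; until then the verification above shows the label exists in the tenant but users cannot select it.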
3. Embed Metadata for Automated Handling
Control Requirement: Labelling must support automation and machine processing.
Required Implementation Step: Ensure your labelling tool writes the classification into the file metadata (Custom Document Properties in Office files, XMP in PDFs). Verify this with `exiftool`, or, because Office files are ZIP containers, unzip one and read `docProps/custom.xml`: a Purview-labelled file carries clear-text properties named `MSIP_Label_<label GUID>_Name`, `MSIP_Label_<label GUID>_Enabled` and `MSIP_Label_<label GUID>_SiteId`. This metadata is what DLP gateways read to recognise and block files later. Because it is plain text it can also be stripped by a user or by a conversion tool, so DLP rules should pair the label check with content inspection rather than trusting the tag alone.
Minimum Requirement: The classification persists even if the file is renamed or moved to a different folder.
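As an added example (not from the original page), the script below performs the metadata check from step 3 at scale: it opens each Office file as a ZIP, reads `docProps/custom.xml`, and reports files that carry no `MSIP_Label_*_Enabled=true` property, i.e. files that a metadata-only DLP rule would let through. The share path is an assumption; the property naming follows the Purview convention described above.

```powershell
# Added example (not from the original page). Reads Purview label properties
# straight out of the OOXML container, no Office or Purview module required.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SensitivityLabelProperties {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if ($null -eq $entry) { return @() }   # no custom properties at all: never labelled

        $stream = $entry.Open()
        try {
            $reader = New-Object System.IO.StreamReader($stream)
            [xml]$doc = $reader.ReadToEnd()
        } finally { $stream.Dispose() }

        # custom.xml holds <property name="MSIP_Label_<GUID>_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
        foreach ($prop in $doc.Properties.property) {
            $name = $prop.GetAttribute('name')
            if ($name -like 'MSIP_Label_*') {
                [pscustomobject]@{ Name = $name; Value = $prop.InnerText }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

function Test-FileIsLabelled {
    param([Parameter(Mandatory)][string]$Path)
    $props = @(Get-SensitivityLabelProperties -Path $Path)
    # Treat a file as labelled only when an _Enabled=true property is present;
    # a stripped or never-labelled file returns $false and is unclassified.
    $enabled = $props | Where-Object { $_.Name -like '*_Enabled' -and $_.Value -eq 'true' }
    return [bool]$enabled
}

# Audit a share (path assumed) and list the files that would bypass a
# metadata-only DLP rule. Runs as whoever executes the script, so use a
# read-only service account for a real sweep.
$root = '\\fileserver\finance'
Get-ChildItem -Path $root -Recurse -File -Include *.docx, *.xlsx, *.pptx |
    ForEach-Object {
        $props = @(Get-SensitivityLabelProperties -Path $_.FullName)
        [pscustomobject]@{
            File     = $_.FullName
            Labelled = Test-FileIsLabelled -Path $_.FullName
            Label    = ($props | Where-Object Name -like '*_Name' | Select-Object -First 1).Value
        }
    } |
    Where-Object { -not $_.Labelled } |
    Format-Table -AutoSize
```

Run `Get-SensitivityLabelProperties` against a copy of a labelled file after renaming and moving it to confirm the "Minimum Requirement" that the classification persists, and against an exported PDF to see that the Office properties do not carry over (PDF labelling is a separate XMP write by the labelling client).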
4. Configure Email Subject Line Tagging
Control Requirement: Email messages must be clearly labelled to warn recipients.
Required Implementation Step: Set up Exchange Transport Rules (mail flow rules) or client-side enforcement. When a user selects “Confidential”, the system must prepend `[SEC=CONFIDENTIAL]` or similar text to the email Subject Line. Purview stamps labelled messages with an `msip_labels` header, which a mail flow rule can match on to apply the tag server-side; exclude messages whose subject already carries the tag so replies and forwards are not tagged twice. This provides an immediate visual cue to the recipient on mobile devices where headers might be hidden.
Minimum Requirement: External recipients can identify the data classification solely by reading the subject line.
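An added example (not from the original page) of the server-side variant of step 4: an Exchange Online mail flow rule that prepends `[SEC=CONFIDENTIAL]` whenever the `msip_labels` header shows the Confidential label as enabled. The label name and rule name are assumptions; the header name and the `MSIP_Label_<GUID>_Enabled=true` token are what Purview writes.

```powershell
# Added example (not from the original page). Needs Exchange Online PowerShell
# for the rule and Security & Compliance PowerShell to look up the label GUID.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession        # Get-Label
Connect-ExchangeOnline     # New-TransportRule / Get-TransportRule

$labelGuid = (Get-Label -Identity 'Confidential').Guid   # label name assumed
$tag       = '[SEC=CONFIDENTIAL]'

$rule = @{
    Name                         = 'A.5.13 - tag Confidential subject'
    HeaderContainsMessageHeader  = 'msip_labels'
    # ${labelGuid} is braced so PowerShell does not read "_Enabled" as part of the variable name
    HeaderContainsWords          = "MSIP_Label_${labelGuid}_Enabled=true"
    ExceptIfSubjectContainsWords = $tag                 # replies/forwards already carry the tag
    PrependSubject               = "$tag "
    Comments                     = 'ISO 27001 A.5.13 step 4: classification visible in the subject line'
    Mode                         = 'Enforce'            # use Audit first to check for false matches
}
New-TransportRule @rule | Out-Null

# Verification: the rule is enabled and bound to the expected header token.
Get-TransportRule -Identity $rule.Name |
    Select-Object Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, PrependSubject
```

Create one rule per label that needs a subject tag (the GUID differs per label), and put the rules above any rule that rewrites subjects, since the exception relies on the tag text being present.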
5. Physically Label Removable Media
Control Requirement: Physical storage media containing information must be externally labelled.
Required Implementation Step: Purchase a stock of high-durability, colour-coded acetate stickers. Mandate that any USB drive, backup tape, or external hard drive receives a physical sticker matching the highest classification of data stored on it. Conduct a physical walk-around audit and collect any unlabelled drives found on desks.
Minimum Requirement: No unmarked USB drives are permitted; every drive must carry a classification tag.
6. Implement Container-Level Labelling
Control Requirement: Systems and storage repositories should be labelled to indicate the sensitivity of stored data.
Required Implementation Step: Apply sensitivity labels to Microsoft Teams and SharePoint Sites, and equivalent resource tags to AWS S3 buckets. Configure the system so that a “Confidential” Team automatically restricts guest access and prevents unmanaged devices from syncing files. A container label governs the container’s own settings (privacy, guest access, external sharing, device access); it does not relabel the files inside, so pair it with a default label for the document library and a DLP rule that warns on or blocks files labelled higher than their container.
Minimum Requirement: You cannot upload a “Secret” file into a “Public” SharePoint site without a warning or block.
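As an added example (not from the original page), this extends the assumed “Confidential” label from step 1 to Teams and SharePoint containers and sets the container-level restrictions described in step 6. It assumes the tenant has already enabled sensitivity labels for Microsoft 365 Groups (the `EnableMIPLabels` group setting in Entra ID), which is a one-time prerequisite not shown here.

```powershell
# Added example (not from the original page). Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$container = @{
    Identity                                       = 'Confidential'                       # label name assumed
    ContentType                                    = 'File, Email, Site, UnifiedGroup'    # also usable on Teams/groups/sites
    SiteAndGroupProtectionEnabled                  = $true
    SiteAndGroupProtectionPrivacy                  = 'Private'    # membership not open to the tenant
    SiteAndGroupProtectionAllowAccessToGuestUsers  = $false       # no guests in a Confidential team
    SiteAndGroupProtectionAllowEmailFromGuestUsers = $false
    SiteAndGroupProtectionAllowLimitedAccess       = $true        # unmanaged devices: browser only, no download/sync
    SiteExternalSharingControlType                 = 'Disabled'   # external sharing off for sites with this label
}
Set-Label @container

# Verification: Settings lists every key/value pair stored on the label, so
# filter it for the container-related keys just set.
(Get-Label -Identity $container.Identity).Settings |
    Where-Object { $_ -match 'siteandgroup|siteexternalsharing' }
```

The unmanaged-device setting only takes effect if a conditional access policy in Entra ID is set to "Use app enforced restrictions" for SharePoint; without it the label records the intent but nothing enforces it.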
7. Automate Default Labelling
Control Requirement: Reduce human error by ensuring a baseline label is always applied.
Required Implementation Step: Configure the global policy to set a “Default Label” (usually “Internal”) for all new documents and emails, and pair it with the mandatory-labelling setting, since a default label on its own can still be removed before saving. This ensures that users must actively make a decision to downgrade data to “Public” or upgrade it to “Confidential”, preventing data from existing in an unlabelled “limbo” state.
Minimum Requirement: It is technically impossible to save a new Word document without a classification label attached.
8. Define Labelling for Data Transfer
Control Requirement: Labels must be understandable when information is shared with external parties.
Required Implementation Step: Create a “Label Mapping” table in your Data Sharing Agreements. Explicitly state that your “Strictly Confidential” is equivalent to the partner’s “Tier 1 Secret”. Where technical federation exists (e.g., both parties on Microsoft Purview), grant the partner’s domain usage rights in the label’s encryption settings so the protection (encryption and baked-in content markings) survives the transfer. Label GUIDs are tenant-specific, so the partner’s tenant will not render your label name and still needs the written mapping.
Minimum Requirement: Contracts explicitly define how the recipient must treat labelled data received from you.
9. Establish Mandatory Justification for Downgrading
Control Requirement: Changes to labels, especially lowering classification, must be controlled.
Required Implementation Step: Enable the “Require Justification” setting in your labelling policy. If a user attempts to change a document from “Confidential” to “Public”, a pop-up must force them to type a reason. The justification is recorded with the label-change event in the unified audit log (visible in Purview Activity Explorer); forward these events to a SIEM (e.g., Microsoft Sentinel) and have the Data Privacy Officer review them.
Minimum Requirement: Users cannot remove a “Confidential” label silently; an audit trail of the decision is mandatory.
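The following added example (not from the original page) covers step 7 and step 9 together: it publishes the assumed four labels in a label policy with a default label, mandatory labelling and a downgrade-justification prompt, then pulls the last week of label downgrade/removal events with their justification text for hand-off to the SIEM. The policy-setting keys are the ones used in Microsoft's PowerShell guidance for label policies; the audit field names (`SensitivityLabelEventData`, `JustificationText`, `OldSensitivityLabelId`) are taken from the Office 365 audit schema and should be confirmed against a real event in your tenant.

```powershell
# Added example (not from the original page). Connect-IPPSSession for the label
# policy cmdlets, Connect-ExchangeOnline for Search-UnifiedAuditLog.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
Connect-ExchangeOnline

# Step 7: default to "Internal", and make labelling mandatory so the default
# cannot simply be removed. Step 9: force a justification on downgrade/removal.
$defaultLabel = Get-Label -Identity 'Internal'                # label name assumed
$policy = @{
    Name             = 'Global labelling policy'              # policy name assumed
    Labels           = 'Public', 'Internal', 'Confidential', 'Strictly Confidential'
    ExchangeLocation = 'All'
    Settings         = @{
        mandatory                     = 'true'
        defaultlabelid                = "$($defaultLabel.Guid)"
        requiredowngradejustification = 'true'
    }
}
New-LabelPolicy @policy | Out-Null
# For an existing policy use:
#   Set-LabelPolicy -Identity $policy.Name -Settings $policy.Settings

# Step 9 audit trail: downgrades and removals from the last 7 days, with the
# reason the user typed. Operation and field names assumed per the audit schema.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SensitivityLabelAction `
    -Operations SensitivityLabelUpdated, SensitivityLabelRemoved `
    -ResultSize 5000

$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When          = $_.CreationDate
        User          = $_.UserIds
        Operation     = $_.Operations
        Object        = $d.ObjectId
        OldLabelId    = $d.SensitivityLabelEventData.OldSensitivityLabelId
        NewLabelId    = $d.SensitivityLabelEventData.SensitivityLabelId
        Justification = $d.SensitivityLabelEventData.JustificationText
    }
} | Export-Csv -NoTypeInformation -Path .\label-downgrades.csv
```

Resolve the label IDs in the CSV with `Get-Label | Select-Object Guid, DisplayName` before review, and treat an event with an empty Justification as a policy gap (a client or app that does not honour the setting), not as an accepted change.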
10. Deploy On-Screen Classification Banners
Control Requirement: Information processing facilities should be labelled.
Required Implementation Step: Use Group Policy (GPO) or MDM profiles to push a standard desktop background or lock screen to specific high-security terminals (e.g., HR, Finance) that clearly displays text like “RESTRICTED SYSTEM – AUTHORISED PERSONNEL ONLY”.
Minimum Requirement: A glance at the screen immediately informs an observer that the system processes sensitive data.
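An added example (not from the original page) of what the GPO or MDM profile in step 10 actually writes: the Windows logon banner (the “Interactive logon: Message title/text” security options) and a forced lock-screen image, set directly through their policy registry keys, plus the check an audit script would run. Banner wording and image path are assumptions; run it elevated on the target terminal.

```powershell
# Added example (not from the original page). Same keys a GPO or MDM
# "Interactive logon" / "Force a specific default lock screen" setting writes.
$banner = @{
    Caption = 'RESTRICTED SYSTEM - AUTHORISED PERSONNEL ONLY'
    Text    = 'This terminal processes Confidential HR and Finance data. Access is monitored and limited to authorised staff.'
}

# Logon banner shown before the credential prompt (all Windows editions).
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name legalnoticecaption -Value $banner.Caption -Type String
Set-ItemProperty -Path $sys -Name legalnoticetext    -Value $banner.Text    -Type String

# Forced lock-screen image carrying the classification (honoured on
# Enterprise/Education editions; image path assumed).
$pers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
New-Item -Path $pers -Force | Out-Null
Set-ItemProperty -Path $pers -Name LockScreenImage      -Value 'C:\Corp\restricted-lockscreen.jpg' -Type String
Set-ItemProperty -Path $pers -Name NoChangingLockScreen -Value 1 -Type DWord

# Verification for the walk-around audit: returns $true only if both banner
# strings are set, which is what an observer sees at the logon screen.
function Test-ClassificationBanner {
    $p = Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue
    return (-not [string]::IsNullOrWhiteSpace($p.legalnoticecaption)) -and
           (-not [string]::IsNullOrWhiteSpace($p.legalnoticetext))
}
Test-ClassificationBanner
```

Deploying via GPO or an MDM profile is preferable to running this by hand because the policy re-applies if a local administrator clears the keys; the registry writes above are useful for a one-off terminal or for confirming what the profile produced.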
ISO 27001 Annex A 5.13 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Schema Implementation | GRC tool provides a dropdown to “Select your levels” (1-4). | Fails if these levels aren’t configured in the actual software (Word/Outlook). A policy level without a toolbar button exists only on paper. |
| Visual Marking | SaaS platform asks: “Do you watermark documents?” (Yes/No). | Fails if the watermark is manually added. Users will forget. It must be automated via the labelling agent upon save/print. |
| Metadata Tagging | Tool ignores metadata entirely. | Fails when you try to implement DLP. If the label isn’t in the metadata, your DLP gateway has nothing to match on and can’t block the file from leaving. |
| Physical Media | Questionnaire: “Do you label USBs?” | Fails if you don’t actually buy the stickers and walk the floor. A digital policy cannot stick a label on a physical drive. |
| Default Labelling | Policy says “All data is Internal by default.” | Fails if the system allows “Unlabelled” files. The default must be technically enforced, or most of your data will remain unclassified. |
| Label Downgrades | Not tracked by compliance software. | Fails if a malicious insider simply changes “Secret” to “Public” to bypass DLP. You need forced justification logs. |
| Interoperability | Tool assumes internal use only. | Fails when you email a “Confidential” doc to a client and they publish it because they didn’t understand your label schema. |
About the author
Do it Yourself ISO 27001
Our Lead-Auditor verified templates with expert support have a 100% success rate.