In this ultimate how-to implementation guide to ISO 27001 Annex A 5.13 Information Labelling, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Translate Classification Policy into Technical Labels
- 2. Enforce Visual Watermarking for Sensitive Data
- 3. Embed Metadata for Automated Handling
- 4. Configure Email Subject Line Tagging
- 5. Physically Label Removable Media
- 6. Implement Container-Level Labelling
- 7. Automate Default Labelling
- 8. Define Labelling for Data Transfer
- 9. Establish Mandatory Justification for Downgrading
- 10. Deploy On-Screen Screen Saver Classification
- ISO 27001 Annex A 5.13 SaaS / GRC Platform Implementation Failure Checklist
Implementing ISO 27001 Annex A 5.13 is the technical enforcement of Labelling of Information to ensure data assets carry visual and metadata-based classification tags. This control mandates the configuration of sensitivity labels, visual watermarking, and automated header injection to signal the confidentiality level of data to both users and security systems.
ISO 27001 Annex A Labelling of Information Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.13 by technically enforcing visual and metadata labels on data assets, rather than relying on staff to remember policy documents. Compliance requires that the classification schema defined in A.5.12 is visibly stamped onto headers, footers, and screens, and embedded into file properties for Data Loss Prevention (DLP) systems to read.
1. Translate Classification Policy into Technical Labels
Control Requirement: An appropriate set of procedures for information labelling must be developed and implemented in accordance with the information classification scheme.
Required Implementation Step: Open your labelling platform configuration (e.g., Microsoft Purview Compliance Portal or Titus). Create specific Sensitivity Labels that map 1:1 to your policy levels (e.g., “Public”, “Internal”, “Confidential”, “Strictly Confidential”). Assign a unique colour code and tooltip description to each label to guide users at the point of creation.
Minimum Requirement: Labels defined in the policy must exist as selectable buttons in the end-user’s Office ribbon.
2. Enforce Visual Watermarking for Sensitive Data
Control Requirement: Labels must be visually displayed on information output.
Required Implementation Step: Configure the label policy to automatically apply content markings. For “Confidential” and above, force a diagonal watermark stating “CONFIDENTIAL – INTERNAL USE ONLY” and add a footer variable `$LabelName` to all Word documents and PowerPoint slides. This ensures that if a document is printed or screenshotted, the classification is undeniable.
Minimum Requirement: A printed page of a confidential document must physically display the classification label.
3. Embed Metadata for Automated Handling
Control Requirement: Labelling must support automation and machine processing.
Required Implementation Step: Ensure your labelling tool writes the classification into the file metadata (Custom Document Properties in Office files, XMP in PDFs). Verify this by opening a labelled file in a text editor or using `exiftool` to see the clear-text tag (e.g., `MSIP_Label_GUID`). This metadata is crucial for DLP gateways to recognise and block files later.
Minimum Requirement: The classification persists even if the file is renamed or moved to a different folder.
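The following is an added example, not code from this guide or from Microsoft. It shows the machine-processing side of steps 1 and 3: a small DLP-style check that opens an Office Open XML file, reads the sensitivity label from `docProps/custom.xml` (the Custom Document Properties the step above tells you to inspect with a text editor or `exiftool`), maps the label GUID back to the 1:1 policy levels from step 1, and decides whether the file may leave the organisation. Because the decision is made from the file's metadata and not its name or location, it also demonstrates the minimum requirement that the classification survives a rename or move. The sample documents are constructed in memory; the label GUIDs and the `MSIP_Label_<GUID>_Enabled` / `MSIP_Label_<GUID>_Name` property naming are assumptions chosen to mirror the `MSIP_Label_GUID` tag named in the text.

```python
"""DLP-style gate that reads a sensitivity label from an Office file's custom
document properties and decides allow/block from the policy classification.

Added example for this guide (not the author's or Microsoft's code). The label
GUIDs and the MSIP_Label_<GUID>_Enabled / _Name property names are assumptions
used to mirror the MSIP_Label_GUID tag the guide says to look for."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed 1:1 mapping of policy levels to label GUIDs (step 1), least to
# most sensitive. Real GUIDs come from your labelling platform.
LABEL_GUIDS = {
    "Public": "00000000-0000-0000-0000-000000000001",
    "Internal": "00000000-0000-0000-0000-000000000002",
    "Confidential": "00000000-0000-0000-0000-000000000003",
    "Strictly Confidential": "00000000-0000-0000-0000-000000000004",
}
GUID_TO_LEVEL = {g: n for n, g in LABEL_GUIDS.items()}
ORDER = list(LABEL_GUIDS)
BLOCK_AT_OR_ABOVE = "Confidential"  # policy threshold for outbound transfer

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # standard custom-properties fmtid
PROP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(Enabled|Name)$")


def make_sample_docx(level=None):
    """Constructed minimal .docx: a zip whose docProps/custom.xml carries the label.
    With level=None the file is left unlabelled."""
    parts = []
    if level is not None:
        guid = LABEL_GUIDS[level]
        parts.append(f'<property fmtid="{FMTID}" pid="2" name="MSIP_Label_{guid}_Enabled">'
                     f'<vt:lpwstr>true</vt:lpwstr></property>')
        parts.append(f'<property fmtid="{FMTID}" pid="3" name="MSIP_Label_{guid}_Name">'
                     f'<vt:lpwstr>{level}</vt:lpwstr></property>')
    props = f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">' + "".join(parts) + "</Properties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", props)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def read_label(docx_bytes):
    """Return (policy_level, guid) for the enabled MSIP label, or (None, None)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return None, None
        root = ET.fromstring(z.read("docProps/custom.xml"))
    enabled, names = {}, {}
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        m = PROP_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, field = m.group(1).lower(), m.group(2)
        value = "".join(prop.itertext()).strip()
        (enabled if field == "Enabled" else names)[guid] = value
    for guid, flag in enabled.items():
        if flag.lower() == "true":
            # Trust the GUID -> policy mapping, not the free-text _Name the client wrote.
            return GUID_TO_LEVEL.get(guid, f"unknown:{guid}"), guid
    return None, None


def gateway_decision(docx_bytes):
    """Decide 'allow' or 'block' purely from embedded metadata (filename-independent)."""
    level, guid = read_label(docx_bytes)
    if level is None:
        return "block", "unlabelled file: a label must be applied before transfer"
    if level not in ORDER:
        return "block", f"label GUID {guid} is not in the approved classification scheme"
    if ORDER.index(level) >= ORDER.index(BLOCK_AT_OR_ABOVE):
        return "block", f"{level} content may not leave the organisation"
    return "allow", f"{level} content permitted"


if __name__ == "__main__":
    for lvl in [None, "Public", "Internal", "Confidential", "Strictly Confidential"]:
        # Same bytes whatever the file is called: renaming cannot strip the label.
        print(f"{str(lvl):22s} -> {gateway_decision(make_sample_docx(lvl))}")
```

The gate keys its decision on the label GUID rather than on the human-readable `_Name` property or on the watermark text, because the GUID is what your labelling platform controls and what ties the file back to the scheme in A.5.12; a user editing the visible name does not change the outcome.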