In this ultimate how-to audit guide to ISO 27001 Annex A 5.13 Information Labelling, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Information Labelling Procedure Formalisation Verified
- 2. Physical Media Labelling Accuracy Confirmed
- 3. Digital Document Metadata Labelling Validated
- 4. Automated Labelling Integration in SaaS/Cloud Verified
- 5. Email Communication Labelling Consistency Confirmed
- 6. Labelling Exceptions for Public Information Validated
- 7. Labelling Integrity in System Outputs Verified
- 8. Employee Competence in Labelling Tools Confirmed
- 9. Alignment Between Inventory and Labelling Present
- 10. Labelling Review and Update Records Identified
Auditing ISO 27001 Annex A 5.13 Information Labelling involves verifying that an appropriate set of procedures is implemented to label information in accordance with the organisation’s information classification scheme. The audit validates the primary implementation requirement: that visible and metadata-based labels are applied so that the value and sensitivity of information is communicated to the people and systems that handle it. The business benefit is consistent data handling, fewer accidental disclosures, and the ability to drive automated protection mechanisms such as DLP from clear classification tags rather than from guesswork.
1. Information Labelling Procedure Formalisation Verified
Verification Criteria: A documented procedure exists that defines the specific methods for labelling information in all formats (physical and electronic) based on the classification scheme, including where the label is placed and who is responsible for applying it.
Required Evidence: Approved Information Labelling and Handling Procedure, integrated with the wider Classification Policy.
Pass/Fail Test: If the organisation has a classification policy but no documented instructions on how or where to apply the labels, mark as Non-Compliant.
2. Physical Media Labelling Accuracy Confirmed
Verification Criteria: Physical assets, including removable media, printed reports, and backup tapes, bear visible classification labels.
Required Evidence: Physical inspection of a sample of 5-10 items (e.g., printed board packs, encrypted USB drives) for correct classification stickers or markings.
Pass/Fail Test: If a physical document containing sensitive PII or financial data is found without a classification marking, mark as Non-Compliant.
3. Digital Document Metadata Labelling Validated
Verification Criteria: Electronic documents (PDFs, Word documents, Spreadsheets) contain internal classification labels within the metadata or as visible headers/footers.
Required Evidence: A sample of 10 documents from internal repositories (SharePoint/Google Drive) showing consistent use of labelling tools (e.g., Microsoft Purview/Sensitivity Labels).
Pass/Fail Test: If digital files at the higher classification levels lack the label (metadata tag or visible marking) that the procedure requires, mark as Non-Compliant. Where the organisation relies on labels to drive DLP (Data Loss Prevention) rules, also confirm that the label values found in the sample are the ones the DLP rules key on; a label that is present but not recognised by the tooling gives no protection.
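One way to turn the 10-document sample into a repeatable evidence record, as an added example that is not part of this guide or the Ultimate ISO 27001 Toolkit: Microsoft Purview / Azure Information Protection persists an applied sensitivity label inside Office Open XML files as custom document properties named `MSIP_Label_<labelGUID>_<field>` (for example `_Enabled`, `_Name`, `_Method`) in the `docProps/custom.xml` part. The script below opens each file as a zip package, reads those properties, and compares the label name against the classification recorded in the information asset inventory, producing OK, UNLABELLED or MISMATCH per file. The label GUID, label names, file names and inventory entries are constructed for the example; the sample documents are built in memory rather than taken from any real repository. It assumes the custom-property convention above and does not parse the newer `docMetadata/LabelInfo.xml` part that recent Office builds may also write, so treat an UNLABELLED result as a prompt to open the file, not as a final finding.

```python
"""Audit helper: read Microsoft Purview / AIP sensitivity label metadata from
Office Open XML files and compare it with the classification in the asset inventory.
Added example for an ISO 27001 Annex A 5.13 audit; not part of any vendor toolkit."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
CUSTOM_PART = "docProps/custom.xml"
# Purview / AIP persist label state as custom properties named MSIP_Label_<labelGUID>_<field>
MSIP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")


def read_custom_properties(office_bytes):
    """Return {name: value} from docProps/custom.xml, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
        if CUSTOM_PART not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read(CUSTOM_PART))
    props = {}
    for prop in root.findall(f"{{{NS_CP}}}property"):
        value_el = next(iter(prop), None)  # the single vt:* child carries the value
        props[prop.get("name")] = value_el.text if value_el is not None else None
    return props


def extract_msip_label(office_bytes):
    """Return {'guid', 'name', 'method'} for the enabled MIP label, or None if unlabelled."""
    by_guid = {}
    for name, value in read_custom_properties(office_bytes).items():
        m = MSIP_RE.match(name)
        if m:
            by_guid.setdefault(m.group(1), {})[m.group(2)] = value
    for guid, fields in by_guid.items():
        if (fields.get("Enabled") or "").lower() == "true":
            return {"guid": guid, "name": fields.get("Name"), "method": fields.get("Method")}
    return None


def audit_sample(samples, expected):
    """samples: {filename: bytes}; expected: {filename: classification from the inventory}.
    Returns one verdict dict per file: OK, UNLABELLED or MISMATCH."""
    results = []
    for fname, data in samples.items():
        label = extract_msip_label(data)
        if label is None:
            verdict = "UNLABELLED"
        elif label["name"] != expected.get(fname):
            verdict = "MISMATCH"
        else:
            verdict = "OK"
        results.append({"file": fname, "label": label["name"] if label else None,
                        "expected": expected.get(fname), "verdict": verdict})
    return results


# --- constructed sample documents (built in memory, not real files) ---
def _make_docx(custom_props):
    """Build a minimal OOXML package, with a docProps/custom.xml part when props are given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if custom_props is not None:
            parts = [f'<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">']
            for pid, (name, value) in enumerate(custom_props.items(), start=2):
                parts.append(f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" '
                             f'pid="{pid}" name="{name}"><vt:lpwstr>{value}</vt:lpwstr></property>')
            parts.append("</Properties>")
            zf.writestr(CUSTOM_PART, "".join(parts))
    return buf.getvalue()


LABEL_GUID = "11111111-2222-3333-4444-555555555555"  # hypothetical label id for the example
CONFIDENTIAL = {f"MSIP_Label_{LABEL_GUID}_Enabled": "true",
                f"MSIP_Label_{LABEL_GUID}_Name": "Confidential",
                f"MSIP_Label_{LABEL_GUID}_Method": "Standard"}

SAMPLE_FILES = {  # constructed sample: correctly labelled, unlabelled, and wrongly labelled
    "board-pack-q3.docx": _make_docx(CONFIDENTIAL),
    "payroll-export.xlsx": _make_docx(None),
    "press-release.docx": _make_docx({**CONFIDENTIAL, f"MSIP_Label_{LABEL_GUID}_Name": "Internal"}),
}
EXPECTED_FROM_INVENTORY = {"board-pack-q3.docx": "Confidential",   # constructed inventory entries
                           "payroll-export.xlsx": "Confidential",
                           "press-release.docx": "Public"}

if __name__ == "__main__":
    for r in audit_sample(SAMPLE_FILES, EXPECTED_FROM_INVENTORY):
        print(f"{r['file']:<22} label={str(r['label']):<14} expected={r['expected']:<13} {r['verdict']}")
```

Run against the real sample by replacing `SAMPLE_FILES` with the bytes of the documents pulled from SharePoint or Google Drive and `EXPECTED_FROM_INVENTORY` with the classifications from the asset register; the printed table is the evidence for both this step and the inventory-alignment check later in the guide. A MISMATCH is the finding to chase, since a document labelled Internal but recorded as Public (or the reverse) means either the inventory or the label is wrong, and the DLP rules will act on the label.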

