Home / ISO 27001 Glossary of Terms / Labelling of information

Labelling of information

13/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Information labelling is the process of marking or classifying data to show its sensitivity and importance. It helps people handle information correctly and protect it from being seen by the wrong people. Think of it like a library where books are organised by genre. Labelling helps you know what kind of information you are dealing with, so you can treat it with the right level of care.

Examples

  • Public: This is information anyone can see, like a company’s phone number or address. It doesn’t need special protection.
  • Internal: This information is for people inside the company only. A team memo or a company budget would be labelled as internal.
  • Confidential: This is private information that can cause harm if it gets out. Employee salaries or customer details would fall into this category.
  • Secret: This is the most sensitive information, often related to security. It’s for a very small group of people.

Context

Labelling is a key part of an organisation’s information security policy. It makes sure that everyone knows the rules for handling different types of data. This helps prevent accidents and makes it harder for malicious actors to get ahold of sensitive information. Clear labels on documents and data files are a simple but effective way to improve security.

Relevant ISO 27001 Controls

The following controls from the ISO/IEC 27001:2022 standard are related to labelling of information:

  • ISO 27001:2022 Annex A 5.13 Labelling Of Information: This control states that organisations must have a way to label their information based on its security classification. This helps ensure that sensitive information is handled with the correct level of care.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.