Labelling of information

1. Formalise the Information Labelling Policy

Develop a clear policy that defines the procedures for labelling information in accordance with the classification scheme defined in ISO 27001 Control 5.12. This ensures a consistent approach is adopted across all business departments.

• Align labelling categories with risk assessment outcomes.
• Document legal and regulatory requirements for specific data marks.

2. Update the Organisational Asset Register

Map every asset in your Asset Register to its corresponding classification and required label. You cannot effectively label information if you have not identified the underlying assets that store or process it.

• Assign ownership to each information asset.
• Categorise assets by format, such as digital, physical, or removable media.

3. Define Visual Labelling Standards

Create standardised visual templates for physical and digital documents to ensure labels are prominent and legible. Clear marking reduces the risk of accidental data disclosure during handling or transmission.

• Specify header and footer placements for classification tags.
• Standardise watermark usage for “Confidential” or “Restricted” files.

4. Configure Automated Metadata Tagging

Provision technical tools to embed classification labels directly into file metadata. This enables automated systems to recognise and protect data without relying solely on manual user intervention.

• Inject non-visual tags for machine-readability.
• Ensure metadata persists across file conversions and copies.

5. Implement Data Loss Prevention (DLP) Rules

Integrate your labelling scheme with DLP technical controls to prevent unauthorised data egress. Rules should trigger specific actions, such as blocking or encrypting, based on the identified label.

• Block “Secret” labelled content from being attached to external emails.
• Mandate MFA for accessing “Confidential” labelled cloud repositories.

6. Secure Removable Media and Physical Assets

Apply durable physical labels to hardware and removable media containing sensitive information. Visible labels serve as a deterrent and provide clear instructions for secure storage and transport.

• Label encrypted USB drives with classification markings.
• Use tamper-evident labels for high-sensitivity hardware assets.

7. Establish Labelling Exception Criteria

Document specific instances where labelling is technically unfeasible or counter-productive to security. Identifying these gaps allows for the implementation of alternative compensatory controls.

• Identify legacy systems that do not support metadata tagging.
• Log exceptions in the formal Record of Evidence (ROE) for audit review.

8. Launch Staff Labelling Awareness Training

Educate employees on the importance of labelling and the specific procedures for applying marks. Human error remains the primary cause of mislabelling, so regular training is a mandatory compliance step.

• Provide clear examples of how to label emails and physical mail.
• Verify training completion via a central learning management system.

9. Audit Labelling Compliance via Sample Testing

Conduct regular spot checks on information assets to verify that 100% of sampled data matches the classification policy. Periodic auditing ensures the labelling process remains effective over time.

• Review physical document storage areas for unlabelled sensitive data.
• Audit digital repositories for correctly applied metadata tags.

10. Review and Refine the Labelling Scheme

Evaluate the effectiveness of the labelling process during your quarterly management review. Adjust the scheme based on internal audit findings or changes to the organisational risk profile.

• Update labelling standards to reflect new regulatory requirements.
• Integrate feedback from staff regarding labelling tool usability.