ISO 27001:2022 Annex A 5.13 Labelling of information

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.13 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.13 Labelling of Information

ISO 27001 Annex A 5.13 requires organizations to develop and implement procedures for the labelling of information in accordance with their established classification scheme. While Annex A 5.12 focuses on categorizing the data, this control is about the visual and technical markers that communicate that category to users and systems. The goal is to ensure that everyone handling the data knows its level of sensitivity at a glance, thereby preventing accidental disclosure and supporting the automation of security rules (like data loss prevention).

Core requirements for compliance include:

  • Alignment with Classification: Labels must directly match your classification levels (e.g., Public, Internal, Confidential). If you don’t have a classification scheme yet, you cannot satisfy this control.
  • Format-Agnostic Labelling: Procedures must cover data in all its forms: physical (paper, USBs), digital (Office docs, PDFs), and electronic communications (emails, Slack).
  • Introduction of Metadata: The 2022 update places a high emphasis on Metadata. Digital files should ideally be “tagged” with hidden security labels that automated systems (like DLP or email gateways) can read and act upon.
  • Exceptions Management: You must define when labelling is not required (e.g., for “Public” information) to reduce the administrative burden on staff.
  • Staff Training: Personnel must be trained on how to apply labels (e.g., using a specific header/footer in Word) and what to do when they receive a labelled document.

Audit Focus: Auditors will look for “The Visible Proof”:

  1. Spot Checks: They will pick a random internal report or email and ask: “Why is this not labelled? How does a recipient know this is confidential?”
  2. Metadata Verification: For more technical audits, they may ask to see the “Properties” or tags of a sensitive file to see if the classification is embedded in the metadata.
  3. Physical Media: They will check if removable media (like external hard drives or encrypted USBs) have a physical sticker or label indicating the data sensitivity.

Labelling Rules Matrix (Audit Prep):

| Classification | Physical Action | Digital Marker | Email Marker |
|---|---|---|---|
| Public | No Label Required | No Label Required | No Label Required |
| Internal | No Label (Default) | Header/Footer (Optional) | No Marker (Default) |
| Confidential | “Confidential” Sticker | Watermark or Header | Subject: [CONFIDENTIAL] |
| Strictly Confidential | Sealed Envelope + Sign | Metadata Tag + Encrypt | Mandatory Encryption |

What is ISO 27001 Annex A 5.13?

ISO 27001 Annex A 5.13 is about the labelling of information, which means you need to ensure that important information is clearly marked.

ISO 27001 Annex A 5.13 Labelling Of Information is an ISO 27001 control that requires an organisation to label information in line with the information classification scheme of the organisation.

The 2022 update to the standard introduced the use of metadata.

ISO 27001 Annex A 5.13 Purpose

The purpose of ISO 27001 Annex A 5.13 is to ensure you facilitate the communication of the classification of information and support automation of information processing and management.

ISO 27001 Annex A 5.13 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.13 as:

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

Watch the ISO 27001 Annex A 5.13 Tutorial

In the video ISO 27001 Labelling Of Information (inc metadata) Explained – ISO27001:2022 Annex A 5.13, I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.13 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.13 Labelling Of Information. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.13 Implementation Guidance

The prerequisite for this Annex A control is having an information classification scheme in place. We covered information classification in ISO 27001 Annex A 5.12 Classification of Information Beginner’s Guide.

Once you have your classification scheme in place you are going to then label information and assets accordingly.

You are going to have to

  • Implement procedures for information labelling
  • Cover information and other associated assets in all formats

It is good practice to consider where labelling is omitted, such as in the case of non-confidential information, so that we can reduce the workload on people.

The procedures that you write should give guidance on where and how labels are attached and on the different types of storage media. You will look at how to label information sent by or stored on physical and electronic media and, because the standard likes to catch everything, on what it helpfully calls ‘any other format’. Nothing like future proofing for the unknowns.

Of course there may be situations where labelling is not possible, and this is fine, as long as you have covered how to handle those cases. How you handle it may be to tag the information with metadata or to put in place some other compensating controls, such as keeping an exception list and managing it via risk management.

When you have your labelling processes and procedures you are going to train staff on how to use and follow them and be able to evidence that you did so.

Examples of labelling techniques

Examples of labelling techniques can include:

  • Headers and footers
  • Metadata
  • Physical Labels
  • Watermarks
  • Rubber Stamps – if you are proper old school

Metadata

Now the standard starts to stray into implementation territory with its guidance on metadata. Metadata has its place but we have to look at the appropriateness of the control to our risk and our organisation. Remember that the annex controls are guidance for consideration and you do not HAVE to implement them, only consider them, so if metadata is not appropriate for you that is fine, just note it down and manage it via your risk management process, accepting the risk.

Where it does apply and makes sense, then you are looking at metadata to identify, manage and control information, especially in relation to confidentiality. It can also make searching for information more efficient, but you can see here how the standard starts to tell you what to do rather than what is expected of you. Metadata searching, for example, is going to be reliant on specific technologies and implementations.

If you are using metadata then your procedures are going to describe how to attach metadata to information, what labels to use and how data should be handled. You are now moving into the realm of massive ball ache territory for your fellow colleagues so think carefully and act proportionately.

How to implement ISO 27001 Annex A 5.13

Implementing ISO 27001 Annex A 5.13 requires a transition from manual tagging to a systematic, metadata-driven labelling framework. By aligning visual markers with technical classification attributes, organisations ensure that every information asset conveys its sensitivity and handling requirements to both human users and automated security systems. This action-orientated guide provides the technical steps necessary to formalise your labelling procedures and achieve audit-ready compliance.

1. Formalise the Information Labelling Procedure

Establish a documented procedure that defines the specific visual and technical markers for each level of your classification scheme. This action results in a standardised framework that eliminates ambiguity in how data sensitivity is communicated across the organisation.

  • Define the required placement for visual labels, such as mandatory headers, footers, and watermarks for digital documents.
  • Document physical labelling requirements, including the use of tamper-evident stickers and colour-coded folders for highly sensitive physical assets.
  • Specify the handling instructions that must accompany each label, such as “Encryption Required” or “Internal Use Only”.

2. Provision Automated Metadata Labelling Tools

Deploy technical solutions to embed persistent classification metadata into digital files and emails. This result-focused step ensures that security labels remain attached to the information, regardless of where it is stored or how it is shared.

  • Configure sensitivity labels within your productivity suite (e.g. Microsoft Purview or Google Workspace) to apply X-headers to emails and metadata tags to documents.
  • Set up default labelling policies for specific departments or cloud storage repositories to ensure “baseline” protection for all new content.
  • Ensure that metadata labels are readable by Data Loss Prevention (DLP) systems to automate the enforcement of transfer restrictions.

3. Execute Content-Aware Auto-Labelling Rules

Implement automated scanning rules to identify and label sensitive information based on its content. This action results in high consistency and reduces the burden on staff to manually classify every piece of data they create.

  • Create regex patterns or use built-in classifiers to detect Personally Identifiable Information (PII), financial data, or intellectual property.
  • Configure “Recommend” or “Mandatory” labelling prompts that trigger when specific sensitive strings are detected in a document or email.
  • Deploy file-system scanners to retrospectively label legacy data sitting in on-premises servers or legacy databases.

4. Formalise Physical Media and Hardware Labelling

Apply physical markers to hardware and removable media to ensure secure handling in non-digital environments. This action extends the security perimeter to physical assets that store or process classified information.

  • Affix permanent labels to USB drives, external hard disks, and backup tapes that state the highest classification level they are authorised to store.
  • Label IT equipment, such as laptops and servers, to indicate their ownership and the sensitivity of the data they process.
  • Implement a secure disposal label for assets reaching end-of-life to ensure they are routed to certified data destruction facilities.

5. Execute Continuous Compliance Monitoring and Training

Establish a programme to monitor the efficacy of your labelling scheme and reinforce secure behaviours through targeted training. This results in a persistent security culture where staff understand the technical and legal implications of the labels they use.

  • Perform periodic spot checks of both digital repositories and physical workspaces to verify that information is correctly labelled.
  • Conduct user awareness sessions focusing on how to use automated labelling tools and how to interpret the labels of others.
  • Review DLP incident logs to identify common mislabelling trends and adjust your auto-labelling rules or training materials accordingly.
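Steps 2, 3 and 5 above (and the metadata section earlier) describe three mechanics that are easier to see working together than to read about: a label embedded as metadata so a gateway can act on it, content-aware auto-labelling with regex classifiers, and a DLP-style check that reads the label and enforces the handling rule. The script below is an added example, not code from the original guide or from any vendor’s product. It assumes a hypothetical `X-Classification` email header (real products use their own header names), constructed regex classifiers, constructed sample messages and a `[STRICTLY CONFIDENTIAL]` subject marker that this guide’s matrix does not specify; the `[CONFIDENTIAL]` marker and the mandatory-encryption rule for Strictly Confidential are taken from the labelling rules matrix above.

```python
import re
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Classification scheme, least to most sensitive (from the labelling rules matrix).
PUBLIC, INTERNAL, CONFIDENTIAL, STRICTLY = (
    "Public", "Internal", "Confidential", "Strictly Confidential")
RANK = {PUBLIC: 0, INTERNAL: 1, CONFIDENTIAL: 2, STRICTLY: 3}

# Email rules per level: a visible subject marker for people, encryption at the top.
# The [STRICTLY CONFIDENTIAL] marker is an assumption; the rest follows the matrix.
EMAIL_RULES: Dict[str, Dict[str, object]] = {
    PUBLIC:       {"marker": None, "encrypt": False},
    INTERNAL:     {"marker": None, "encrypt": False},
    CONFIDENTIAL: {"marker": "[CONFIDENTIAL]", "encrypt": False},
    STRICTLY:     {"marker": "[STRICTLY CONFIDENTIAL]", "encrypt": True},
}

# Hypothetical metadata header that the gateway/DLP is assumed to read.
LABEL_HEADER = "X-Classification"

# Content classifiers for auto-labelling: (name, pattern, level implied).
# Constructed illustrations, not a vendor's built-in classifiers.
CLASSIFIERS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("uk_national_insurance", re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"), STRICTLY),
    ("payment_card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), STRICTLY),
    ("salary_data", re.compile(r"\bsalary\b", re.IGNORECASE), CONFIDENTIAL),
    ("internal_marker", re.compile(r"\binternal use only\b", re.IGNORECASE), INTERNAL),
]

def classify(text: str) -> Tuple[str, List[str]]:
    """Step 3: the highest level any classifier implies, plus the classifier hits."""
    level, hits = PUBLIC, []
    for name, pattern, implied in CLASSIFIERS:
        if pattern.search(text):
            hits.append(name)
            if RANK[implied] > RANK[level]:
                level = implied
    return level, hits

def label_email(msg: EmailMessage, level: Optional[str] = None) -> EmailMessage:
    """Step 2: embed the label as metadata (for machines) and as a subject marker
    (for people). With no explicit level, the body is auto-classified."""
    if level is None:
        level, _ = classify(msg.get_content())
    if LABEL_HEADER in msg:
        del msg[LABEL_HEADER]
    msg[LABEL_HEADER] = level
    marker = EMAIL_RULES[level]["marker"]
    subject = str(msg["Subject"] or "")
    if marker and not subject.startswith(marker):
        del msg["Subject"]
        msg["Subject"] = f"{marker} {subject}".strip()
    return msg

def dlp_check(msg: EmailMessage, encrypted: bool) -> List[str]:
    """Gateway-side enforcement: read the embedded label, re-scan the content so a
    mislabelled message cannot slip through, and report every rule violation."""
    findings: List[str] = []
    raw = msg.get(LABEL_HEADER)
    declared = None if raw is None else str(raw)
    content_level, hits = classify(msg.get_content())
    if declared is None:
        findings.append("missing classification metadata")
        declared = PUBLIC
    elif declared not in RANK:
        findings.append(f"unknown classification label {declared!r}")
        declared = PUBLIC
    if RANK[content_level] > RANK[declared]:
        findings.append(f"under-labelled: content implies {content_level} ({', '.join(hits)})")
    effective = declared if RANK[declared] >= RANK[content_level] else content_level
    rule = EMAIL_RULES[effective]
    if rule["marker"] and not str(msg["Subject"] or "").startswith(rule["marker"]):
        findings.append(f"subject lacks marker {rule['marker']}")
    if rule["encrypt"] and not encrypted:
        findings.append("encryption required but message is not encrypted")
    return findings

def spot_check(documents: List[Tuple[str, Optional[str], str]]) -> List[str]:
    """Step 5: an auditor-style spot check over (name, declared label, text) records.
    Returns the names whose declared label is missing, unknown or too low."""
    return [name for name, declared, text in documents
            if declared is None or RANK[classify(text)[0]] > RANK.get(declared, -1)]

def build_message(subject: str, body: str) -> EmailMessage:
    """Constructed sample message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "payroll@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    body = "New starter AB123456C, salary 52000"  # constructed sample content
    print(dlp_check(build_message("Payroll", body), encrypted=False))
    labelled = label_email(build_message("Payroll", body))
    print(labelled["Subject"], "|", labelled[LABEL_HEADER], "|", dlp_check(labelled, encrypted=True))
```

The design point worth noting is that `dlp_check` never trusts the declared label alone: it re-runs the classifiers and uses the higher of the declared and content-implied levels, so a message that a user left as Internal but which contains a card number is still held for encryption. The `spot_check` function is the same logic applied to a repository of stored documents, which is the check an auditor performs by hand when they pick a random report and ask why it is not labelled.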

Labelling Rules Matrix

| Classification | Physical Document | Digital Document | Email | ISO 27001:2022 Control |
|---|---|---|---|---|
| Public | No Label Required | No Label Required | No Label Required | Annex A 5.12, 5.13 |
| Internal | No Label (Default) | No Label (Default) | No Label (Default) | Annex A 5.12, 5.13 |
| Confidential | RED STAMP on cover | Watermark “Confidential” | Subject Line: [SECURE] | Annex A 5.13, 8.11 |
| Strictly Confidential | Sealed Envelope + Signature | Encryption + Metadata Tag | Encrypted Only | Annex A 5.13, 8.24 |

ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

Information Classification and Handling Policy Template

ISO 27001 Information Classification and Handling Policy - ISO 27001 Annex A 5.13 Template

Information Classification Summary Templates

ISO 27001 Information Classification Summary - ISO 27001 Annex A 5.13 Template

ISO 27001 Documents and Records Policy Template

ISO 27001 Documents and Records Policy - ISO 27001 Annex A 5.13 Template

ISO 27001 Physical Asset Register Template

ISO 27001 Physical Asset Register - ISO 27001 Annex A 5.13 Template

ISO 27001 Data Asset Register Template

ISO 27001 Data Asset Register - ISO 27001 Annex A 5.13 Template

How to comply

To comply with ISO 27001 Annex A 5.13 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Implement your classification scheme
  • Implement your asset management and record all your assets in asset registers
  • Write, implement and train people on your labelling processes and procedures
  • Classify all of your assets and label them appropriately
  • Decide if metadata is appropriate to you, to what level and implement to that

How to pass the ISO 27001 Annex A 5.13 audit

To pass an audit of ISO 27001 Annex A 5.13 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let’s go through them.

1. That you have implemented metadata

Remember where I said above that the standard has a real hard on now for metadata; well, you can bet your bottom dollar that auditors are going to go metadata obsessed. They love a literal interpretation of the standards, as if it were handed down by God to Moses. If it is appropriate to you, do it, of course. But there is a cost in time, resources, money and technology that may just not be appropriate. And that is ok. Document what you are doing, cover it in risk management, have a record of your decision, and whatever level of implementation you do, show that you accepted the risk. The argument will come that you have included the control in your SOA, that it applies to you and therefore all of it applies to you. This is partly correct in that you have considered that the control applies to you, because labelling information that is confidential, marking information and being able to control information based on labelling makes sense, but you did not necessarily sign up carte blanche to an enterprise level metadata solution. Be prepared to fight your corner. It is a risk based system, so manage the risk; don’t just implement controls where they make no sense.

2. That you have processes, have followed them and have trained people

This is obvious, but they are going to check that you have documented what you say you do, that you follow it and that you have trained people.

3. Documentation

They are going to look at audit trails and all your documentation and check that it is classified and labelled. All the documents that you show them, as a minimum if they are confidential, should be labelled as such. Doing anything else would be a massive own goal.

Top 3 ISO 27001 Annex A 5.13 Mistakes People Make and How to Avoid Them

The top 3 mistakes people make for ISO 27001 Annex A 5.13 are:

1. Your information is not labelled

This is such an easy win for an auditor to check. You will put information in front of them. You will have forgotten to label something. This may be an HR org chart, a presentation, a PDF, a Visio diagram. Something, somewhere that you have that is confidential will not have been labelled and you will either show it to the auditor or they will ask you for it. Sod’s law. Check everything before you get audited. Then check it again.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have, understand how to label information and have been trained in it.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no stray comments left in them are all good practices.

Applicability of ISO 27001 Annex A 5.13 across different business models.

Small Businesses

Applicability & Interpretation: Visual Marking. Small teams don’t need expensive DLP software. Compliance is often achieved through “Negative Labelling”, only marking high-risk items. Public/Internal data is left unmarked to save time.

Examples of Control:

  • File Naming: Appending [CONFIDENTIAL] to sensitive payroll or strategy files so the status is visible even without opening the document.
  • Headers/Footers: Adding a simple “Strictly Confidential” footer to Word documents before exporting them to PDF for clients.

Tech Startups

Applicability & Interpretation: Automated Metadata. Auditors expect “Cloud-Native” labelling. Using features built into Google Workspace or Microsoft 365 to apply “Labels” that travel with the file, rather than relying on users typing manually.

Examples of Control:

  • Google Drive Labels: Configuring a “Badges” system where files tagged as “Sensitive” automatically trigger external sharing warnings.
  • Repo Tags: Marking GitHub repositories as Public vs Private explicitly in the README to prevent accidental forking of proprietary code.

AI Companies

Applicability & Interpretation: Dataset & Output Tagging. Critical for IP and Safety. You must label the source of data (to track copyright) and the output (to identify AI-generated content vs human content).

Examples of Control:

  • Data Lake Tags: Tagging S3 buckets with metadata keys like classification=pii-sensitive to block unauthorized read access.
  • Provenance Labelling: Watermarking AI-generated images or adding metadata to JSON outputs indicating “Model: GPT-4” to track content origin.

Fast Track ISO 27001 Annex A 5.13 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.13 (Labelling of information), the requirement is to develop and implement procedures for labelling information in accordance with your classification scheme. This ensures everyone knows exactly how to handle a document, whether it’s an email, a physical file, or a digital record.

Policy Ownership

  • SaaS Compliance Platforms: Rents access to your labeling rules; if you cancel the subscription, your documented metadata standards and history vanish.
  • High Table ISO 27001 Toolkit: Permanent Assets. Fully editable Word/Excel Classification and Handling Policies you own forever.
  • Audit Evidence Example: A localized “Information Labeling Procedure” defining specific watermark requirements for board-level documents.

Operational Utility

  • SaaS Compliance Platforms: Attempts to “automate” tagging via dashboards that cannot apply physical rubber stamps or visual watermarks to legacy files.
  • High Table ISO 27001 Toolkit: Governance-First. Formalizes visual, digital, and physical labeling into an auditor-ready framework.
  • Audit Evidence Example: A “Labelling Rules Matrix” mapping classification levels (e.g., Restricted) to specific visual markers (e.g., Red Footer).

Cost Efficiency

  • SaaS Compliance Platforms: Charges a “Metadata Tax” based on the number of tagged assets or data volume, creating perpetual overhead as you scale.
  • High Table ISO 27001 Toolkit: One-Off Fee. A single payment covers your labeling governance for 100 files or 1,000,000.
  • Audit Evidence Example: Allocating budget to secure document disposal services rather than monthly “compliance seat” fees for simple tagging.

Strategic Freedom

  • SaaS Compliance Platforms: Mandates rigid automated tagging rules that often fail to align with specialized file formats or lean manual workflows.
  • High Table ISO 27001 Toolkit: 100% Agnostic. Procedures adapt to any environment: automated DLP tags, visual headers, or physical labels.
  • Audit Evidence Example: The ability to evolve your data marking strategy (e.g., moving to sensitivity labels in Microsoft 365) without a rigid SaaS middleman.

Summary: For Annex A 5.13, the auditor wants to see that you have a formal process for labelling information and proof that you follow it (e.g., classified documents and trained staff). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.13 FAQ

What is ISO 27001 Annex A 5.13?

ISO 27001 Annex A 5.13 is an organisational control that requires an appropriate set of procedures for information labelling to be developed and implemented in accordance with the organisation’s information classification scheme.

  • Communicates the classification level of information to handlers.
  • Ensures appropriate protection and handling based on sensitivity.
  • Covers both digital and physical information assets.
  • Requires labelling to remain consistent across the entire information lifecycle.

Is information labelling mandatory for ISO 27001?

Yes, if your risk assessment identifies that information assets require classification to ensure secure handling, then labelling becomes a mandatory requirement under Annex A 5.13.

  • Essential for maintaining the Confidentiality, Integrity, and Availability of data.
  • Required to satisfy Clause 8.2 (Information Classification) in the 2013 standard and 5.12 in the 2022 standard.
  • A primary requirement for organisations handling PII, intellectual property, or government data.

What is the difference between Annex A 5.12 and 5.13?

The primary difference is that Annex A 5.12 (Classification) defines the hierarchy and levels of sensitivity, whereas Annex A 5.13 (Labelling) defines the visual or metadata markers used to communicate those levels.

  • Annex A 5.12: The “What” – Categorising data (e.g., Public, Internal, Secret).
  • Annex A 5.13: The “How” – The actual stickers, headers, footers, or tags applied to that data.
  • They are dependent controls; you cannot label information without a classification scheme in place.

How should digital information be labelled?

Digital information should be labelled using a combination of visual markers and embedded metadata to ensure the classification persists regardless of how the file is shared.

  • Visual cues: Headers, footers, and watermarks within documents or emails.
  • Metadata: File properties or “X-headers” in emails that allow automated systems to enforce security.
  • Naming conventions: Including the classification level in the file or folder name.
  • Automation tools: Using software like Microsoft Purview or Google Workspace Labels.

Does Annex A 5.13 apply to physical assets?

Yes, physical information such as printed documents, removable media, and storage devices must be labelled to ensure they are handled correctly in non-digital environments.

  • Physical stickers or stamps on folders and envelopes.
  • Labels on USB drives, external hard drives, and backup tapes.
  • Markings on hardware that stores sensitive information.
  • Secure disposal instructions printed on highly classified physical assets.

Can information labelling be automated?

Yes, automated labelling is highly recommended for large organisations as it reduces the risk of human error and ensures high levels of consistency.

  • Data Loss Prevention (DLP) tools can scan content for keywords and apply labels.
  • Email gateways can automatically tag outbound messages based on recipient domains.
  • Cloud storage platforms can apply default labels to specific folders or departments.
  • Automation ensures that “Confidential” content is never left unlabelled.

What evidence do auditors look for regarding Annex A 5.13?

Auditors expect to see a documented Labelling Procedure and verifiable evidence that the policy is being followed in day-to-day operations.

  • The Information Labelling Policy/Procedure document.
  • Samples of labelled emails, spreadsheets, and physical documents.
  • Screenshots of automated labelling configurations in IAM or DLP tools.
  • Evidence of staff training and awareness regarding the labelling scheme.

Further Reading

  • ISO 27001 Annex A 5.14 Information Transfer
  • ISO 27001 Annex A 7.14 Secure Disposal Or Re-Use Of Equipment
  • ISO 27001 Information Classification and Handling Policy Beginner’s Guide

ISO 27001 controls and attribute values

  • Control type: Preventive
  • Information security properties: Confidentiality, Integrity, Availability
  • Cybersecurity concepts: Protect
  • Operational capabilities: Information_protection
  • Security domains: Defence, Protection

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
