ISO 27001 Information Labelling | Annex A 5.13 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.13 Labelling of Information is a security control that mandates the application of physical markers and digital metadata tags. The core business benefit is ensuring consistent data protection and enabling automated security enforcement across all information assets.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.13 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.13 Labelling of Information

ISO 27001 Annex A 5.13 requires organizations to develop and implement procedures for the labelling of information in accordance with their established classification scheme. While Annex A 5.12 focuses on categorizing the data, this control is about the visual and technical markers that communicate that category to users and systems. The goal is to ensure that everyone handling the data knows its level of sensitivity at a glance, thereby preventing accidental disclosure and supporting the automation of security rules (like data loss prevention).

Core requirements for compliance include:

  • Alignment with Classification: Labels must directly match your classification levels (e.g., Public, Internal, Confidential). If you don’t have a classification scheme yet, you cannot satisfy this control.
  • Format-Agnostic Labelling: Procedures must cover data in all its forms: physical (paper, USBs), digital (Office docs, PDFs), and electronic communications (emails, Slack).
  • Introduction of Metadata: The 2022 update places a high emphasis on Metadata. Digital files should ideally be “tagged” with hidden security labels that automated systems (like DLP or email gateways) can read and act upon.
  • Exceptions Management: You must define when labelling is not required (e.g., for “Public” information) to reduce the administrative burden on staff.
  • Staff Training: Personnel must be trained on how to apply labels (e.g., using a specific header/footer in Word) and what to do when they receive a labelled document.

Audit Focus: Auditors will look for “The Visible Proof”:

  1. Spot Checks: They will pick a random internal report or email and ask: “Why is this not labelled? How does a recipient know this is confidential?”
  2. Metadata Verification: For more technical audits, they may ask to see the “Properties” or tags of a sensitive file to see if the classification is embedded in the metadata.
  3. Physical Media: They will check if removable media (like external hard drives or encrypted USBs) have a physical sticker or label indicating the data sensitivity.

Labelling Rules Matrix (Audit Prep):

Classification | Physical Action | Digital Marker | Email Marker
--- | --- | --- | ---
Public | No Label Required. | No Label Required. | No Label Required.
Internal | No Label (Default). | Header/Footer (Optional). | No Marker (Default).
Confidential | “Confidential” Sticker. | Watermark or Header. | Subject: [CONFIDENTIAL].
Strictly Confidential | Sealed Envelope + Sign. | Metadata Tag + Encrypt. | Mandatory Encryption.

What is ISO 27001 Annex A 5.13?

ISO 27001 Annex A 5.13 is about the labelling of information, which means you need to ensure that sensitive information is clearly marked with its classification.

ISO 27001 Annex A 5.13 Labelling Of Information is an ISO 27001 control that requires an organisation to label information in line with the information classification scheme of the organisation.

The 2022 update to the standard introduced metadata as a labelling technique.

ISO 27001 Annex A 5.13 Purpose

The purpose of ISO 27001 Annex A 5.13 is to facilitate the communication of the classification of information and to support the automation of information processing and management.

ISO 27001 Annex A 5.13 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.13 as:

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

ISO 27001:2022 Annex A 5.13 Labelling Of Information

Watch the ISO 27001 Annex A 5.13 Tutorial

In the video ISO 27001 Labelling Of Information (inc metadata) Explained – ISO27001:2022 Annex A 5.13, I show you how to implement the control and how to pass the audit.

ISO 27001 Annex A 5.13 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.13 Labelling Of Information. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.13 Implementation Guidance

The prerequisite for this Annex A control is having an information classification scheme in place. We covered information classification in ISO 27001 Annex A 5.12 Classification of Information Beginner’s Guide.

Once you have your classification scheme in place you are going to then label information and assets accordingly.

You are going to have to

  • Implement procedures for information labelling
  • Cover information and other associated assets in all formats

It is good practice to define where labelling is omitted, such as for non-confidential information, so that you reduce the workload on people.

The procedures that you write should give guidance on where and how labels are attached and on the different types of storage media. You will look at how to label information sent by or stored on physical and electronic media and, because the standard likes to catch everything, in what it helpfully calls ‘any other format’. Nothing like future-proofing for the unknowns.

Of course there may be situations where labelling is not possible, and this is fine as long as you have covered how to handle those cases. You might tag the item with metadata instead, or put in place compensating controls such as an exception list managed via your risk management process.

When you have your labelling processes and procedures you are going to train staff on how to use and follow them and be able to evidence that you did so.

Examples of labelling techniques

Examples of labelling techniques can include:

  • Headers and footers
  • Metadata
  • Physical Labels
  • Watermarks
  • Rubber Stamps – if you are proper old school

Metadata

Now the standard strays into implementation territory with its guidance on metadata. Metadata has its place, but we have to look at the appropriateness of the control to our risk and our organisation. Remember that the Annex A controls are a reference set to be considered, not a mandatory checklist: you must consider each one and justify any exclusion in your Statement of Applicability, but you do not have to implement every part of every control. So if metadata is not appropriate for you, that is fine; record the decision and manage it via your risk management process, accepting the risk.

Where it does apply and makes sense, you are looking at metadata to identify, manage and control information, especially in relation to confidentiality. It also helps if it makes searching for information more efficient, but you can see here how the standard starts to tell you what to do rather than what is expected of you. Metadata searching, for example, is going to be reliant on specific technologies and implementations.

If you are using metadata, your procedures are going to describe how to attach metadata to information, what labels to use and how the data should be handled. You are now moving into real pain-in-the-neck territory for your colleagues, so think carefully and act proportionately.

How to implement ISO 27001 Annex A 5.13

Implementing ISO 27001 Annex A 5.13 requires a transition from simple data categorisation to a technical enforcement layer where every piece of information is visibly or digitally marked. As a Lead Auditor, I look for “The Marking Gap,” which is the space between your classification policy and the actual appearance of labels on your assets. This guide provides the action-result steps necessary to ensure your labelling scheme is audit-ready and technically robust.

1. Formalise the Information Labelling Policy

  • Develop a formalised policy that defines how every classification tier (Public, Internal, Confidential, Secret) is visually and technically represented.
  • Assign specific responsibilities to Information Asset Owners to ensure they are accountable for the labelling of data under their jurisdiction.
  • Ensure the policy explicitly covers all formats, including digital files, physical printouts, and portable storage media.

2. Define Visual Labelling Standards

  • Define standardised headers, footers, and watermarks for digital documents to ensure classification levels are immediately apparent to users.
  • Create visual templates for emails and slide decks that force the inclusion of a classification marker before distribution.
  • Establish clear colour-coding or iconography for physical files and media to simplify identification in a physical office environment.

3. Configure Technical Metadata Tags

  • Configure metadata properties within your productivity suites (such as Microsoft 365 or Google Workspace) to embed classification tags directly into file properties.
  • Ensure that metadata tags are persistent, meaning the label remains attached even when the file is renamed or moved to different storage tiers.
  • Enable technical tagging for databases and structured data to allow automated systems to identify sensitive records.

4. Provision Data Loss Prevention (DLP) Software

  • Provision a Data Loss Prevention (DLP) solution that scans for technical metadata tags to prevent unauthorised sharing of sensitive information.
  • Set up automated alerts and blocking rules that trigger when a user attempts to upload a “Confidential” or “Secret” labelled file to a public cloud or external drive.
  • Result: Technical enforcement of labels significantly reduces the risk of accidental data exfiltration.

5. Apply Physical Labels to Hardware and Media

  • Apply tamper-evident classification labels to physical hardware, including laptops, servers, and removable backup drives.
  • Ensure that “Secret” or high-risk media is stored in labelled, secure containers within restricted zones to meet physical security requirements.
  • Include classification markings on backup tapes and archived hard copies to ensure consistent protection during long-term storage.

6. Synchronise Labels with the Data Asset Register

  • Synchronise every labelled asset with your centralised Data Asset Register (A.5.9) to ensure the classification level matches the inventory record.
  • Update the register dynamically whenever an asset is re-labelled or its classification status is modified.
  • Result: Auditors can verify the integrity of your classification scheme by cross-referencing physical labels with digital records.

7. Enshrine Handling Rules in ROE Documents

  • Enshrine specific handling requirements in your Rules of Engagement (ROE) documents for every label type, such as “Confidential data must be encrypted in transit.”
  • Link labelling directly to access control by requiring Multi-Factor Authentication (MFA) for any system housing data labelled “Internal” or higher.
  • Define specific disposal methods for each label, such as cryptographic wiping for digital media or cross-cut shredding for labelled paper.

8. Execute Role-Based Labelling Training

  • Execute mandatory training sessions that teach employees how to apply labels using your chosen technical tools and visual standards.
  • Provide specific guidance for high-risk roles, such as HR or Finance, where the volume of “Confidential” labelled data is highest.
  • Verify employee understanding through simulated data handling tests to ensure labels are applied correctly in practice.

9. Audit the Compliance Marking Gap

  • Audit your digital and physical repositories periodically to identify assets that are classified but unlabelled.
  • Use automated discovery tools to scan for “Confidential” strings in files that lack the corresponding metadata tags.
  • Result: Systematic auditing identifies control failures before they result in a non-conformity during a certification audit.
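The scan described in this step is easy to automate for Word files, because a .docx is a zip package whose custom document properties live in docProps/custom.xml and whose visible text lives in word/document.xml, word/header*.xml and word/footer*.xml. The following is an added example written for this guide, not code from the page or from High Table. It reports the marking gap for each file: a visible “CONFIDENTIAL” with no machine-readable tag, a tag with no visible marker, a mismatch between the two, or nothing at all. The custom property name Classification is an assumption; Microsoft Purview, for instance, stores sensitivity labels under custom properties named MSIP_Label_<GUID>_Name and friends, so set LABEL_PROPERTY to whatever your tooling writes. The sample documents are constructed in memory and are minimal packages, not complete Word files.

```python
"""Marking-gap scan for .docx files: compare embedded classification metadata with visible markers.

Added example for this guide (not the page's or High Table's code). Assumptions:
the label is stored in a custom document property named "Classification", and the
organisation's tiers are Public, Internal, Confidential and Strictly Confidential.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces: custom properties, their variant-type values, and WordprocessingML text.
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

LABEL_PROPERTY = "Classification"  # assumption: custom property that carries the label
# Longest alternative first so "Strictly Confidential" is not reported as plain "Confidential".
VISIBLE_MARKER = re.compile(r"\b(STRICTLY CONFIDENTIAL|CONFIDENTIAL|INTERNAL|PUBLIC)\b", re.I)
NO_MARKER_REQUIRED = {"PUBLIC", "INTERNAL"}  # per the labelling rules matrix above


def read_label_property(docx_bytes):
    """Return the classification stored in docProps/custom.xml (upper-cased), or None."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        if prop.get("name") == LABEL_PROPERTY:
            value = prop.find(f"{{{NS_VT}}}lpwstr")
            return value.text.strip().upper() if value is not None and value.text else None
    return None


def read_visible_marker(docx_bytes):
    """Return the first classification word seen in body, header or footer text, or None."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = [n for n in z.namelist()
                 if n == "word/document.xml" or n.startswith(("word/header", "word/footer"))]
        text = " ".join(t.text or "" for part in parts
                        for t in ET.fromstring(z.read(part)).iter(f"{{{NS_W}}}t"))
    match = VISIBLE_MARKER.search(text)
    return match.group(1).upper() if match else None


def audit(docx_bytes):
    """Classify the marking gap for one document."""
    meta = read_label_property(docx_bytes)
    visible = read_visible_marker(docx_bytes)
    if meta is None and visible is None:
        return "NO_LABEL_FOUND"          # acceptable only if genuinely Public/Internal; owner must confirm
    if meta is None:
        return "MISSING_METADATA"        # a human can see it, a DLP engine cannot: the marking gap
    if visible is None:
        return "OK" if meta in NO_MARKER_REQUIRED else "MISSING_VISIBLE_MARKER"
    return "OK" if meta == visible else "MISMATCH"


def build_docx(body_text, footer_text=None, label=None):
    """Construct a minimal .docx-like package for testing (constructed sample, not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{NS_W}"><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>')
        if footer_text is not None:
            z.writestr("word/footer1.xml",
                       f'<w:ftr xmlns:w="{NS_W}"><w:p><w:r><w:t>{footer_text}</w:t></w:r></w:p></w:ftr>')
        if label is not None:  # same layout Word uses for custom properties
            z.writestr("docProps/custom.xml",
                       f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">'
                       f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" name="{LABEL_PROPERTY}">'
                       f'<vt:lpwstr>{label}</vt:lpwstr></property></Properties>')
    return buf.getvalue()


SAMPLES = {  # constructed documents covering each finding
    "payroll.docx": build_docx("Q3 payroll summary", footer_text="CONFIDENTIAL", label="Confidential"),
    "board-pack.docx": build_docx("Board pack - CONFIDENTIAL - do not forward"),
    "menu.docx": build_docx("Canteen menu for next week"),
    "strategy.docx": build_docx("Five year strategy", label="Strictly Confidential"),
    "hr-chart.docx": build_docx("Org chart", footer_text="INTERNAL", label="Confidential"),
    "press.docx": build_docx("Press release draft", label="Public"),
}


def scan(samples=SAMPLES):
    """Run the audit over a set of documents and return {name: finding}."""
    return {name: audit(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, finding in scan().items():
        print(f"{name:18} {finding}")
```

Point scan() at real files by reading each .docx into bytes; anything other than OK is a line for your corrective action log, and MISMATCH in particular is worth chasing because a DLP rule will act on the metadata while the reader trusts the footer.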

10. Review and Revoke Outdated Labels

  • Review classification labels annually to determine if the sensitivity of the data has decreased over time.
  • Revoke or downgrade labels for project data that has entered the public domain or lost its strategic value.
  • Result: Proper lifecycle management prevents “Classification Creep” and reduces the administrative burden on your security team.

ISO 27001 Annex A 5.13 Implementation Checklist

ISO 27001 Annex A 5.13 Labelling of Information Implementation Checklist
Step | What to Implement | Implementation Examples & Guidance
--- | --- | ---
1 | Labelling Policy | Establish a formal policy defining how different classification levels (e.g., Secret, Internal) must be visually and digitally marked.
2 | Classification Alignment | Ensure every label directly maps to a level defined in your Information Classification Scheme.
3 | Physical Asset Labelling | Apply physical stickers or tags to hardware, removable media, and paper files containing sensitive information.
4 | Digital Metadata Tagging | Configure Office 365 or Google Workspace to embed classification metadata into document properties for automated handling.
5 | Visual Header/Footer Markers | Standardise the use of “OFFICIAL-SENSITIVE” or “CONFIDENTIAL” in the headers and footers of all digital documents.
6 | Email Subject Line Labelling | Implement mandatory subject line prefixes (e.g., [PROTECT]) for outbound emails containing PII or intellectual property.
7 | Removable Media Controls | Label USB drives and encrypted hard drives with owner details and the highest classification level they are authorised to hold.
8 | Automated Labelling Tools | Deploy Data Loss Prevention (DLP) software to automatically suggest or enforce labels based on content recognition.
9 | Employee Training | Conduct targeted workshops to ensure staff can distinguish between labels and understand the handling requirements for each.
10 | Compliance Monitoring | Perform regular spot checks and internal audits to verify that labels are being applied consistently across all departments.

How to audit ISO 27001 Annex A 5.13

As an ISO 27001 Lead Auditor, I have conducted hundreds of audits where the “Label Gap” is the most frequent cause of non-conformity. It is one thing to classify data in a register, but quite another to ensure that every document, email, and database entry carries a clear, actionable marker. This 10-step audit framework is designed to help you probe the effectiveness of your labelling controls, verifying that your technical metadata and visual markers align with your Information Classification Policy to guarantee a successful certification outcome.

1. Define the Audit Scope and Sampling Criteria

  • Identify the primary repositories of classified information, including cloud storage, local servers, and physical filing systems.
  • Select a representative sample of assets from the Data Asset Register across all classification tiers: Public, Internal, Confidential, and Secret.
  • Ensure the audit scope includes both structured data, such as databases, and unstructured data, such as ad hoc emails and chat logs.

2. Evaluate the Information Labelling Procedure

  • Review the formalised labelling procedure to ensure it provides specific instructions for different media types and formats.
  • Verify that the procedure defines responsibilities for labelling, specifically for the Information Asset Owner.
  • Check that the labelling rules are consistent with the requirements of relevant laws, such as the GDPR or the UK Data (Use and Access) Act 2025.

3. Inspect Visual Labelling on Digital Documents

  • Examine a sample of Confidential and Secret documents to verify the presence of clear visual markers, such as headers, footers, or watermarks.
  • Confirm that the visual labels match the classification level recorded in the Data Asset Register for that specific file.
  • Validate that templates for internal reports and presentations include pre-defined labelling fields to reduce human error.

4. Validate Technical Metadata and Automated Tagging

  • Probe the file properties of sensitive documents to verify that classification metadata is correctly embedded.
  • Check that automated labelling tools, such as those within Microsoft Purview or similar suites, are correctly applying tags based on content sensitivity.
  • Ensure that metadata persists when files are converted between formats, such as moving from a Word document to a PDF.

5. Audit Email Transmission and Marking

  • Inspect a sample of outgoing emails to verify that classification markers are included in the subject line or body when sensitive data is attached.
  • Confirm that Data Loss Prevention (DLP) rules are configured to trigger warnings or blocks when unlabelled sensitive information is sent externally.
  • Verify that encryption is automatically applied to emails carrying labels designated as Confidential or Secret.
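The checks in this step (and the DLP rules in implementation step 4) come down to a small decision table applied at the mail gateway. The following is an added example written for this guide, not code from the page or from High Table. It assumes the mail client add-in stamps the label into an X-Classification header (Purview uses its own MSIP headers), that internal recipients are at example.com, and the rules mirror the Labelling Rules Matrix: Confidential needs a [CONFIDENTIAL] subject prefix, Strictly Confidential must additionally leave as S/MIME or PGP/MIME, and an unlabelled message that still calls itself confidential in the subject is blocked when it leaves the organisation. The sample messages are constructed, not real traffic.

```python
"""Outbound e-mail labelling check for a mail gateway or DLP hook.

Added example for this guide (not the page's or High Table's code). Assumptions:
label is carried in an X-Classification header, internal domain is example.com,
rules follow the page's Labelling Rules Matrix.
"""
from email import message_from_string, policy
from email.utils import getaddresses

LABEL_HEADER = "X-Classification"   # assumption: stamped by the mail client add-in
INTERNAL_DOMAINS = {"example.com"}  # assumption
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}  # S/MIME, PGP/MIME

# label -> (mandatory subject prefix or None, must the message be encrypted?)
RULES = {
    "PUBLIC": (None, False),
    "INTERNAL": (None, False),
    "CONFIDENTIAL": ("[CONFIDENTIAL]", False),
    "STRICTLY CONFIDENTIAL": ("[CONFIDENTIAL]", True),
}


def external_recipients(msg):
    """Addresses in To/Cc whose domain is not one of ours."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(raw_message):
    """Return (action, findings); action is ALLOW, WARN or BLOCK."""
    msg = message_from_string(raw_message, policy=policy.default)
    label = (msg.get(LABEL_HEADER) or "").strip().upper()
    subject = (msg.get("Subject") or "").strip()
    external = external_recipients(msg)
    encrypted = msg.get_content_type() in ENCRYPTED_TYPES
    findings = []

    if label not in RULES:
        findings.append("no classification header")
        # Unlabelled mail that still says 'confidential' and leaves the organisation is the
        # classic DLP catch; unlabelled internal traffic is only flagged for follow-up.
        if external and "CONFIDENTIAL" in subject.upper():
            findings.append("unlabelled but marked confidential, external recipient")
            return "BLOCK", findings
        return ("WARN" if external else "ALLOW"), findings

    prefix, needs_encryption = RULES[label]
    action = "ALLOW"
    if prefix and not subject.upper().startswith(prefix):
        findings.append(f"subject line missing {prefix} prefix")
        action = "WARN"
    if needs_encryption and not encrypted:
        findings.append("label requires encryption but message is plaintext")
        action = "BLOCK"
    return action, findings


SAMPLES = {  # constructed messages, not real traffic
    "ok_encrypted": (
        "From: cfo@example.com\nTo: auditor@partner.example.org\n"
        "Subject: [CONFIDENTIAL] Board pack Q3\nX-Classification: Strictly Confidential\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n"
        "Content-Transfer-Encoding: base64\n\nMIIBAAA=\n"),
    "missing_prefix": (
        "From: hr@example.com\nTo: payroll@bureau.example.net\n"
        "Subject: Salary review\nX-Classification: Confidential\n\nSee attached.\n"),
    "plaintext_strictly": (
        "From: ceo@example.com\nTo: board@example.com\n"
        "Subject: [CONFIDENTIAL] Acquisition\nX-Classification: Strictly Confidential\n\nTerms inside.\n"),
    "unlabelled_internal": (
        "From: a@example.com\nTo: b@example.com\nSubject: Lunch?\n\nPizza?\n"),
    "unlabelled_leak": (
        "From: a@example.com\nTo: c@competitor.example\nSubject: Re: CONFIDENTIAL pricing\n\nAs discussed.\n"),
}


def run_all(samples=SAMPLES):
    """Evaluate every sample and return {name: (action, findings)}."""
    return {name: evaluate(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (action, findings) in run_all().items():
        print(f"{name:20} {action:5} {'; '.join(findings)}")
```

The evaluator only looks at headers and the top-level content type, so it runs cheaply on every outbound message; attach a content scanner for the "unlabelled but sensitive" case if your risk assessment says the subject line is not enough of a tell.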

6. Examine Physical Media and Hard Copy Controls

  • Audit physical media, such as USB drives and backup tapes, to ensure they carry a permanent, visible classification label.
  • Inspect printed reports containing sensitive data to verify that the classification is visible on every page, not just the cover.
  • Verify that secure disposal bins are labelled and used correctly for the destruction of classified hard copies.
  • Check that the Rules of Engagement (ROE) for physical handling are understood by staff working in high-security zones.

7. Probe Information Owner Accountability

  • Interview selected Asset Owners to verify they have reviewed and authorised the labels applied to the assets under their control.
  • Check that the Asset Owner has approved any deviations from standard labelling rules for specific technical or operational reasons.
  • Review the Data Asset Register to ensure that labelling status is a documented field for every critical asset.

8. Test Staff Competency and Awareness

  • Conduct random interviews with employees to test their understanding of the organisation’s labelling symbols and terminology.
  • Ask employees to demonstrate how they would apply a label to a newly created Confidential asset.
  • Review training logs to confirm that all staff have completed recent modules on Information Labelling and Annex A 5.13 requirements.

9. Verify Integration with Access Control Mechanisms

  • Confirm that Identity and Access Management (IAM) roles are restricted based on the labels applied to data repositories.
  • Verify that Multi-Factor Authentication (MFA) is required to access any system or folder containing data labelled as Confidential or Secret.
  • Check that system logs record attempts to access or modify labelling metadata by unauthorised users.

10. Document Findings and Remediation Actions

  • Formalise the audit results into a clear report, identifying any instances of the “Label Gap” where assets are unlabelled or mislabelled.
  • Categorise non-conformities by risk level to prioritise the remediation of the most sensitive data exposures.
  • Schedule a follow-up audit to verify that corrective actions, such as updated DLP rules or staff re-training, have been successfully implemented.

ISO 27001 Annex A 5.13 Audit Checklist

ISO 27001 Annex A 5.13 Labelling of Information Audit Checklist
Step | What to Audit | Audit Evidence & Examples | GRC Platform Check
--- | --- | --- | ---
1 | Labelling Policy Governance | Evidence of a formalised policy defining labelling standards for digital and physical assets. | Verify document version control and owner approval in the GRC library.
2 | Classification Alignment | Check that labels used (e.g., Confidential) map exactly to the Annex A 5.12 classification scheme. | Cross-reference labelling rules against the Classification Policy in the GRC.
3 | Visual Marker Check | Sample check of PDF and Word documents for visual headers, footers, or watermarks. | Upload sample evidence to the ‘Control Effectiveness’ module.
4 | Digital Metadata Tagging | Inspect file properties in Microsoft 365 or Google Workspace for embedded classification tags. | Confirm automated DLP metadata integration via GRC technical API logs.
5 | Physical Media Labelling | Visual inspection of removable media (USBs, hard drives) and physical filing cabinets. | Review ‘Physical Asset Audit’ logs within the GRC Asset Register.
6 | Email Communication | Review sent items for subject line labelling (e.g., [OFFICIAL-SENSITIVE]) for high-risk data. | Check automated email gateway policy reports attached to the control.
7 | Output Handling | Verify that printed reports containing sensitive data are automatically labelled by the system. | Review system configuration screenshots stored in the GRC evidence locker.
8 | Training Awareness | Interview staff to ensure they understand how to apply and interpret information labels. | Review employee training completion rates in the GRC compliance dashboard.
9 | Third-Party Compliance | Audit whether information shared with partners maintains the required labelling standards. | Verify vendor handling instructions in the GRC Third-Party Risk module.
10 | Non-Compliance Review | Check for instances of unlabelled assets and the subsequent corrective actions taken. | Inspect the ‘Non-Conformance’ log for labelling-related security incidents.

Labelling Rules Matrix

Classification | Physical Document | Digital Document | Email | ISO 27001:2022 Control
--- | --- | --- | --- | ---
Public | No Label Required. | No Label Required. | No Label Required. | Annex A 5.12, 5.13
Internal | No Label (Default). | No Label (Default). | No Label (Default). | Annex A 5.12, 5.13
Confidential | RED STAMP on cover. | Watermark “Confidential”. | Subject Line: [CONFIDENTIAL]. | Annex A 5.13, 8.11
Strictly Confidential | Sealed Envelope + Signature. | Encryption + Metadata Tag. | Encrypted Only. | Annex A 5.13, 8.24

ISO 27001 Templates

Having ISO 27001 templates can help fast track your ISO 27001 implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 certification.

Information Classification and Handling Policy Template

ISO 27001 Information Classification and Handling Policy - ISO 27001 Annex A 5.13 Template

Information Classification Summary Templates

ISO 27001 Information Classification Summary - ISO 27001 Annex A 5.13 Template

ISO 27001 Documents and Records Policy Template

ISO 27001 Documents and Records Policy - ISO 27001 Annex A 5.13 Template

ISO 27001 Physical Asset Register Template

ISO 27001 Physical Asset Register - ISO 27001 Annex A 5.13 Template

ISO 27001 Data Asset Register Template

ISO 27001 Data Asset Register - ISO 27001 Annex A 5.13 Template

How to comply

To comply with ISO 27001 Annex A 5.13 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to:

  • Implement your classification scheme
  • Implement your asset management and record all your assets in asset registers
  • Write, implement and train people on your labelling processes and procedures
  • Classify all of your assets and label them appropriately
  • Decide if metadata is appropriate to you, to what level and implement to that

How to pass the ISO 27001 Annex A 5.13 audit

To pass an audit of ISO 27001 Annex A 5.13 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let’s go through them.

1. That you have implemented metadata

Remember where I said above that the standard now has a real fixation on metadata? Well, you can bet your bottom dollar that auditors are going to go metadata obsessed. They love a literal interpretation of the standard, as if it were handed down by God to Moses. If it is appropriate to you, do it, of course. But there is a cost in time, resources, money and technology that may just not be appropriate, and that is OK. Document what you are doing, cover it in risk management, have a record of your decision, and whatever level of implementation you choose, show that you accepted the residual risk. The argument will come that you have included the control in your SoA, that it applies to you and therefore all of it applies to you. This is partly correct: you have determined that the control applies because labelling confidential information and being able to control information based on its label makes sense, but you did not sign up carte blanche to an enterprise-level metadata solution. Be prepared to fight your corner. It is a risk-based system, so manage the risk, and don’t implement controls where they make no sense.

2. That you have processes, have followed them and have trained people

This is obvious, but they are going to check that you have documented what you say you do, that you follow it and that you have trained people.

3. Documentation

They are going to look at audit trails and all your documentation and check that it is classified and labelled. All the documents that you show them should, as a minimum, be labelled as confidential if they are confidential. Doing anything else would be a massive own goal.

Top 3 ISO 27001 Annex A 5.13 Mistakes People Make and How to Avoid Them

The top 3 mistakes people make for ISO 27001 Annex A 5.13 are:

1. Your information is not labelled

This is such an easy win for an auditor to check. You will put information in front of them and you will have forgotten to label something. This may be an HR org chart, a presentation, a PDF or a Visio diagram. Something, somewhere that is confidential will not have been labelled, and you will either show it to the auditor or they will ask you for it. Sod’s law. Check everything before you get audited. Then check it again.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have, understand how to label information and have been trained in it.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months and having documents with no stray comments left in them are all good practices.

Applicability of ISO 27001 Annex A 5.13 across different business models.

Small Businesses
  Applicability & Interpretation: Visual Marking. Small teams don’t need expensive DLP software. Compliance is often achieved through “Negative Labelling”, that is, only marking high-risk items. Public/Internal data is left unmarked to save time.
  Examples of Control:
  • File Naming: Appending [CONFIDENTIAL] to sensitive payroll or strategy files so the status is visible even without opening the document.
  • Headers/Footers: Adding a simple “Strictly Confidential” footer to Word documents before exporting them to PDF for clients.

Tech Startups
  Applicability & Interpretation: Automated Metadata. Auditors expect “Cloud-Native” labelling. Using features built into Google Workspace or Microsoft 365 to apply “Labels” that travel with the file, rather than relying on users typing manually.
  Examples of Control:
  • Google Drive Labels: Configuring a “Badges” system where files tagged as “Sensitive” automatically trigger external sharing warnings.
  • Repo Tags: Marking GitHub repositories as Public vs Private explicitly in the README to prevent accidental forking of proprietary code.

AI Companies
  Applicability & Interpretation: Dataset & Output Tagging. Critical for IP and Safety. You must label the source of data (to track copyright) and the output (to identify AI-generated content vs human content).
  Examples of Control:
  • Data Lake Tags: Tagging S3 buckets with metadata keys like classification=pii-sensitive to block unauthorized read access.
  • Provenance Labelling: Watermarking AI-generated images or adding metadata to JSON outputs indicating “Model: GPT-4” to track content origin.


Fast Track ISO 27001 Annex A 5.13 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.13 (Labelling of information), the requirement is to develop and implement procedures for labelling information in accordance with your classification scheme. This ensures everyone knows exactly how to handle a document, whether it’s an email, a physical file, or a digital record.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
--- | --- | --- | ---
Policy Ownership | Rents access to your labelling rules; if you cancel the subscription, your documented metadata standards and history vanish. | Permanent Assets: Fully editable Word/Excel Classification and Handling Policies you own forever. | A localised “Information Labelling Procedure” defining specific watermark requirements for board-level documents.
Operational Utility | Attempts to “automate” tagging via dashboards that cannot apply physical rubber stamps or visual watermarks to legacy files. | Governance-First: Formalises visual, digital, and physical labelling into an auditor-ready framework. | A “Labelling Rules Matrix” mapping classification levels (e.g., Restricted) to specific visual markers (e.g., Red Footer).
Cost Efficiency | Charges a “Metadata Tax” based on the number of tagged assets or data volume, creating perpetual overhead as you scale. | One-Off Fee: A single payment covers your labelling governance for 100 files or 1,000,000. | Allocating budget to secure document disposal services rather than monthly “compliance seat” fees for simple tagging.
Strategic Freedom | Mandates rigid automated tagging rules that often fail to align with specialised file formats or lean manual workflows. | 100% Agnostic: Procedures adapt to any environment, whether automated DLP tags, visual headers, or physical labels. | The ability to evolve your data marking strategy (e.g., moving to sensitivity labels in Microsoft 365) without a rigid SaaS middleman.

Summary: For Annex A 5.13, the auditor wants to see that you have a formal process for labelling information and proof that you follow it (e.g., classified documents and trained staff). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

Standard / Regulation | Specific Reference | Auditor’s Perspective on Relationship
--- | --- | ---
NIST CSF 2.0 | PR.DS-10 (Data Management) | NIST CSF 2.0 explicitly requires data to be managed throughout its life cycle. Labelling is the primary mechanism to ensure that data-at-rest and data-in-transit are handled according to their sensitivity.
NIST SP 800-53 Rev 5 | MP-3 (Media Marking) | This is the direct US federal equivalent. It mandates that information system media (both digital and physical) are marked with the appropriate security attributes.
GDPR / UK Data (Use and Access) Act 2025 | Articles 5(1)(f) and 32 | The 2025 UK Act simplifies administration but maintains the ‘Integrity and Confidentiality’ principle. Labelling is your primary evidence that you can distinguish Personal Data (PII) from non-personal data and apply the correct security thresholds.
NIS2 Directive (EU) / UK Cyber Security & Resilience Bill | Article 21 (Risk Management) | As the UK Bill expands mandatory reporting to MSPs, labelling becomes critical for incident classification. You cannot report an incident accurately if you cannot identify the sensitivity of the impacted data.
DORA (Digital Operational Resilience Act) | Article 8 (ICT Asset Management) | DORA requires financial entities to identify and classify all ICT assets. Annex A 5.13 is the operational ‘arm’ that makes this classification visible to users and systems.
SOC 2 (Trust Services Criteria) | CC6.1 / CC6.3 (Logical Access) | While SOC 2 is less prescriptive than ISO, auditors look for ‘Data Classification and Labelling’ as part of the Confidentiality and Privacy criteria to ensure that sensitive data is protected from unauthorised access.
EU AI Act | Article 10 (Data Governance) | For high-risk AI systems, labelling is mandatory for training, validation, and testing datasets. It ensures the provenance and ‘cleanliness’ of data, preventing poisoned data from entering the model.
CIRCIA (USA) | Section 2242 (Incident Reporting) | CIRCIA requires 72-hour reporting for critical sectors. Labelling allows your SOC team to determine immediately whether the breached data belongs to a ‘Covered Entity’ or contains ‘Covered Information’ requiring a report.
EU Product Liability Directive (PLD) | Article 6 (Defectiveness) | Under the update, a lack of metadata or labelling indicating security status could be seen as a ‘defect’ in software products. Labelling acts as a defence, proving the product provided the ‘expected’ security warnings.
ECCF (European Cybersecurity Certification Framework) | Harmonised Security Labels | The ECCF aims for EU-wide labels for ICT products. Annex A 5.13 aligns your internal data labelling with the external, consumer-facing security labels mandated by this framework.
HIPAA (USA) | 45 CFR § 164.310(d)(1) | Specifically for health data, Media Controls require you to track the movement of PHI. Labelling media is the only way to ensure that any staff member can identify PHI at a glance.
California Privacy (CCPA/CPRA) | Data Minimization / Purpose | California law requires businesses to handle PI with care. Labelling allows for automated data deletion and access requests, as you can filter by the specific ‘Personal Information’ tag.
ISO/IEC 42001 (AI Management) | Annex A 6.2.2 (Data for AI) | This is the new gold standard for AI. It specifically references the need for data quality and labelling to ensure that AI models are built on transparent and classified information sets.

ISO 27001:2013 vs 2022: What Changed for Labelling?

In the 2013 iteration of the standard, this control was known as Control 8.2.2. Back then, the focus was heavily placed on physical markings: watermarks, rubber stamps, and headers on printed documents. In the 2022 update, it transitioned to Annex A 5.13, and the expectations shifted dramatically.

The 2022 standard introduces a heavy emphasis on metadata. Auditors no longer just want to see a “Confidential” header on a PDF. They want to see that the digital properties of that file contain a hidden classification tag that your automated security tools (like Data Loss Prevention software) can read and act upon. The focus has moved from human-readable labels to machine-readable labels.

How to Measure Labelling Success (KPIs)

During your Management Review meetings, you need to prove to your leadership team that your labelling procedures actually work. As an auditor, I want to see that you are tracking metrics. Here are the Key Performance Indicators (KPIs) you should monitor for Annex A 5.13:

  • Automated Tagging Rate: The percentage of new documents generated in your cloud environment that have an automated metadata label applied (Target: 100% for sensitive folders).
  • DLP Block Events: The number of times your Data Loss Prevention software successfully blocked an email or transfer based on a “Confidential” metadata tag.
  • Audit Non-Conformities: The number of unlabelled physical or digital assets discovered during your internal spot-checks.
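The machine-readable label described in the 2022 section above, and the Automated Tagging Rate and Audit Non-Conformities KPIs, can both be exercised with a small script. The following is an added example, not code from the article or from any toolkit; it assumes that the label is stored as an OOXML custom document property named "Classification" (a choice made for this example) and uses the three-tier Public/Internal/Confidential scheme. The minimal .docx it builds is constructed in memory so the script runs offline.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Assumed conventions (not from the article): the label lives in an OOXML custom
# document property called "Classification" using the three-tier scheme.
LABEL_PROPERTY = "Classification"
LEVELS = ("Public", "Internal", "Confidential")
CUSTOM_PART = "docProps/custom.xml"
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fixed GUID for user-defined properties
CT_OVERRIDE = ('<Override PartName="/docProps/custom.xml" ContentType="application/'
               'vnd.openxmlformats-officedocument.custom-properties+xml"/>')
REL = ('<Relationship Id="rIdCustomProps" Type="http://schemas.openxmlformats.org/'
       'officeDocument/2006/relationships/custom-properties" Target="docProps/custom.xml"/>')
ET.register_namespace("", CUSTOM_NS)
ET.register_namespace("vt", VT_NS)


def read_label(docx_bytes):
    """Return the machine-readable label of a .docx, or None if it carries none."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if CUSTOM_PART not in z.namelist():
            return None
        root = ET.fromstring(z.read(CUSTOM_PART))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        if prop.get("name") == LABEL_PROPERTY:
            value = prop.find(f"{{{VT_NS}}}lpwstr")
            return value.text if value is not None else None
    return None


def _custom_part(existing, level):
    """Build docProps/custom.xml with the label set, keeping other custom properties."""
    root = ET.fromstring(existing) if existing else ET.Element(f"{{{CUSTOM_NS}}}Properties")
    for prop in list(root):
        if prop.get("name") == LABEL_PROPERTY:
            root.remove(prop)
    next_pid = max((int(p.get("pid", "1")) for p in root), default=1) + 1  # pids start at 2
    prop = ET.SubElement(root, f"{{{CUSTOM_NS}}}property",
                         fmtid=FMTID, pid=str(next_pid), name=LABEL_PROPERTY)
    ET.SubElement(prop, f"{{{VT_NS}}}lpwstr").text = level
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def write_label(docx_bytes, level):
    """Return a copy of the .docx with the classification embedded as metadata."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        existing = src.read(CUSTOM_PART) if CUSTOM_PART in names else None
        for name in names:
            if name == CUSTOM_PART:
                continue  # rewritten below
            data = src.read(name)
            # Register the part so that Office and DLP tooling actually look for it.
            if name == "[Content_Types].xml" and CT_OVERRIDE not in data.decode():
                data = data.decode().replace("</Types>", CT_OVERRIDE + "</Types>").encode()
            if name == "_rels/.rels" and "custom-properties" not in data.decode():
                data = data.decode().replace("</Relationships>", REL + "</Relationships>").encode()
            dst.writestr(name, data)
        dst.writestr(CUSTOM_PART, _custom_part(existing, level))
    return out.getvalue()


def tagging_kpis(documents):
    """KPI over a list of (name, docx_bytes): (automated tagging rate, unlabelled names)."""
    unlabelled = [name for name, data in documents if read_label(data) is None]
    rate = 1.0 - len(unlabelled) / len(documents) if documents else 0.0
    return rate, unlabelled


def minimal_docx(text):
    """Constructed stand-in for a freshly created, unlabelled Word document."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/'
          'package/2006/content-types"><Default Extension="rels" ContentType="application/'
          'vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType='
          '"application/xml"/><Override PartName="/word/document.xml" ContentType="application/'
          'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats'
            '.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.'
            'openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>')
    doc = ('<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats'
           f'.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, part in (("[Content_Types].xml", ct), ("_rels/.rels", rels), ("word/document.xml", doc)):
            z.writestr(name, part)
    return buf.getvalue()


if __name__ == "__main__":
    tagged = write_label(minimal_docx("Weekly payroll summary"), "Confidential")
    print(read_label(tagged))  # Confidential
    print(tagging_kpis([("payroll.docx", tagged), ("draft.docx", minimal_docx("notes"))]))
```

The point of the example is the separation the 2022 wording demands: the visible "CONFIDENTIAL" header in the body is irrelevant to a DLP engine, which reads the property in docProps/custom.xml. Running tagging_kpis over a sample from a sensitive folder gives the Automated Tagging Rate directly, and its second return value is the list of non-conformities for the internal spot-check.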

Downgrading and De-labelling Information

One of the biggest mistakes organisations make is leaving high-security labels on data forever. This is called “Classification Creep.” If an internal project strategy is labelled “Strictly Confidential,” what happens when that project is officially launched to the public?

Your Information Labelling Policy must include a procedure for downgrading or removing labels. Information Asset Owners must have the authority to declassify data when it loses its sensitivity. If you fail to do this, your automated security tools will eventually choke your business operations by blocking harmless files.

Labelling Unstructured Data and AI Prompts

It is easy to label a formal Word document. It is much harder to label a Slack message or a prompt typed into ChatGPT. Unstructured data is a massive blind spot for most organisations.

Your procedures must establish rules for these environments. For example, you should mandate that internal messaging platforms (like Teams or Slack) are treated as “Internal” environments by default, and that users are strictly prohibited from pasting “Confidential” data into public Generative AI tools without explicit redaction or masking (Annex A 8.11). For highly sensitive channels, use the channel name itself as the label (e.g., #project-apollo-SECRET).

How to Handle Legacy Data (The 10-Terabyte Problem)

When you implement Annex A 5.13, a terrifying question always arises: what do we do about the ten terabytes of historical data sitting on our legacy servers? Do we have to open every single file created since 2015 and add a watermark?

As a Lead Auditor, let me save you hundreds of hours of wasted time. The answer is no. You do not need to retroactively label individual legacy files. The accepted industry practice is called “Container Labelling.” You simply move all legacy data into a segregated, secure archive folder. You then apply the highest necessary classification label to that parent folder. As long as the container is labelled and access is restricted, you satisfy the requirement.
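Container labelling is easy to describe and easy to get wrong in tooling, because the effective label of a file is then a lookup up the directory tree rather than a property of the file. The following added example (not code from the article or any toolkit) resolves a path's effective label from the nearest labelled ancestor, lists assets that have no label at all, and checks the rule stated above that the container carries at least the highest label of anything inside it. The folder inventory is constructed for the example and the paths are POSIX-style.

```python
from pathlib import PurePosixPath

LEVELS = ["Public", "Internal", "Confidential"]

# Constructed inventory (assumption): labels recorded for containers, plus the few
# files that were labelled individually.
CONTAINER_LABELS = {
    "/archive/legacy-2015-2020": "Confidential",   # the segregated legacy archive
    "/shared/marketing": "Public",
}
FILE_LABELS = {
    "/shared/marketing/pricing-internal.xlsx": "Internal",
}


def effective_label(path, container_labels=CONTAINER_LABELS, file_labels=FILE_LABELS):
    """Label that applies to a path: its own label if it has one, otherwise the label of
    the nearest labelled ancestor container, otherwise None (an unlabelled asset)."""
    p = PurePosixPath(path)
    if str(p) in file_labels:
        return file_labels[str(p)]
    for ancestor in p.parents:  # walks from the immediate parent up to "/"
        label = container_labels.get(str(ancestor))
        if label is not None:
            return label
    return None


def unlabelled_assets(paths, container_labels=CONTAINER_LABELS, file_labels=FILE_LABELS):
    """Audit non-conformities: paths with neither their own label nor a labelled container."""
    return [p for p in paths if effective_label(p, container_labels, file_labels) is None]


def container_is_high_enough(container, container_labels=CONTAINER_LABELS, file_labels=FILE_LABELS):
    """The container must carry at least the highest label of any individually labelled
    file inside it; otherwise a file would be protected below its own classification."""
    ceiling = LEVELS.index(container_labels[container])
    for path, label in file_labels.items():
        if PurePosixPath(path).is_relative_to(container) and LEVELS.index(label) > ceiling:
            return False
    return True


if __name__ == "__main__":
    print(effective_label("/archive/legacy-2015-2020/hr/payroll-2016.csv"))  # Confidential
    print(unlabelled_assets(["/home/bob/notes.txt", "/shared/marketing/brochure.pdf"]))
    print(container_is_high_enough("/shared/marketing"))  # False: contains an Internal file
```

The last check is the one to automate before the archive is declared done: if someone later drops an individually labelled "Confidential" file into a "Public" folder, the container label no longer satisfies the requirement and the folder should be flagged rather than silently trusted.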

Third-Party Label Mapping

Your classification scheme is unique to your business. You might use “Public, Internal, and Confidential.” Your biggest enterprise client might use “Unclassified, Official, Secret, and Top Secret.” When you exchange data, this creates a massive compliance conflict.

If a client sends you an “Official” document, how are your staff supposed to label it in your system? To solve this, you must include a Label Mapping matrix in your supplier agreements or Non-Disclosure Agreements (NDAs). This simple table legally defines that the client’s “Official” data will be treated and labelled exactly as your “Confidential” data. This proves to an auditor that you maintain control of data even when it crosses corporate boundaries.

Avoiding Label Fatigue

If you force your employees to manually select a classification label every time they save a blank document or send a mundane email, you will create “Label Fatigue.” When security becomes annoying, staff will find a way to bypass it. They will start labelling everything as “Public” just to clear the pop-up screens from their monitors.

The smartest implementations rely on “Default Labelling.” Configure your IT systems to automatically tag all newly created documents and emails as “Internal” in the background. Staff only need to actively engage with the labelling process when they are upgrading a document to “Confidential” or downgrading it to “Public.” Make compliance as invisible as possible.
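The downgrading procedure from the section above and the default-labelling advice here are two halves of one label lifecycle: every asset starts as "Internal" without anyone being asked, anyone handling it may raise the label, and only the Information Asset Owner may lower it. The following added example (not code from the article or any toolkit) encodes those rules with an audit trail; the requirement that a downgrade records a reason is an assumption added for the example.

```python
from dataclasses import dataclass, field

# Assumed three-tier scheme from the article, ordered from least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential"]
DEFAULT_LEVEL = "Internal"  # applied silently to every new asset; nobody is prompted


class LabelPolicyError(Exception):
    """Raised when a requested label change violates the labelling procedure."""


@dataclass
class LabelledAsset:
    name: str
    owner: str                   # Information Asset Owner: the only person who may downgrade
    label: str = DEFAULT_LEVEL   # default labelling: new assets start as "Internal"
    history: list = field(default_factory=list)  # audit trail of (actor, old, new, reason)


def change_label(asset, new_label, actor, reason=""):
    """Apply an upgrade or downgrade under the assumed rules: any handler may raise the
    label; only the owner may lower it, and must record why the data lost its sensitivity."""
    if new_label not in LEVELS:
        raise LabelPolicyError(f"unknown classification level {new_label!r}")
    old_rank, new_rank = LEVELS.index(asset.label), LEVELS.index(new_label)
    if new_rank == old_rank:
        return asset  # nothing to do, nothing to log
    if new_rank < old_rank:
        if actor != asset.owner:
            raise LabelPolicyError(
                f"{actor} cannot downgrade {asset.name!r}; only owner {asset.owner} may declassify")
        if not reason:
            raise LabelPolicyError("a downgrade must record why the information lost its sensitivity")
    asset.history.append((actor, asset.label, new_label, reason))
    asset.label = new_label
    return asset


def still_elevated(assets):
    """Assets above the default level, i.e. the list an owner should periodically review
    for classification creep."""
    return [a.name for a in assets if LEVELS.index(a.label) > LEVELS.index(DEFAULT_LEVEL)]


if __name__ == "__main__":
    strategy = LabelledAsset("Project Apollo launch strategy", owner="alice")
    change_label(strategy, "Confidential", actor="bob")            # any handler may upgrade
    change_label(strategy, "Public", actor="alice", reason="project launched publicly")
    print(strategy.label, strategy.history)
```

Because the default is applied in the dataclass rather than by a prompt, the user only meets the label picker when deviating from "Internal", which is exactly the fatigue-free behaviour described above; the owner-only downgrade is what keeps the automated tools from being fed permanently stale "Confidential" tags.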

The ERP and CRM Blindspot (System-Generated Outputs)

People obsess over Microsoft Word and email. They completely forget about the automated reports exported from their CRM, HR systems, or financial software. When your accounting platform spits out a weekly payroll CSV, does it have a label?

As an auditor, I love asking users to generate a live system export. If your core business systems cannot automatically inject a visual header or metadata tag into the exported file, you have a gap. You must either upgrade the system configuration to include default labels on exports, or you must have a strict procedure requiring the user to manually label the file the second it hits their downloads folder.

Labelling Databases and Structured Data

You cannot put a “Confidential” watermark on a SQL database row or an AWS DynamoDB table. So how do you satisfy Annex A 5.13 for structured backend data? You do not need to label individual records.

The accepted method is “Schema Labelling.” You document your database architecture and apply the classification label to the data dictionary. For example, your documentation will explicitly state that the “Customer_Credit_Card” column is classified as “Secret.” You then use Role-Based Access Control to lock down that column. In this scenario, the architectural documentation serves as the label.
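Schema labelling only works as a control if the data dictionary and the access-control configuration agree, so the practical move is to generate the one from the other. The following added example (not code from the article or any toolkit) holds a constructed data dictionary in which each column carries its label, derives which columns a role may read from an assumed per-role clearance, and renders the result as PostgreSQL-style column comments and column-level SELECT grants (the dialect is an assumption; the role names and the four-level scheme with "Secret" are constructed for the example).

```python
# Constructed data dictionary (assumption): the classification sits on each column in
# the architecture documentation, which is the label for structured data.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]
DATA_DICTIONARY = {
    "customers": {
        "customer_id": "Internal",
        "email": "Confidential",
        "customer_credit_card": "Secret",
    },
}
# Assumed clearances: the highest column label each database role may read.
ROLE_CLEARANCE = {"analyst": "Internal", "support": "Confidential", "payments": "Secret"}


def permitted_columns(table, role, dictionary=DATA_DICTIONARY, clearances=ROLE_CLEARANCE):
    """Columns of `table` whose label does not exceed the role's clearance."""
    ceiling = LEVELS.index(clearances[role])
    return [col for col, label in dictionary[table].items() if LEVELS.index(label) <= ceiling]


def denied_columns(table, role, requested, dictionary=DATA_DICTIONARY, clearances=ROLE_CLEARANCE):
    """Columns in a requested projection that the role must not see (useful for spot checks
    of reports and exports against the dictionary)."""
    allowed = set(permitted_columns(table, role, dictionary, clearances))
    return [col for col in requested if col not in allowed]


def grant_statements(dictionary=DATA_DICTIONARY, clearances=ROLE_CLEARANCE):
    """Render the dictionary as PostgreSQL DDL (assumed dialect): the label is recorded as a
    column comment and enforced with column-level SELECT grants. Assumes the roles hold no
    table-level SELECT, so the granted column list is the only access they have."""
    statements = []
    for table, columns in dictionary.items():
        for col, label in columns.items():
            statements.append(f"COMMENT ON COLUMN {table}.{col} IS 'classification={label}';")
        for role in clearances:
            cols = permitted_columns(table, role, dictionary, clearances)
            if cols:
                statements.append(f"GRANT SELECT ({', '.join(cols)}) ON {table} TO {role};")
    return statements


if __name__ == "__main__":
    for statement in grant_statements():
        print(statement)
    print(denied_columns("customers", "analyst", ["customer_id", "customer_credit_card"]))
```

Keeping the comment and the grant in the same generated script is what lets an auditor walk from the documented label to the live privilege; if the two are maintained by hand they drift, and the documentation stops being a credible label.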

The Visual Clutter Trap

Here is a very practical piece of advice. I frequently see companies apply massive, dark grey watermarks diagonally across their documents to prove they are compliant. The problem is that it makes the text completely unreadable.

Security should never destroy usability. If your staff cannot easily read a document, they will copy and paste the text into an unlabelled, unprotected Notepad file just so they can do their jobs. Keep your visual markers small, professional, and tucked neatly into the header or footer. A simple red “CONFIDENTIAL” in the top right corner is far more effective than a giant watermark.

ISO 27001 Annex A 5.13 FAQ

What is ISO 27001 Annex A 5.13?

ISO 27001 Annex A 5.13 is an organisational control that requires an appropriate set of procedures for information labelling to be developed and implemented in accordance with the organisation’s information classification scheme.

  • Communicates the classification level of information to handlers.
  • Ensures appropriate protection and handling based on sensitivity.
  • Covers both digital and physical information assets.
  • Requires labelling to remain consistent across the entire information lifecycle.

Is information labelling mandatory for ISO 27001?

Yes, if your risk assessment identifies that information assets require classification to ensure secure handling, then labelling becomes a mandatory requirement under Annex A 5.13.

  • Essential for maintaining the Confidentiality, Integrity, and Availability of data.
  • Required to satisfy Clause 8.2 (Information Classification) in the 2013 standard and 5.12 in the 2022 standard.
  • A primary requirement for organisations handling PII, intellectual property, or government data.

What is the difference between Annex A 5.12 and 5.13?

The primary difference is that Annex A 5.12 (Classification) defines the hierarchy and levels of sensitivity, whereas Annex A 5.13 (Labelling) defines the visual or metadata markers used to communicate those levels.

  • Annex A 5.12: The “What” – Categorising data (e.g., Public, Internal, Secret).
  • Annex A 5.13: The “How” – The actual stickers, headers, footers, or tags applied to that data.
  • They are dependent controls; you cannot label information without a classification scheme in place.

How should digital information be labelled?

Digital information should be labelled using a combination of visual markers and embedded metadata to ensure the classification persists regardless of how the file is shared.

  • Visual cues: Headers, footers, and watermarks within documents or emails.
  • Metadata: File properties or “X-headers” in emails that allow automated systems to enforce security.
  • Naming conventions: Including the classification level in the file or folder name.
  • Automation tools: Using software like Microsoft Purview or Google Workspace Labels.

Does Annex A 5.13 apply to physical assets?

Yes, physical information such as printed documents, removable media, and storage devices must be labelled to ensure they are handled correctly in non-digital environments.

  • Physical stickers or stamps on folders and envelopes.
  • Labels on USB drives, external hard drives, and backup tapes.
  • Markings on hardware that stores sensitive information.
  • Secure disposal instructions printed on highly classified physical assets.

Can information labelling be automated?

Yes, automated labelling is highly recommended for large organisations as it reduces the risk of human error and ensures high levels of consistency.

  • Data Loss Prevention (DLP) tools can scan content for keywords and apply labels.
  • Email gateways can automatically tag outbound messages based on recipient domains.
  • Cloud storage platforms can apply default labels to specific folders or departments.
  • Automation ensures that “Confidential” content is never left unlabelled.
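The "X-headers" mentioned under digital labelling and the gateway behaviour listed here fit together in one small piece of logic: the label travels as a mail header, and the gateway reads it together with the recipient domains. The following added example (not code from the article or any product) builds outbound messages with Python's standard email library and applies an assumed gateway policy: unlabelled mail that stays inside the organisation is auto-tagged "Internal", unlabelled or unknown-labelled mail to external domains is refused, and "Confidential" mail to external domains is blocked. The header name, the organisation's domain and the policy are assumptions made for the example; the block count is the DLP Block Events KPI from the measurement section.

```python
from email.message import EmailMessage
from email.utils import getaddresses

LEVELS = ["Public", "Internal", "Confidential"]
LABEL_HEADER = "X-Classification"     # assumed header name; choose one and keep it consistent
DEFAULT_LABEL = "Internal"
INTERNAL_DOMAINS = {"example.com"}    # constructed: the organisation's own mail domains


def build_message(sender, to, subject, body, label=None):
    """Constructed outbound message; the label is carried as metadata, not in the subject."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    if label is not None:
        msg[LABEL_HEADER] = label
    msg.set_content(body)
    return msg


def external_domains(msg):
    """Recipient domains (To/Cc/Bcc) that are not the organisation's own."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    domains = {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}
    return domains - INTERNAL_DOMAINS


def gateway_decision(msg):
    """Assumed gateway policy (see lead-in). Returns (action, label, reason) so that
    block events can be counted for the DLP KPI."""
    external = external_domains(msg)
    label = msg.get(LABEL_HEADER)
    if label is None:
        if external:
            return "block", None, f"unlabelled message addressed to {sorted(external)}"
        msg[LABEL_HEADER] = DEFAULT_LABEL  # auto-tag based on recipient domains
        return "deliver", DEFAULT_LABEL, "auto-tagged: all recipients internal"
    if label not in LEVELS:
        return "block", label, "label is not part of the classification scheme"
    if label == "Confidential" and external:
        return "block", label, f"Confidential content addressed to {sorted(external)}"
    return "deliver", label, "label permits delivery"


def dlp_block_events(messages):
    """KPI from the article: number of gateway blocks over a batch of messages."""
    return sum(1 for m in messages if gateway_decision(m)[0] == "block")


if __name__ == "__main__":
    batch = [
        build_message("alice@example.com", "bob@example.com", "Lunch", "12:30?"),
        build_message("alice@example.com", "partner@other.org", "Q3 plan", "see attached",
                      label="Confidential"),
        build_message("alice@example.com", "partner@other.org", "Press release", "final text",
                      label="Public"),
    ]
    for m in batch:
        print(m["To"], gateway_decision(m))
    print("blocked:", dlp_block_events(batch))  # 1
```

Auto-tagging on the gateway rather than in the mail client is what keeps the default label invisible to staff: nobody is prompted for routine internal mail, and the header is already present by the time a message is archived or forwarded.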

What evidence do auditors look for regarding Annex A 5.13?

Auditors expect to see a documented Labelling Procedure and verifiable evidence that the policy is being followed in day-to-day operations.

  • The Information Labelling Policy/Procedure document.
  • Samples of labelled emails, spreadsheets, and physical documents.
  • Screenshots of automated labelling configurations in IAM or DLP tools.
  • Evidence of staff training and awareness regarding the labelling scheme.

How does labelling impact compliance with the UK Data (Use and Access) Act 2025?

Under the UK Data (Use and Access) Act 2025, labelling is the critical mechanism for identifying data types that qualify for reduced administrative burdens, such as scientific research data. By accurately labelling 100% of PII, organisations ensure they meet the updated security thresholds while streamlining cross-border data flows under the new UK legislative framework.

ISO 27001 controls and attribute values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
--- | --- | --- | --- | ---
Preventive | Confidentiality, Integrity, Availability | Protect | Information_protection | Defence, Protection

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
