ISO 27001 Annex A Control 5.13

ISO 27001 control 5.13 Labelling of information

The basics

ISO 27001 control A.5.13 Labelling of information requires companies to label information according to the defined classification scheme, in order to ensure that everyone understands how sensitive each piece of information is.

Documentation

ISO 27001 control A.5.13 Labelling of information can be documented by including it in the Classification Policy for mid-sized companies or by creating a separate Labelling Procedure for larger companies. These documents are not mandatory, but they are recommended.

Implementation

In order to comply with control A.5.13 Labelling of information you might implement the following:

  • Technology — in most cases the technology needed to implement classification labelling will already be available in the company. Companies of all sizes will probably be able to label information using office applications (e.g., text processors or spreadsheets) to include the classification label in documents or file names, or using information systems to display the classification label on the system’s screens.
  • Organization/processes — you should set up a process for defining the responsibilities for applying labels, the layout of labels, and how to apply them. You can document those processes through an Information Classification Policy or a Labelling Procedure.
  • People — make employees aware of why information labeling is needed and train them on how to apply classification labels.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.13 Labelling of information: if there are procedures for labeling of classified information, and if all the data, documents, and applications are labeled.