ISO 27001 Annex A 5.13 – Labelling Of Information

ISO 27001 Annex A 5.13 is all about labelling information. This rule is a key part of your security plan. It makes sure that important data is clearly marked. This helps people know how to handle and share it safely. It also helps computers handle data the right way.

What is labelling of information?

Information labelling is the process of putting classification tags on information assets. In information security and information management frameworks such as ISO 27001, this is a key procedure.

Why Do We Label Information?

The main goal is to put an organisation’s information classification scheme into practice. This scheme might classify data as Public, Internal, Confidential, or Highly Sensitive.

Labelling makes it easy to communicate the level of confidentiality, integrity, and availability needed for a piece of information.

How Does Labelling Work?

These labels guide users on how to handle, share, and protect the information. They can also automate security controls. For instance, a document tagged as Confidential might be automatically encrypted or blocked from being shared outside the company network.

Common Labelling Methods

Information can be labelled in several ways:

  • Metadata: These are hidden tags put inside digital files.
  • Visual Markings: These include headers, footers, or watermarks printed on documents.
  • Physical Labels: Stickers or stamps placed on physical folders and files.

What is ISO 27001 Annex A 5.13?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Labelling of Information”.

What is the ISO 27001 Annex A 5.13 control objective?

The formal definition and control objective in the standard is: “An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation.”

What is the purpose of ISO 27001 Annex A 5.13?

The purpose of ISO 27001 Annex A 5.13 is “to ensure you facilitate the communication of classification of information and support automation of information processing and management.”

Is ISO 27001 Annex A 5.13 Mandatory?

ISO 27001 Annex A control 5.13 (Labelling of Information in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.13 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

  • Make a plan: You must create a set of rules for labelling. This plan should tell you how to label information. It should also cover both paper and digital files.
  • Give training: Everyone who works for your company needs to know how to label things. They also need to know what to do with data once it is labelled.
  • Use metadata: For digital files, you should use metadata. This is data about data. It helps a computer know what a file is and how to handle it. The new rule from 2022 says you must do this.
  • Be careful: Sometimes, labelling something as “secret” can be bad. It can make it easier for people who want to steal data to find it. You should think about this when you make your plan.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

  • A plan for labelling.
  • Evidence that you have trained your staff on how to use it.
  • Examples of your documents to see that they are labelled correctly.

You can learn more about labelling of information and ISO 27001 by watching this video: ISO 27001 Annex A 5.13 Labelling Of Information (inc metadata) Explained