ISO 27001 Annex A 5.13 Labelling Of Information

What is ISO 27001 Annex A 5.13 Labelling Of Information?

Annex A 5.13 requires a documented process for labelling information. Organisations must apply labels to digital and physical assets based on their classification levels. This process must integrate with the tools staff already use, such as SharePoint metadata or document headers. It ensures users understand handling requirements during daily business operations.

Auditor’s Eye: The Shortcut Trap

SaaS compliance platforms often offer automated labelling that users never see. This creates a disconnect between policy and practice. Auditors want to see labels applied within SharePoint or Confluence. This proves that staff interact with the classification system. Native evidence shows genuine management ownership of data. Relying on an external “black box” dashboard rarely satisfies a lead auditor. We need to see that your employees recognise and apply these labels manually.

Transition Table (2013 vs 2022)

ISO 27001:2013 Reference: A.8.2.2 Labelling of Information
ISO 27001:2022 Reference: 5.13 Labelling of Information
Change Summary: The control moved to the organisational theme. The requirements remain consistent.

How to Implement ISO 27001 Annex A 5.13 (Step-by-Step)

Implementation must focus on making labels visible in existing organisational tools. This ensures security rules stay in front of your employees. Avoid software that hides labelling logic from the end-user.

  • Configure Metadata Fields: Define classification metadata columns in SharePoint document libraries.
  • Standardise Document Templates: Insert dynamic classification headers or footers in the Word and Excel templates distributed via the company wiki.
  • Establish Physical Labelling Rules: Document physical marking requirements for removable media and printed assets.
  • Automate via Business Rules: Use native Microsoft 365 sensitivity labels to prompt users for classification.

ISO 27001 Annex A 5.13 Audit Evidence Checklist

Auditors look for manual records and internal document versions. These prove human oversight and intent. Focus on the following items:

  • Documented labelling procedures within the Information Security Policy.
  • Sample SharePoint libraries showing classification metadata columns.
  • Standard document templates featuring classification headers.
  • Photographic evidence of labels on physical backup media.
  • Meeting minutes reviewing labelling compliance spot checks.

Relational Mapping

Annex A 5.13 depends on Annex A 5.12 (Classification of Information). You cannot label what you have not classified. It supports Annex A 7.10 (Storage Media) by identifying how to handle physical disks. Finally, it informs Annex A 8.3 (Information Access Restriction) by providing the metadata needed for access controls.

Auditor Interview

Auditor: How do your staff know a document is “Confidential”?

User: They check the header of the document or the SharePoint metadata column.

Auditor: Who applies these labels to new files?

User: The document creator must select the classification level when saving to SharePoint.

Auditor: How do you manage labels on physical assets like hard drives?

User: We apply physical stickers as defined in our asset handling procedure.

Common Non-Conformities

Automated Complacency: Relying on a platform’s green tick without having internal procedural evidence or user awareness.
Inconsistent Labelling: Digital files are labelled, but physical printouts of the same data lack markings.
Metadata Mismatch: The classification in the document header does not match the SharePoint library metadata.
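To turn the labelling spot checks from the evidence checklist into a repeatable test, and to catch the "Metadata Mismatch" case above, here is an added Python example that is not from the original page or any compliance platform. It compares the classification recorded in a SharePoint-style metadata column with the marking found in a document header; the classification scheme, the header pattern and the sample documents are constructed assumptions, and in practice the inputs would come from an exported library view and extracted header text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed classification scheme (constructed for this example; use the tiers from your own 5.12 scheme).
SCHEME = ("Public", "Internal", "Confidential", "Restricted")

# Assumed header convention: a line such as "Classification: Confidential" (case-insensitive).
HEADER_RE = re.compile(r"classification\s*:\s*([A-Za-z]+)", re.IGNORECASE)


@dataclass
class Document:
    name: str
    metadata_label: Optional[str]  # value of the library's classification column, None if blank
    header_text: str               # text extracted from the document header or footer


def header_label(text: str) -> Optional[str]:
    """Return the classification marking found in header text, or None if there is none."""
    match = HEADER_RE.search(text)
    return match.group(1).capitalize() if match else None


def check(doc: Document) -> List[str]:
    """Return non-conformity codes for one document; an empty list means it is conformant."""
    findings: List[str] = []
    meta = doc.metadata_label.capitalize() if doc.metadata_label else None
    head = header_label(doc.header_text)
    if meta is None:
        findings.append("MISSING_METADATA")       # column left blank on upload
    elif meta not in SCHEME:
        findings.append("UNKNOWN_METADATA_LEVEL")  # value outside the approved scheme
    if head is None:
        findings.append("MISSING_HEADER")         # template header absent or edited out
    elif head not in SCHEME:
        findings.append("UNKNOWN_HEADER_LEVEL")
    if meta in SCHEME and head in SCHEME and meta != head:
        findings.append("METADATA_MISMATCH")      # the non-conformity in the table above
    return findings


def spot_check(docs: List[Document]) -> Dict[str, List[str]]:
    """Map each non-conformant document name to its findings, for the spot-check minutes."""
    return {d.name: check(d) for d in docs if check(d)}


# Constructed sample library export; not real documents.
SAMPLE = [
    Document("board-pack.docx", "Confidential", "Classification: Confidential"),
    Document("price-list.xlsx", "Internal", "Classification: Public"),
    Document("old-memo.docx", None, "Draft - do not circulate"),
    Document("hr-file.docx", "Secret", "Classification: Restricted"),
]

if __name__ == "__main__":
    for name, findings in spot_check(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```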

Frequently Asked Questions

What is the primary requirement for information labelling?

The primary answer is developing and implementing procedures for labelling information. These procedures must align with the organisation’s classification scheme. Labelling applies to both digital and physical formats. It ensures all users identify the handling requirements of an asset immediately.

How should digital labels be applied?

Digital labels should be applied using internal metadata or visible markings. Use SharePoint columns to categorise documents by sensitivity. Include classification tiers in document headers or footers. This method keeps the security status visible during daily use.

What happens if labelling is omitted?

Omitting labels often leads to the mishandling of sensitive data. Users cannot follow handling rules they cannot see. This increases the risk of data breaches. Auditors view missing labels as a failure of the classification policy.

LA CASA DE CERTIFICACIÓN