If you have already worked through your information classification scheme in Annex A 5.12, you have essentially decided how valuable your data is. But classification is only half the battle; the next step is making those decisions visible to the people and systems that handle the data. This is where Annex A 5.13, “Labelling of information,” comes in.
In the transition from the 2013 version to the 2022 update, this control (formerly known as A.8.2.2) hasn’t just been renumbered; it has been modernised to reflect a world dominated by digital assets and automated processing. Let’s look at what has actually changed and how to stay compliant.
The Structural Shift: From A.8.2.2 to A.5.13
In the ISO 27001:2013 version, labelling was a subset of the Asset Management domain. In the 2022 revision, it has been moved to the “Organisational” theme and renumbered as Annex A 5.13.
This reclassification highlights that labelling is a management-led process rather than just a task for the IT department. According to HighTable.io, labelling is the “delivery system” for your security rules. It is the visual or digital signal that tells an employee, “This document cannot be emailed externally,” or tells a system, “This file must be encrypted.”
The Big Change: The Rise of Metadata
The most significant technical change in the 2022 version is the treatment of metadata. While the 2013 version mentioned metadata as a possible technique for labelling, the 2022 version places a much stronger emphasis on it. In fact, many practitioners now view the use of metadata as a core expectation rather than an optional extra.
Metadata allows for “invisible” labelling that travels with the file, no matter where it is stored or sent. This is essential for modern compliance because it enables automation. For example, Data Loss Prevention (DLP) software can read the metadata label of a file and automatically block it from being uploaded to a public cloud site. HighTable.io suggests that if you aren’t leveraging metadata in the 2022 version, you are likely missing out on the most efficient way to prove that your labelling scheme is actually working.
New Guidance on the Risks of Labelling
Interestingly, the 2022 guidance (via ISO 27002:2022) introduces a more nuanced conversation about the risks of over-labelling. While the 2013 version was very focused on making labels “easy to recognise,” the update adds a warning: if you label everything as “Highly Confidential,” you might actually be helping a malicious actor or hacker find your most sensitive data more quickly.
This has led to a shift in strategy. Many organisations are now moving toward “implicit” labelling for low-risk data (where the absence of a label implies it is public or internal) and saving explicit, highly visible labels for truly sensitive information. This reduces “label fatigue” for employees and makes it harder for intruders to scan a directory for “gold” assets.
Integration with Modern Workflows
The 2022 version acknowledges that information exists in more formats than ever before. Your labelling procedures must now clearly cover:
- Physical Assets: Think stickers on backup drives or “Confidential” stamps on paper files.
- Digital Documents: Headers, footers, and watermarks in Word, PDF, or Excel.
- System Streams: How do you “label” data in a database or an API? (Hint: This is where metadata and system-level access controls meet).
- Hardware: Labelling the physical devices that contain classified data.
Key Implementation Steps for the 2022 Standard
To successfully transition your ISMS to meet the Annex A 5.13 requirements, consider these steps:
- Define Your Labelling Rules: Create a clear matrix that shows exactly how each classification level (from A.5.12) should be labelled across different formats.
- Focus on Automation: Use tools like Microsoft Purview or Google Workspace security settings to automatically apply labels based on content.
- Train Your Team: Employees need to know not just how to label, but why it matters. If they don’t understand the consequences of a mislabelled file, they won’t take the time to get it right.
- Include De Facto Rules: To save time, establish a rule that “all data in System X is considered Confidential by default.” This reduces the manual burden on staff.
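The following is an added illustration, not code from the standard, from HighTable.io or from any labelling product. It pulls together the ideas above: a labelling matrix that maps each classification level to its permitted handling actions and required visible marking, a metadata label that travels with the file and that a DLP-style check can read, implicit labelling (no label means Internal), and a de facto rule that everything in a given system is Confidential by default. The metadata key name, the path prefixes, the sample documents and the matrix itself are all constructed assumptions; a real deployment would take them from your A.5.12 scheme.

```python
"""Label-aware handling check in the style of a DLP engine (illustrative only).

Every name, path and rule below is a constructed assumption, not part of
ISO 27001/27002 or of any vendor product.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


# Assumed metadata property carrying the invisible label.
LABEL_KEY = "x-classification"

# Implicit labelling: a file with no label and no location rule is Internal.
IMPLICIT_LEVEL = Level.INTERNAL

# De facto rules keyed by path prefix (constructed): data in these systems
# gets a default classification even when nobody set a label.
LOCATION_DEFAULTS = {
    "/systems/hr/": Level.CONFIDENTIAL,
    "/systems/payroll/": Level.HIGHLY_CONFIDENTIAL,
}

# Labelling matrix (assumed): which actions each level permits, and which
# visible marking (header/footer text) must accompany the metadata label.
ALLOWED_ACTIONS = {
    Level.PUBLIC: {"share_internal", "email_external", "upload_public_cloud"},
    Level.INTERNAL: {"share_internal"},
    Level.CONFIDENTIAL: {"share_internal"},
    Level.HIGHLY_CONFIDENTIAL: set(),
}
REQUIRED_MARKING = {
    Level.CONFIDENTIAL: "CONFIDENTIAL",
    Level.HIGHLY_CONFIDENTIAL: "HIGHLY CONFIDENTIAL",
}


@dataclass
class Document:
    path: str
    metadata: dict = field(default_factory=dict)
    header_text: str = ""  # the visible marking, e.g. a Word header


def effective_level(doc: Document) -> Level:
    """Explicit metadata label wins; else the location default; else implicit."""
    raw = doc.metadata.get(LABEL_KEY)
    if raw is not None:
        try:
            return Level[raw.strip().upper().replace(" ", "_")]
        except KeyError:
            raise ValueError(f"{doc.path}: unknown label value {raw!r}")
    for prefix, level in LOCATION_DEFAULTS.items():
        if doc.path.startswith(prefix):
            return level
    return IMPLICIT_LEVEL


def decide(doc: Document, action: str) -> tuple[bool, str]:
    """Allow or block an action purely from the effective label."""
    level = effective_level(doc)
    if action in ALLOWED_ACTIONS[level]:
        return True, f"{action} permitted: {doc.path} is {level.name}"
    return False, f"{action} blocked: {doc.path} is {level.name}"


def marking_findings(doc: Document) -> list[str]:
    """Consistency check between the invisible label and the visible marking."""
    level = effective_level(doc)
    findings = []
    required = REQUIRED_MARKING.get(level)
    visible = doc.header_text.upper()
    if required and required not in visible:
        findings.append(f"{doc.path}: {level.name} file lacks visible marking {required!r}")
    # Over-labelling: a loud stamp on a file whose metadata says it is lower.
    if "HIGHLY CONFIDENTIAL" in visible and level < Level.HIGHLY_CONFIDENTIAL:
        findings.append(f"{doc.path}: visible marking exceeds metadata label {level.name}")
    return findings


# Constructed sample documents exercising each rule.
SAMPLE_DOCS = [
    Document("/shared/newsletter.docx", {LABEL_KEY: "Public"}, "Company Newsletter"),
    Document("/shared/roadmap.docx"),                                  # no label -> Internal
    Document("/systems/hr/contract.pdf", {}, "CONFIDENTIAL"),          # location default
    Document("/systems/payroll/q3.xlsx"),                              # default, marking missing
    Document("/shared/memo.docx", {LABEL_KEY: "Internal"}, "HIGHLY CONFIDENTIAL"),  # over-labelled
]


def run_checks(docs=SAMPLE_DOCS, action="upload_public_cloud"):
    """Return per-file decisions for one action plus all marking findings."""
    decisions = {d.path: decide(d, action)[0] for d in docs}
    findings = [f for d in docs for f in marking_findings(d)]
    return decisions, findings


if __name__ == "__main__":
    decisions, findings = run_checks()
    for path, ok in decisions.items():
        print(("ALLOW " if ok else "BLOCK ") + path)
    for f in findings:
        print("FINDING " + f)
```

The point of `effective_level` is that the policy decision never depends on a human having opened the file: the label is read from metadata, falls back to the system-level default, and finally to the implicit level, so a missing label is a defined state rather than a gap. `marking_findings` is the kind of spot check an auditor performs on a random file, comparing what the metadata says with what the header shows, and it also flags the over-labelling case the 2022 guidance warns about.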

What the Auditor Will Check
An auditor looking at the 2022 version of your ISMS will go beyond checking your policy documents. They will likely ask to see “live” examples of your labelling in action. They might pick a random file from your SharePoint and ask to see its metadata, or walk through your office to see if physical folders are marked correctly.
The transition from ISO 27001:2013 A.8.2.2 to ISO 27001:2022 Annex A 5.13 represents a move toward a more sophisticated, digital-first approach to security. By embracing metadata and automation, you are building a system that doesn’t just look good on paper but actively protects your data in real time.
