Apply Protective Markings to Emails Based on Sensitivity
Emails must be marked to show their highest confidentiality level based on content.
Plain language
This control means that any email you send needs to have a label or marking stating how sensitive the information is. It matters because if an email containing sensitive data is handled carelessly or falls into the wrong hands, it could lead to data theft, legal issues, or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments.
Why it matters
If emails aren’t marked to the highest sensitivity of subject, body or attachments, staff may mishandle them, leading to unauthorised disclosure, reportable breaches and legal or reputational harm.
Operational notes
Configure email tools to apply protective markings by default, validate that each marking matches the highest sensitivity found across the subject, body and attachments, and routinely review samples and train users on correct marking.
Implementation tips
- Managers should create a simple guide to determine sensitivity levels for emails. This guide can list different types of information (like financial data, personal details, or public news) and what marking each type should get. The guide should be clear and easy for all staff to use.
- IT teams should configure email systems to allow for protective markings. This can involve setting up automatic prompts for users to select a sensitivity level when they send an email. These systems should have clear options, like 'Confidential', 'Internal Use Only', and 'Public'.
- Office managers should organise a training session for all staff on how to apply protective markings. In this session, demonstrate the marking process step-by-step and provide examples of common email contents and their appropriate markings.
- IT staff should regularly check that the email marking system works correctly and that users comply with it. This includes ensuring that emails are not sent without a required marking and that the marking options are still clearly visible and functioning.
- HR should include the proper marking of emails as part of the staff's performance reviews. By adding this to regular appraisals, you encourage consistent compliance and enhance protection of sensitive information.
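The operational notes and the IT tips above describe a check a mail gateway or send-time add-in can make: the marking declared on an email must be at least as high as any marking carried by its subject, body or attachments, and an email with no marking must not leave. The following is an added example of that validation, not code from the Control Stack page or from any product it describes. It orders the page's classification list NC, OS, P, S, TS from lowest to highest (an assumption), reads the declared marking from an `X-Protective-Marking` header and looks for inline `[SEC=...]` tokens; both the header name and the token syntax are assumptions for this example, so substitute whatever marking format your email platform actually emits. Binary attachments cannot be read by a text check like this one, so they are reported for separate inspection rather than silently passed.

```python
"""Added example: a gateway-style check that an outbound email's declared protective
marking is at least as high as any marking found in its subject, body and text
attachments. The NC < OS < P < S < TS ladder follows the order listed on the page;
the ordering, the X-Protective-Marking header and the [SEC=...] token syntax are
assumptions for this example."""
import re
from email.message import EmailMessage

LEVELS = ["NC", "OS", "P", "S", "TS"]        # lowest to highest (assumed order)
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
MARKING_HEADER = "X-Protective-Marking"      # assumed header carrying the declared marking
HEADER_RE = re.compile(r"\bSEC=(NC|OS|P|S|TS)\b")
TOKEN_RE = re.compile(r"\[SEC=(NC|OS|P|S|TS)\]")   # assumed inline marking token


def highest(levels):
    """Highest classification in `levels`, or None if nothing was marked."""
    return max(levels, key=RANK.__getitem__) if levels else None


def declared_marking(msg):
    """Marking the sender declared in the header, or None if absent/unparseable."""
    value = msg.get(MARKING_HEADER)
    match = HEADER_RE.search(value) if value else None
    return match.group(1) if match else None


def content_markings(msg):
    """Markings found in the subject, text bodies and text attachments.

    Returns (levels, unscanned): unscanned lists non-text parts whose content
    this check cannot read, so they need a separate control (e.g. DLP scanning).
    """
    levels = TOKEN_RE.findall(msg.get("Subject", ""))
    unscanned = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            levels += TOKEN_RE.findall(part.get_content())
        else:
            unscanned.append(part.get_filename() or part.get_content_type())
    return levels, unscanned


def check_message(msg):
    """Validate the declared marking against the highest marking in the content.

    Under-marking (or no marking at all) fails the check; over-marking and
    uninspectable attachments are reported as warnings for human review.
    """
    declared = declared_marking(msg)
    found, unscanned = content_markings(msg)
    required = highest(found)
    issues, warnings = [], []
    if declared is None:
        issues.append("no protective marking on the message")
    elif required is not None:
        if RANK[declared] < RANK[required]:
            issues.append(f"declared {declared} is below content marking {required}")
        elif RANK[declared] > RANK[required]:
            warnings.append(f"declared {declared} exceeds highest content marking {required}")
    if unscanned:
        warnings.append("attachments not inspected: " + ", ".join(unscanned))
    return {"declared": declared, "required": required,
            "ok": not issues, "issues": issues, "warnings": warnings}


def build_sample(declared, subject, body, text_attachment=None, binary_attachment=False):
    """Build a constructed sample message (test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    if declared:
        msg[MARKING_HEADER] = f"SEC={declared}"
    msg.set_content(body)
    if text_attachment is not None:
        msg.add_attachment(text_attachment, subtype="plain", filename="notes.txt")
    if binary_attachment:
        msg.add_attachment(b"\x00\x01\x02", maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg


if __name__ == "__main__":
    samples = {
        "correct":       build_sample("P", "[SEC=P] Quarterly figures", "See attached.",
                                      text_attachment="[SEC=OS] internal notes"),
        "under-marked":  build_sample("OS", "Quarterly figures", "Plain body.",
                                      text_attachment="[SEC=S] payroll extract"),
        "unmarked":      build_sample(None, "Quarterly figures", "Plain body."),
        "binary-attach": build_sample("P", "[SEC=P] Report", "Binary attached.",
                                      binary_attachment=True),
    }
    for name, msg in samples.items():
        print(f"{name:14s} -> {check_message(msg)}")
```

The check deliberately treats over-marking as a warning rather than a failure: the highest inline token is a floor, not proof of the true sensitivity, and a sender who marks higher than the tokens suggest may be right. The "attachments not inspected" warning is the part auditors should look for in the gateway's logs, because an email whose only sensitive content is inside a binary attachment passes this text-level check unless another control reads the file.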
Audit / evidence tips
- Ask: for the guideline document on email sensitivity levels. Good: the guideline will have clear, easy-to-read instructions and examples.
- Good: the feature will require a marking to be applied before the email can be sent.
- Good: the record shows most, if not all, relevant staff have completed training, with notes that the content was relevant and understood.
- Ask: them about how they decide on a sensitivity level for emails. Good: answers will include reference to the organisational guidelines and examples from their experience.
- Good: the sample will show consistent, correct markings corresponding with the stated sensitivity level.
Cross-framework mappings
How ISM-0270 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.13 | Partially meets | ISM-0270 requires protective markings to be applied to emails reflecting the highest sensitivity of the subject, body and attachments |
| Annex A 5.12 | Related | Annex A 5.12 requires information to be classified based on confidentiality, integrity and availability needs and related requirements |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.