Prevent Automatic Email Marking by Protective Tools
Protective tools for emails don't automatically add security labels to your messages.
Plain language
This control is about making sure that email security tools don’t automatically add labels to your emails like 'Confidential' or 'Sensitive'. If such labels are added without your knowledge, it could lead to either sensitive information being shared too broadly or normal emails being overly restricted, which can cause confusion and harm communication.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Protective marking tools do not automatically insert protective markings into emails.
Why it matters
If tools auto-insert protective markings, emails may be over- or under-marked, causing oversharing of sensitive data or unnecessary access restrictions.
Operational notes
Audit email clients/add-ins to confirm no auto protective marking is applied. Disable auto-labelling features and train staff to manually select the correct marking.
Implementation tips
- Managers should ensure that staff understand when and how to manually apply protective labels to emails. Provide clear guidelines during training sessions using simple examples of when certain labels should be used.
- The IT team should configure email tools to prevent automatic insertion of labels. Check the settings in your email management system and disable any features that automatically add protections unless specifically set up to do so.
- The HR department should include policies in the staff handbook about manually labelling sensitive emails. Make sure the handbook is accessible online and staff are aware of how they can find it.
- The Compliance Officer should review current email practices to ensure no automated labelling occurs. Conduct regular checks of sent emails and adjust processes if automatic labelling is detected.
- Trainers should run refresher courses on email security every six months. Use these sessions to remind staff how to classify emails properly without relying on automated tools.
Audit / evidence tips
- Ask: the training materials provided to staff on email labelling
  Good: includes examples across different types of data and straightforward steps for staff to follow
- Good: shows that all automation features are disabled unless needed for specific, justified use cases
- Ask: how they decide which labels to use and if they know how to disable automatic markings
  Good: consists of staff being able to clearly explain the procedure and confirm awareness of the policy
- Good: scenario shows the user applying the correct label after considering the content and audience
- Good: will show documented instances, recommendations, and actions taken to prevent recurrence
Cross-framework mappings
How ISM-0271 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.13 | ISM-0271 requires that protective marking tools do not automatically insert protective markings into emails, controlling how labels are a... | |
| Supports (1) | | |
| Annex A 5.12 | ISM-0271 requires that protective marking tools do not automatically insert protective markings into emails, preventing unintended or inc... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.