ISM-0272: ASD Information Security Manual (ISM)

Prevent Unauthorised Protective Marking Selection

Ensure users cannot choose classification levels the system cannot handle.


Plain language

This control makes sure that when you or your team use protective marking tools (like setting labels on emails or documents), you can only choose levels that the system is able to handle. It's important because if employees mark something as more secure than your system can actually manage, it can lead to accidental leaks of sensitive information or overlooked security gaps.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2019

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate.

Why it matters

If users can select markings the system isn’t authorised to handle, data may be stored or shared at the wrong classification, increasing risk of compromise.


Operational notes

Configure marking tools to offer only the protective markings the system is authorised to process/store/communicate, and review settings after changes to accreditation.


Implementation tips

  • System managers should communicate with IT to understand which protective marking levels your systems can support. They can do this by reviewing system capabilities and matching them against the classification levels used in your organisation.
  • IT teams should configure the software settings to only present marking options that your infrastructure can handle. This means accessing the admin settings of your email or document management systems and disabling any classification labels that could exceed your system's processing capability.
  • Security officers should create a simple guideline for employees on what each protective marking level means and when to use it. This could be a one-page cheat sheet or an online document that is easy for people to reference.
  • Management should regularly train employees on how to correctly use protective markings. Set up a three-monthly workshop or online session where staff can ask questions and get guidance on correct usage.
  • Supervisors should periodically review how staff are applying protective markings and provide feedback. They can do this by selecting a random sample of emails or files each month and checking if the applied markings align with company policy.

Audit / evidence tips

  • Ask: The system capability list: Request a document or spreadsheet detailing which protective marking levels the system can handle. Good: Will show a clear match with no unsupported levels included.
  • Ask: A screenshot or demonstration of the protective marking options available in your main systems. Ensure there are no unsupported classifications available for users to select. Good: Setup will only show options that are within system capabilities.
  • Good: Will indicate clear accountability and steps taken to review system capabilities before setting options.
  • Ask: Recent training documents or recordings that explain protective markings. Check they include descriptions of what markings can be applied and consequences of wrong usage. Good materials will be clear, concise, and reflect current system capabilities.
  • Ask: Feedback reports on marking usage: Review any reports or summaries on how employees use protective markings, highlighting any errors or trends.

Cross-framework mappings

How ISM-0272 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (2)

  • Annex A 5.12: Annex A 5.12 requires organisations to implement information classification policy and practices so information is consistently classifie...
  • Annex A 5.13: ISM-0272 requires protective marking tools to prevent users from selecting protective markings that the system is not authorised to proce...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
