Label Media with Sensitivity or Classification
Label physical media, except internal hard drives, to show its security level or classification.
Plain language
This control is about labelling physical media, like USB drives and DVDs, with information on how sensitive the data they contain is. It's important because if media isn't properly labelled, it could lead to accidental data leaks or breaches, as people might not handle it with the required level of care.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Media, with the exception of internally mounted fixed media within information technology equipment, is labelled with protective markings reflecting its sensitivity or classification.
Why it matters
Unlabelled removable media may be mishandled or shared without appropriate protective markings, increasing the likelihood of unauthorised disclosure of classified or sensitive data.
Operational notes
Check removable media and external drives have protective markings matching current sensitivity/classification, and relabel when content changes; exclude internally mounted fixed media.
Implementation tips
- Office managers should ensure that a process is in place for labelling all physical media. This includes setting up a system where any external drives or tapes are clearly marked with a label indicating their level of sensitivity or classification. You can use colour-coded stickers or printed labels for clarity.
- IT teams should provide guidance on what the different sensitivity labels mean. They can organise a brief training session to explain the classification categories to all employees and how they should handle media based on its label.
- Procurement staff should purchase label-making equipment or software. This could include a printer and label sheets specifically designed for this purpose. Ensure the labels are durable and will not fall off easily.
- All staff members who handle sensitive information should regularly check that labels on media are intact and readable. This can be included as a step in procedures whenever media is accessed or used.
- Compliance officers should routinely audit labelled media to ensure the correct labelling practice is followed. They can set reminders for periodic checks and document any discrepancies they find.
Audit / evidence tips
- AskThe organisation's labelling policy or procedure document: Request to see the document outlining how media should be labelled GoodWill show a comprehensive, easy-to-follow guideline that aligns with the control's requirements
- GoodIs when all media observed is accurately and clearly labelled as per the guidelines
- AskThem about the process they follow to label media GoodIs when staff can correctly describe the labelling process and its importance
- GoodShows an ongoing commitment to maintaining correct labelling practices
- AskTo see training materials or records: Request the materials or logs used for staff training on media labelling GoodIncludes a schedule of training sessions and attendance records
Cross-framework mappings
How ISM-0332 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 5.13 | ISM-0332 requires organisations to label physical media (excluding internally mounted fixed media) with protective markings that reflect ... | |
| link Related (1) expand_less | ||
| Annex A 5.12 | Annex A 5.12 requires information to be classified according to organisational security needs (confidentiality, integrity, availability) ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.