Check Data for Improper Markings Before Export
When exporting data manually, ensure it doesn't have improper protective markings.
Plain language
When you export data from your systems, you need to make sure that it doesn't have any mistakes in the way it's labelled or marked. If the data is wrongly marked as secret or confidential, or not marked when it should be, it could accidentally be shared with the wrong people or not protected as it should be.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
When manually exporting data from systems, the data is checked for unsuitable protective markings.
Why it matters
If exported data is not checked for unsuitable protective markings, sensitive information may be mislabelled and disclosed or mishandled.
Operational notes
Before manual exports, verify each file’s protective marking matches its contents; use a checklist and document checks for auditability.
Implementation tips
- Managers should ensure staff are trained in recognising and applying correct protective markings. Organise training sessions that explain what different protective markings mean and provide examples of how to apply them correctly.
- IT teams should implement a review process for data before it is exported. Establish a step-by-step checklist that includes verifying that all data is appropriately marked according to its sensitivity level.
- Data handlers should perform a visual check of the data labels before export. Use a simple guide alongside the data to compare what markings should appear and rectify any mismatches immediately.
- System owners should utilise software tools that assist in checking data markings. Identify and install data loss prevention (DLP) software that can scan and identify potentially mislabelled data automatically.
- Team leads should create a culture where employees double-check each other’s work related to data exports. Encourage a buddy system where a colleague confirms the accuracy of data markings before export.
Audit / evidence tips
- AskThe training materials related to protective markings. Check that they cover the correct application of these markings and include practical examples. Good evidence includes comprehensive materials that all relevant staff have access to and records of attendance
- AskA sample export checklist GoodChecklist is clear, concise, and includes specific steps for verifying data markings
- AskEvidence of data loss prevention (DLP) software being used GoodSetup shows logs or reports of issues found and resolved
- AskDocumentation of buddy checks or double-checking processes
- AskRecords of data exports
Cross-framework mappings
How ISM-1187 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.12 | ISM-1187 requires that when data is manually exported from systems, it is checked to ensure it does not carry unsuitable protective marki... | |
| handshake Supports (1) expand_less | ||
| Annex A 5.10 | ISM-1187 requires a procedural check during manual export to ensure data does not have unsuitable protective markings | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.