Labelling of Information
Create and use clear labels to show how sensitive information is, so it is correctly handled.
Plain language
This control is about putting labels on information to show how sensitive it is. This matters because the labels help people know how to handle the information properly. Without clear labels, sensitive information could be mishandled or exposed, leading to data breaches or privacy violations.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Why it matters
Without classification-based labels, staff and systems may apply the wrong handling and sharing rules, increasing the chance of inadvertent disclosure.
Operational notes
Embed classification labels in documents/emails via templates and auto-tagging; ensure labels and handling instructions are updated immediately after reclassification.
Implementation tips
- The IT manager should develop procedures for labelling information based on its sensitivity. They can do this by aligning with the organisation’s classification scheme, making sure each piece of information has a label that corresponds to its confidentiality level.
- The HR department should train employees on how to use and apply these labels. They can conduct workshops to explain the different types of labels and what they mean so that staff members are aware of how to handle information safely.
- The office manager should ensure that both physical and digital documents are labelled appropriately. They can set up a system to use physical labels like rubber stamps for hard copies and metadata tags for electronic files.
- The compliance officer must ensure that exceptions to labelling (like non-confidential information) are documented in the procedures. They should also address special cases where labelling may not be possible and outline alternative safeguards.
- The IT team should ensure that information systems automatically append the right metadata for digital files, making it easier to handle information according to its sensitivity. This includes setting up system rules that apply the correct labels as information is created or modified.
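As an added illustration of the auto-tagging and reclassification steps above (example code written for this page, not taken from the standard or any labelling tool), the following Python applies a label from an assumed classification scheme, refuses labels the hosting system is not authorised to process, keeps handling instructions in step with the label after reclassification, and flags documents whose label and handling have drifted apart. The scheme order and the handling texts are constructed assumptions.

```python
# Constructed classification scheme, ordered least to most sensitive.
# The label names echo the markings the ASD ISM mappings on this page
# mention; a real scheme comes from the organisation's own policy.
SCHEME = ["OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED", "SECRET", "TOP SECRET"]

# Handling instruction attached to each label (assumed, illustrative only).
HANDLING = {
    "OFFICIAL": "no special handling",
    "OFFICIAL: Sensitive": "need-to-know; no personal email",
    "PROTECTED": "encrypt in transit and at rest; approved systems only",
    "SECRET": "accredited systems only; cable and media colour conventions apply",
    "TOP SECRET": "accredited systems only; dual-person handling",
}


def rank(label: str) -> int:
    """Position of a label in the scheme; labels outside the scheme are rejected."""
    if label not in SCHEME:
        raise ValueError(f"label not in classification scheme: {label!r}")
    return SCHEME.index(label)


def apply_label(metadata: dict, label: str, system_ceiling: str) -> dict:
    """Tag a document's metadata with a label and its handling instruction.

    Refuses labels the hosting system is not authorised to process (the idea
    behind ISM-0272) and, on reclassification, replaces the old handling
    instruction so the label and its handling never drift apart.
    """
    if rank(label) > rank(system_ceiling):
        raise PermissionError(
            f"system authorised up to {system_ceiling!r}; cannot hold {label!r}")
    tagged = dict(metadata)          # never mutate the caller's record
    previous = tagged.get("classification")
    tagged["classification"] = label
    tagged["handling"] = HANDLING[label]
    if previous is not None and previous != label:
        tagged["reclassified_from"] = previous   # audit trail for reclassification
    return tagged


def audit_labels(documents: list) -> list:
    """Return ids of documents that are unlabelled or whose handling
    instruction no longer matches their classification label."""
    findings = []
    for doc in documents:
        label = doc.get("classification")
        if label not in HANDLING or doc.get("handling") != HANDLING[label]:
            findings.append(doc["id"])
    return findings
```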
Audit / evidence tips
- Ask: Ask for the documented procedure on information labelling.
  Good: The procedure is comprehensive, easy to understand, and covers physical and digital labelling with details on exceptions.
- Ask: Request training records for staff on information labelling.
  Good: Training records show that all staff have participated, and the content covers the procedures thoroughly.
- Ask: Ask to see examples of labelled documents, both physical and electronic.
  Good: Documents carry labels that are easy to identify and accurately reflect their sensitivity level.
- Ask: Request information system settings or policies on metadata tagging.
  Good: Systems are configured to automatically add appropriate metadata, facilitating correct information management.
- Ask: Ask for the records of any incidents related to mislabelled information.
  Good: Incidents are rare, and when they occur, they have been promptly addressed with adjustments in procedures or training.
Cross-framework mappings
How Annex A 5.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (9) | | |
| ISM-0201 | ISM-0201 requires very specific physical labelling of TOP SECRET conduits (minimum label size, five-metre intervals, and the marking 'TS ... | |
| ISM-0218 | ISM-0218 requires TOP SECRET fibre-optic fly leads over five metres to be run in a protective, easily inspected pathway and to be clearly... | |
| ISM-0270 | Annex A 5.13 involves implementing procedures for information labelling aligned to the organisation's classification scheme | |
| ISM-0294 | Annex A 5.13 requires the development and implementation of procedures for labelling information in accordance with the organisation's cl... | |
| ISM-0332 | Annex A 5.13 requires procedures for labelling information as per the classification scheme | |
| ISM-0356 | ISM-0356 requires that after sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification and must continue... | |
| ISM-0926 | ISM-0926 mandates a specific labelling/identification convention by prohibiting salmon pink and red for certain sensitivity/classificatio... | |
| ISM-1107 | ISM-1107 requires that Non-classified, OFFICIAL: Sensitive and PROTECTED wall outlet boxes are not coloured salmon pink or red to avoid m... | |
| ISM-1216 | ISM-1216 requires SECRET and TOP SECRET cables that do not use conformant colouring to be banded with the correct colour and labelled at ... | |
| Partially overlaps (4) | | |
| ISM-0271 | ISM-0271 requires that protective marking tools do not automatically insert protective markings into emails, controlling how labels are a... | |
| ISM-0293 | ISM-0293 requires IT equipment to be classified (and practically labelled) according to the highest data sensitivity it can process, stor... | |
| ISM-0296 | ISM-0296 requires an organisation to seek ASD approval before applying any labels to the external surfaces of high assurance IT equipment... | |
| ISM-0378 | Annex A 5.13 requires organisations to develop and implement procedures for information labelling aligned to an information classificatio... | |
| Supports (8) | | |
| ISM-0208 | ISM-0208 requires maintaining a comprehensive cable register including identifiers, colour, classification/sensitivity, endpoints, locati... | |
| ISM-0240 | ISM-0240 requires organisations to prevent staff from using SMS/MMS/paging/messaging apps to transmit sensitive or classified data | |
| ISM-0272 | ISM-0272 requires protective marking tools to prevent users from selecting protective markings that the system is not authorised to proce... | |
| ISM-0358 | ISM-0358 requires continued SECRET/TOP SECRET handling for sanitised EPROM/EEPROM media, meaning the asset should not be treated as uncla... | |
| ISM-0393 | ISM-0393 requires databases and their contents to be classified based on the sensitivity/classification of the data they contain | |
| ISM-0501 | ISM-0501 requires keyed cryptographic equipment to be transported according to the sensitivity/classification of its keying material | |
| ISM-0589 | ISM-0589 requires MFD usage to be constrained so that scanning/copying does not occur for documents above the network’s classification | |
| ISM-0831 | ISM-0831 requires media to be handled in accordance with its sensitivity or classification to protect information | |
| Depends on (3) | | |
| ISM-0337 | ISM-0337 mandates that media be used only with systems authorised for its classification | |
| ISM-1535 | ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL data from being exported to unsuitable foreign sys... | |
| ISM-2094 | ISM-2094 requires AI applications to detect and block sensitive data exposure and improper output via content filtering | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.