ISO 27001:2022 Annex A Control 5.13

Labelling of Information

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

Organisations apply classification labels to relevant information assets to implement their information classification scheme.

Following the organisation’s adopted information classification scheme, ISO 27001:2022 Annex A 5.13 defines a set of procedures for information labelling.

In addition to identifying physical and electronic assets, procedures for identifying information will need to be developed that reflect the classification scheme described in 5.12.

Making labels easy to recognise and manage; otherwise, they will not be followed. Rather than getting staff to label every CRM update with a commercial in-confidence statement, it might be easier to decide de-facto that everything in the digital systems is confidential unless otherwise expressly labelled!

Using the classification scheme adopted in Annex A Control 5.12, Annex A Control 5.13 details how organisations should develop, implement, and manage a robust information labelling procedure.

What Is The Purpose of ISO 27001:2022 Annex A 5.13?

The purpose of Annex A 5.13 is two-fold; to protect information assets against security risks:

  • Information assets can be classified in a straightforward manner when they are communicated internally and externally. This is when employees and third parties can access and use the information.

  • Information processing and management can be streamlined through automation.

Who Has Ownership of Annex A 5.13?

Information assets can be labelled by adding metadata, so metadata stewards must be accountable for properly implementing the labelling process.

All data assets must be appropriately labelled, and asset owners must make any modifications to labelling with access and modification authorisations.

Jump to Topic

General Guidelines on How to Comply With ISO 27001:2022 Annex A 5.13

Using Annex A Control 5.13, organisations can label information in compliance with four specific steps.

Establish a Procedure for Labelling Information

The information classification scheme created per Annex A Control 5.12 should be adhered to by organisations’ Information Labelling Procedures.

5.13 also requires that this Procedure applies to all information assets, whether digital or paper and that the labels must be easily recognisable.

There is no limit to what this Procedure document can contain, but Annex A Control 5.13 requires that the procedures include the following:

  • An explanation of the methods for attaching labels to information assets based on the type of storage medium and how the data is accessed.

  • For each type of information asset, where the labels should be attached.

  • For instance, an organisation may omit publishing public data as part of its information labelling process.

  • Technical, legal, or contractual limitations prevent the labelling of certain types of information.

  • Rules govern how information should be labelled when transmitted internally or externally.

  • Instructions should accompany digital assets on how to insert metadata.

  • All assets should be labelled with the same names.

Provide Adequate Training on Labelling Procedures to Employees

Personnel and other relevant stakeholders must understand how to label information correctly and manage labelled information assets before the Procedure for labelling information can be effective.

As a result, organisations should train staff and other relevant parties about the Procedure.

Digital Information Assets Should Be Tagged With Metadata

Digital information assets must be labelled using metadata per 5.13.

Metadata deployment should also facilitate easy identification and searching for information and streamline decision-making between systems related to labelled information.

Extra Precautions Should Be Taken to Label Sensitive Data That May Leave the System

The Annex A 5.13 recommendation focuses on identifying the most appropriate label for outward transfers of critical and sensitive information assets, considering the risks involved.

Annex A 5.13 Supplementary Guidance

For data-sharing operations to be secure, it is essential to accurately identify and label classified information.

Annex A 5.13 also recommends that organisations insert additional metadata points. This is to say, the name of the process that created the information asset and the time at which it was created.

In addition, Annex A 5.13 describes the standard labelling techniques that organisations can use:

  • Physical labels

  • Headers and footers

  • Metadata

  • Watermarking

  • Rubber-stamps

Lastly, Annex A 5.13 emphasises that labelling information assets as ‘confidential’ and ‘classified’ can have unintended consequences. This may make it easier for malicious actors to discover and find sensitive information assets.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.13 replaces ISO 27001:2013 Annex A 8.2.2 (Labelling of Information).

Both Annex A controls are similar to some extent, but two key differences make the ISO 27001:2022 version more comprehensive.

The Use of Metadata Has Been Required to Meet New Requirements

While the 2013 version referred to metadata as a labelling technique, it did not impose any specific obligations for compliance when using metadata.

In contrast, the 2022 version incorporates differences and changes from ISO 27001:2013.

The Use of Metadata Is Now a Requirement

In 2013, metadata was referred to as a labelling technique, but no specific compliance obligations were imposed.

Contrary to this, the 2022 version includes strict requirements for metadata techniques. For instance, the 2022 version requires the following:

  • Adding metadata to information facilitates its identification, management, and discovery.

  • It is necessary to insert metadata for the name and date of the process which created the asset.

It Is Necessary to Provide More Details in the Information Labelling Procedure

Information Labelling Procedures in the 2013 version were not required to include the minimum content as in the 2022 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.online Helps

Implementing ISO 27001 is easier with our step-by-step checklist, which guides you from defining the scope of your ISMS through risk identification and Annex A control implementation.

Using our platform is intuitive and easy. It’s not just for highly technical employees but everyone in your company. We encourage you to involve your entire workforce in building your ISMS, as that helps you build a truly sustainable system.

Get in touch today to book a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now