Labelling of Information is a procedure that enables organisations to put their information classification scheme into practice by attaching classification labels to relevant information assets.
Control 5.13 addresses how organisations should develop, implement and manage a robust information labelling procedure based on the classification scheme adopted through Control 5.12.
5.13 is a preventive control that protects information assets against security risks by helping organisations achieve two distinct purposes:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Information Protection | #Defence #Protection |
Considering that adding metadata to digital assets is the primary way of labelling information assets, metadata stewards shall be accountable for proper implementation of labelling procedure.
Alongside the metadata stewards, asset owners with access and modification authorisations shall be accountable for proper labelling of all data assets and shall make necessary modifications to labelling if needed.
Control 5.13 identifies four specific steps that organisations should implement to carry out labelling of information in compliance with 5.13.
Organisations should develop an organisation-wide Information Labelling Procedure that adheres to the information classification scheme created in accordance with Control 5.12.
Furthermore, 5.13 requires that this Procedure be extended to all information assets, regardless of whether it is in digital or paper format and that the labels must be easy to recognise.
While there is no limit to what this Procedure document can contain, the Control 5.13 states that the Procedures should at least include the following:
The Procedure for labelling of Information can be effective only to the extent that Personnel and other relevant stakeholders are well-informed about how to correctly label information and how to deal with labelled information assets.
Therefore, organisations should provide staff and other relevant parties with training on the Procedure.
5.13 requires the use of metadata for labelling of digital information assets.
Furthermore, it notes that the metadata should be deployed in a way that makes it easy and efficient to identify and search for information and also in a way that streamlines the decision-making process between systems related to labelled information.
Considering the risks involved in outward transfer of sensitive data from systems, 5.13 recommends organisations to label these information assets with those most appropriate to the level of criticality and sensitivity of the information concerned.
The 5.13 highlights that Identification and accurate labelling of classified information is vital to security of data sharing operations.
In addition to the four specific steps described above, 5.13 also recommends that organisations insert additional metadata points such as the name of the process that created the information asset and the time of such creation.
Furthermore, the 5.13 refers to the common labelling techniques that organisations can implement:
Lastly, the 5.13 emphasises that labelling information assets as ‘confidential’ and ‘classified’ can have unintended consequences because it may make it easier for malicious actors to search through and find sensitive information assets.
27002:2022/5.13 replaces 27002:2013/8.2.2 (Labelling of Information).
While the two controls are similar to some extent, there are two key differences which makes the 2022 version more comprehensive.
Whereas the 2013 version referred to metadata as a labelling technique, it did not impose any specific obligations for compliance when using metadata.
In contrast, the 2022 version brings strict requirements on how to use metadata technique. To illustrate, the 2022 version requires that:
Contrary to the 2022 version, the 2013 version did not specify the minimum content that should be included in a Information Labelling Procedure.
ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Our platform is intuitive and easy-to-use. It’s not just for highly technical people; it’s for everyone in your organisation. We encourage you to involve staff at all levels of your business in the process of building your ISMS, because that helps you to build a truly sustainable system.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
