Improve how your organisation labels its information.
Craig Pepper
Annex A 5.13 is there to improve how organisations label their information. Let’s break down Annex A 5.13, explain why it's important, and show how your organisation can use it effectively.
5.13 focuses on labelling information to ensure it’s identified properly and protected based on its sensitivity. Correct labelling helps prevent unauthorised access and misuse of data.
Why Labelling Information Matters
Clear Identification: Labels clearly show how sensitive information is and how it should be handled, reducing the risk of accidental exposure.
Efficient Management: Labelling makes it easier to manage data, ensuring that information is stored, accessed, and protected correctly.
Regulatory Compliance: Many regulations require certain data to be protected. Labelling helps meet these legal requirements.
Risk Reduction: Properly labelled information is better protected against data breaches and security incidents.
Key Steps for Effective Labelling
Define Labels: Create clear labels that categorise information by sensitivity and handling requirements. Common labels include Public, Internal, Confidential, and Restricted.
Set Procedures: Develop procedures for when and how to apply labels, who is responsible for labelling, and how to maintain labels.
Ensure Consistency: Standardise labels and make sure all employees understand and use them correctly.
Align with Classification: Match your labelling practices with your information classification policy (Annex A 5.12). Each piece of information should have a label that reflects its classification.
The 2022 update to ISO 27001 includes several changes to the labelling control previously covered under Annex A 8.2.2 in the 2013 version:
Metadata Requirement: The 2013 version referred to metadata as a labelling technique but did not mandate its use. The 2022 version requires adding metadata to information to facilitate its identification, management, and discovery. This includes metadata for the process name and creation date.
Detailed Labelling Procedures: The 2013 standard did not require specific details in labelling procedures. The 2022 update mandates comprehensive procedures, including methods for attaching labels, rules for labelling during internal and external transmission, and technical or legal constraints on labelling.
Standardised Labels: The 2022 version emphasises using standardised labels across the organisation to ensure consistent application and understanding of labels.
Automation Encouraged: The new standard encourages using automation tools to apply and manage labels, reducing human error and improving efficiency.
Cross-Organisational Consistency: The 2022 update highlights the need for consistent labelling when sharing information between organisations, ensuring that labels remain meaningful and intact.
Establish a Procedure for Labelling Information: Develop a clear procedure that applies to all information assets, whether digital or paper. Make labels easy to recognize and manage.
Train Employees: Ensure all employees understand the labelling procedures and the importance of correctly labelling information.
Tag Digital Information with Metadata: Use metadata to label digital assets, facilitating easy identification and management.
Label Sensitive Data Carefully: Take extra precautions when labelling sensitive data, especially when it may leave your system.
Harpe is a simple, easy-to-use tool that makes compliance with important standards such as ISO27001 quick and hassle-free. Harpe features guidance for implementing ISO27001 to the updated 2022 standard with everything you need. Our in-app checklist takes you through every step to implement a robust and secure ISMS within the new requirements.
Upload your documents and assign them a classification in line with Annex A 5.13 to keep track of how your information should be handled in your organisation.
Train your employees on your Information Classification policy (and others!) with our training page, complete with annual reminders for re-training.
With constant updates and fast support, there has never been a better time to chase an ISO27001:2022 certification with Harpe.