
ISO 27001:2022 Annex A Control 5.13

Labelling of information

Annex A control 5.13 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 8.2.2

Following on from Annex A Control 5.12’s classification of information instructions, ISO 27001:2022 Annex A Control 5.13 covers a set of procedures for information labelling.

The control outlines how information must be organised and made identifiable. Labels must be easy to recognise and manage, in order to mitigate the risk that they are ignored or applied inconsistently. Organisations should develop, implement, and manage a comprehensive information labelling procedure.

What is the purpose of Annex A Control 5.13?

Through Annex A 5.13, information assets can be classified in a straightforward way, and this classification scheme should be communicated both internally and externally, so that employees and third parties know how to access and use the information appropriately.

Automation can be used to help with information processing and management. Annex 5.13 also focuses on protecting information against security risks.

Assets can be labelled by adding metadata, which means that metadata stewards should be accountable for implementing the labelling process.

Complying with ISO 27001:2022 Annex A Control 5.13

There are four steps involved in labelling information in order to comply with the guidelines presented in 5.13:

Establish a labelling procedure for information

An organisation’s information labelling procedures should adhere to the classification scheme created under Annex A 5.12. Control 5.13 states that this procedure must be applied to all information assets, both physical (paper) and digital.

Labels must be easy to recognise. Control 5.13 requires that procedures include the following:

  • An explanation of the methods for attaching labels to assets, based on the type of storage medium and how the data is accessed.
  • Instructions on where to attach labels for each type of information asset. Organisations may choose to omit public information from the labelling process.
  • An outline of any technical, legal, or contractual limitations that prevent the labelling of certain types of information.
  • Clear rules relating to the internal and external transmission of assets.
  • Instructions on how to insert metadata.
  • A consistent naming structure for labels, applied to all assets.

Provide employees with training relating to the labelling process

Personnel and relevant stakeholders must understand how to correctly label information and manage assets in order for the procedure to be effective. To ensure this, organisations should train staff and other relevant parties on how the procedure works.

Tag digital information assets with metadata

Control 5.13 outlines that digital information must be labelled using metadata. The metadata should make information easy to identify and search for, and should streamline decisions about handling between the systems that process labelled information.

Additional precautions for the labelling of sensitive data

Organisations must identify the most appropriate label for outward transfers of sensitive and critical information assets, making sure they consider all the potential risks involved.

For data sharing to be secure, accurate identification and labelling of classified information is essential. Control 5.13 also emphasises a caveat: labelling information assets as confidential or classified can make it easier for malicious threat actors to discover sensitive information, so this risk should be weighed when deciding how visibly labels are applied.

What are the changes from ISO 27001:2013?

ISO 27001:2022 Annex A Control 5.13 has been created to replace 2013’s Annex A Control 8.2.2, which also dealt with the labelling of information.

Both controls are similar in many ways. However, there are two key differences. First, the use of metadata is now required to meet the new control. While the 2013 version listed metadata as a labelling technique, there was no obligation to use it. Second, there are now strict requirements for the metadata itself: adding metadata to information must facilitate its management, discovery, and identification, and it is necessary to insert metadata for the name and data of the process.