ISO 27001:2022 Annex A Control 5.13

General Guidelines on How to Comply With ISO 27001:2022 Annex A 5.13

Using Annex A Control 5.13, organisations can label information in compliance with four specific steps.

Establish a Procedure for Labelling Information

The information classification scheme created per Annex A Control 5.12 should be adhered to by organisations’ Information Labelling Procedures.

5.13 also requires that this Procedure applies to all information assets, whether digital or paper and that the labels must be easily recognisable.

There is no limit to what this Procedure document can contain, but Annex A Control 5.13 requires that the procedures include the following:

• An explanation of the methods for attaching labels to information assets based on the type of storage medium and how the data is accessed.
• For each type of information asset, where the labels should be attached.
• For instance, an organisation may omit publishing public data as part of its information labelling process.
• Technical, legal, or contractual limitations prevent the labelling of certain types of information.
• Rules govern how information should be labelled when transmitted internally or externally.
• Instructions should accompany digital assets on how to insert metadata.
• All assets should be labelled with the same names.

Provide Adequate Training on Labelling Procedures to Employees

Personnel and other relevant stakeholders must understand how to label information correctly and manage labelled information assets before the Procedure for labelling information can be effective.

As a result, organisations should train staff and other relevant parties about the Procedure.

Digital Information Assets Should Be Tagged With Metadata

Digital information assets must be labelled using metadata per 5.13.

Metadata deployment should also facilitate easy identification and searching for information and streamline decision-making between systems related to labelled information.

Extra Precautions Should Be Taken to Label Sensitive Data That May Leave the System

The Annex A 5.13 recommendation focuses on identifying the most appropriate label for outward transfers of critical and sensitive information assets, considering the risks involved.

Annex A 5.13 Supplementary Guidance

For data-sharing operations to be secure, it is essential to accurately identify and label classified information.

Annex A 5.13 also recommends that organisations insert additional metadata points. This is to say, the name of the process that created the information asset and the time at which it was created.

In addition, Annex A 5.13 describes the standard labelling techniques that organisations can use:

• Physical labels
• Headers and footers
• Metadata
• Watermarking
• Rubber-stamps

Lastly, Annex A 5.13 emphasises that labelling information assets as ‘confidential’ and ‘classified’ can have unintended consequences. This may make it easier for malicious actors to discover and find sensitive information assets.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022 Annex A 5.13 replaces ISO 27001:2013 Annex A 8.2.2 (Labelling of Information).

Both Annex A controls are similar to some extent, but two key differences make the ISO 27001:2022 version more comprehensive.

The Use of Metadata Has Been Required to Meet New Requirements

While the 2013 version referred to metadata as a labelling technique, it did not impose any specific obligations for compliance when using metadata.

In contrast, the 2022 version incorporates differences and changes from ISO 27001:2013.

The Use of Metadata Is Now a Requirement

In 2013, metadata was referred to as a labelling technique, but no specific compliance obligations were imposed.

Contrary to this, the 2022 version includes strict requirements for metadata techniques. For instance, the 2022 version requires the following:

• Adding metadata to information facilitates its identification, management, and discovery.
• It is necessary to insert metadata for the name and date of the process which created the asset.

It Is Necessary to Provide More Details in the Information Labelling Procedure

Information Labelling Procedures in the 2013 version were not required to include the minimum content as in the 2022 version.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Helps

Implementing ISO 27001 is easier with our step-by-step checklist, which guides you from defining the scope of your ISMS through risk identification and Annex A control implementation.

Using our platform is intuitive and easy. It’s not just for highly technical employees but everyone in your company. We encourage you to involve your entire workforce in building your ISMS, as that helps you build a truly sustainable system.

Get in touch today to book a demo.