
What does control A.3.6 require?

An appropriate set of procedures for information labelling that considers PII shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.

This control sits within the shared security controls (Table A.3) and works directly with A.3.5 (Classification). Classification assigns a sensitivity level; labelling makes that level visible to anyone who handles the information.

What does the implementation guidance say?

Annex B (section B.3.6) provides focused guidance:

  • Ensure that people under the organisation’s control are aware of the definition of PII and how to recognise information that is PII
  • Labelling procedures should cover all formats: digital files, physical documents, emails, databases, storage media and system interfaces
  • Labels should be clear, consistent and aligned with the classification scheme defined under A.3.5 Classification of Information
  • Where automated labelling tools are used, they should be configured to identify and label PII appropriately
  • See also A.3.20: Storage Media for related requirements
  • See also A.3.21: Secure Disposal or Re-Use of Equipment for related requirements

The guidance is deliberately concise because the core challenge is not technical but behavioural: people need to know what PII looks like and how to label it correctly. Without this awareness, even the best classification scheme will not be applied consistently.

How does this map to GDPR?

Control A.3.6 maps to GDPR Article 5(1)(f) (integrity and confidentiality). The GDPR does not prescribe specific labelling requirements, but the principle of appropriate technical and organisational measures encompasses making information sensitivity visible so that it can be handled correctly. Labelling supports the practical implementation of data protection by design and by default (Article 25).

How does this relate to ISO 29100 privacy principles?

As a shared security control, A.3.6 supports the broader ISO 29100 framework. Consistent labelling of PII-containing assets is a practical implementation of the information security principle, ensuring that everyone who handles information can identify its sensitivity at a glance and apply the correct handling procedures.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

What evidence do auditors expect?

When assessing compliance with A.3.6, auditors will typically look for:

  • Labelling procedures — Documented procedures describing how information (including PII) should be labelled across all formats
  • Consistency with classification — Evidence that labelling aligns with the classification scheme defined under A.3.5 Classification of Information
  • Training and awareness — Evidence that personnel know what PII is, how to recognise it, and how to label it correctly
  • Spot checks — Sampled evidence of labelling in practice: documents with correct classification markings, databases with PII flags, emails with sensitivity labels
  • Automated labelling — Where tools are used, evidence of configuration and periodic validation that automated labels are accurate

What are the related controls?

  • A.3.5 Classification of information: Labelling implements the classification scheme by making sensitivity levels visible
  • A.3.7 Information transfer: Labels help enforce transfer rules by making it clear which information requires additional safeguards during transfer
  • A.3.3 Policies for information security: Labelling procedures should be referenced in or derived from the information security policy
  • A.3.8 Identity management: Labelled information can be used to enforce access restrictions through identity management systems
  • A.3.4 Roles and responsibilities: Information owners are responsible for ensuring their assets are correctly labelled

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered under Clause 6.5.2.2. The substance is unchanged. The 2025 restructure places labelling alongside classification in the shared security controls, reinforcing that the two work as a pair. The implementation guidance in B.3.6 retains the core message: ensure people can recognise PII and know how to label it. See the Annex F correspondence table for the full mapping.

Why choose ISMS.online for information labelling?

ISMS.online helps you implement and maintain consistent labelling across your organisation:

  • Asset labelling — Tag every information asset in the register with its classification level and PII status, creating a single source of truth
  • Labelling procedure templates — Use pre-built procedure templates that cover digital, physical and email labelling, then customise for your environment
  • Training and awareness campaigns — Distribute labelling guidance to all personnel and track who has completed the training
  • Compliance checks — Record the results of labelling spot checks and reviews, linking findings to corrective actions where needed
  • Integration with classification — Classification levels and labels are managed together, ensuring consistency between what the scheme says and what labels are actually applied

FAQs

What labelling methods are acceptable?

Any method that makes the classification level visible and actionable. For digital documents, this could be header/footer markings, metadata tags, or sensitivity labels in email and collaboration tools (e.g. Microsoft Purview Information Protection). For physical documents, printed classification markings or colour-coded folders work well. For databases and systems, labels can be applied through metadata fields or access control tags.


How do we ensure people recognise PII?

Provide clear definitions and examples in your training materials. PII includes obvious identifiers like names, email addresses and national ID numbers, but also less obvious data that can identify an individual in combination, such as job title, department and location. Use real-world examples from your own systems (anonymised) to help people recognise PII in context. Regular refresher training keeps awareness current.


Should automated labelling replace manual labelling?

Automated labelling tools can significantly improve consistency and reduce the burden on individuals, particularly for email and document labelling. However, they should complement rather than replace human judgement. Automated tools may miss PII, especially in unstructured content, and may also flag data that matches a pattern but is not PII about an individual (a shared mailbox address, a test record). A combination of automated default labelling, a manual override that records who changed a label and why, and periodic validation of a sample of labelled items is the most practical approach.
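The pattern described in this answer, and the "Spot checks" and "Automated labelling" evidence items above, can be made concrete in code. The following is an added example for this page, not ISMS.online code and not part of ISO 27701: a small labeller that applies a default label from a detector, lets a named person override it (a downgrade must carry a justification), and a validation routine that re-runs the detector over a random sample and reports every disagreement. The classification names, the regular expressions and the sample records are assumptions made for the demonstration; the detectors are deliberately minimal and would need a far broader pattern set in practice.

```python
"""Illustrative PII-aware labelling with a manual override and a periodic validation check.

Added example for this page; it is not ISMS.online code and not part of ISO 27701.
The classification names, the regular expressions and the sample records are
assumptions made for the demonstration.
"""
import random
import re
from dataclasses import dataclass, field

# Assumed classification scheme (the A.3.5 analogue), ordered least to most sensitive.
SCHEME = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "CONFIDENTIAL-PII"]

# Deliberately small set of detectors. The UK NI number pattern checks format only,
# not the letter-validity rules, and the phone pattern covers UK mobiles only.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_mobile": re.compile(r"\b(?:\+44\s?|0)7\d{3}\s?\d{6}\b"),
    "uk_nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def detect_pii(text: str) -> list:
    """Return the kinds of PII found in free text, in PII_PATTERNS order (empty if none)."""
    return [kind for kind, pattern in PII_PATTERNS.items() if pattern.search(text)]


@dataclass
class LabelledItem:
    item_id: str
    content: str
    label: str
    source: str                         # "auto" or "manual:<who>"
    justification: str = ""             # mandatory when a person lowers the label
    pii_types: list = field(default_factory=list)


def auto_label(item_id: str, content: str, default: str = "INTERNAL") -> LabelledItem:
    """Automated default labelling: any PII hit forces CONFIDENTIAL-PII, otherwise the default."""
    found = detect_pii(content)
    label = "CONFIDENTIAL-PII" if found else default
    return LabelledItem(item_id, content, label, "auto", pii_types=found)


def manual_override(item: LabelledItem, new_label: str, who: str, justification: str = "") -> LabelledItem:
    """Human override of an automated label.

    Raising sensitivity is always allowed; lowering it requires a written justification so
    the decision to reject the automated label is visible to a reviewer or auditor.
    """
    if new_label not in SCHEME:
        raise ValueError(f"{new_label!r} is not in the classification scheme")
    if SCHEME.index(new_label) < SCHEME.index(item.label) and not justification.strip():
        raise ValueError("lowering a label requires a justification")
    item.label = new_label
    item.source = f"manual:{who}"
    item.justification = justification
    return item


def validate_labels(items: list, sample_size: int, seed: int = 0) -> list:
    """Periodic validation (the spot check): re-run the detector over a random sample and
    report every item whose label disagrees with the detector, including justified overrides,
    so that each exception is reviewed rather than silently trusted."""
    rng = random.Random(seed)
    sample = rng.sample(items, min(sample_size, len(items)))
    findings = []
    for item in sample:
        found = detect_pii(item.content)
        if found and item.label != "CONFIDENTIAL-PII":
            findings.append((item.item_id, "under-labelled", found, item.source, item.justification))
        elif not found and item.label == "CONFIDENTIAL-PII" and item.source == "auto":
            findings.append((item.item_id, "possible over-labelling", found, item.source, ""))
    return findings


# Constructed sample records, not real data.
SAMPLE_RECORDS = {
    "DOC-1": "Q3 roadmap slides for the all-hands; no customer data included.",
    "DOC-2": "Please contact jane.doe@example.com about her claim, NI no. AB123456C.",
    "DOC-3": "Support ticket: caller on 07700 900123 reports a login failure.",
    "DOC-4": "Send product questions to support@example.com.",  # role mailbox: matches the pattern but is not PII
}


def run_example():
    """Label the sample set, apply one human override, then run the validation check."""
    items = [auto_label(item_id, content) for item_id, content in SAMPLE_RECORDS.items()]
    by_id = {item.item_id: item for item in items}
    # A reviewer judges the shared mailbox to be non-PII and lowers the label with a reason.
    manual_override(by_id["DOC-4"], "INTERNAL", "reviewer@example.com",
                    "shared role mailbox, not an individual's address")
    findings = validate_labels(items, sample_size=len(items))
    return by_id, findings


if __name__ == "__main__":
    labelled, report = run_example()
    for item in labelled.values():
        print(f"{item.item_id}: {item.label} ({item.source}) pii={item.pii_types}")
    for finding in report:
        print("validation finding:", finding)
```

Running the script labels DOC-2 and DOC-3 as CONFIDENTIAL-PII automatically, records the reviewer's downgrade of DOC-4 together with its justification, and the validation pass still lists DOC-4 as a finding. That last point is the design choice worth keeping: a justified override is evidence an auditor can inspect, so the check reports it alongside the source and reason rather than treating any manual label as final.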



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.