ISO 27001 Control 5.13 Labelling of information
This control requires organisations to define and apply procedures for visibly and technically marking information in accordance with the classification scheme defined in Control 5.12. Where 5.12 sets the levels, 5.13 makes those levels recognisable on real documents, emails, and systems.
Last Updated: 17 May 2026
Alan Parker, ISO 27001 Consultant & Internal Auditor,
Helping UK SMEs hit ISO 27001 in 90 days.
B.Sc (Hons) Information Systems · CISMP · ITIL Expert · 30+ years in IT governance and security.
ISO 27001 Control 5.13 Labelling of Information: “An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.”
https://www.iso.org/standard/27001
Key Takeaways
- Classification is the what; labelling is the how. 5.13 only works if 5.12 is already in place, because there’s no point applying labels you haven’t yet defined.
- Labels need to be easy to recognise and easy to apply. Anything that takes more than a couple of seconds per document will be skipped, and a skipped label is worse than no scheme at all.
- Visible labels can highlight sensitive information to attackers. Worth being deliberate about where Confidential markings appear externally (especially in email subject lines and out-of-office replies).
- Define where labelling is omitted. Specifying “we don’t label Public information” or “system-generated reports inherit the system classification” prevents staff from getting paralysed by edge cases.
Purpose of Information Labelling
Labelling is the operational bridge between a classification scheme that exists on paper and one that actually changes how staff and systems handle information.
So, we’ve defined the classification scheme under control 5.12, and now we have to make sure information is labelled according to that classification. In honesty, I’ve overlapped both controls, and I’m sure you can see why – you really cannot have one without the other.
Without labels, you have a policy nobody can act on; without data classification, everyone is making up their own labels and rules as they go.
The control exists to ensure that:
- Staff can tell at a glance (possibly the first thing they see) how sensitive a piece of information is, and know how to handle it without having to remember or look up the scheme
- Information protection systems (encryption, DLP, access control, retention) can make automated decisions based on the label rather than guessing
- Information retains its classification when it moves between people, departments, and systems
- Auditors and regulators can verify that the classification scheme is in actual use
5.13 is one of the most directly visible controls in your ISMS: when an auditor opens a document, the label is the first thing they see.
An Important Note:
I’d just like to clarify that when applying labelling, you only have to label those information assets that are within the scope of the ISMS. It’s easy to forget that sometimes, and if the ISMS is built and scoped around a customer-facing service, then it’s those documents/data, etc., that fall into that scope which need labelling. Not your entire business.
What Should Be in a Labelling Procedure
You don’t need a separate labelling procedure; you could include it in the classification policy. It doesn’t need to be long. It just needs to answer six key questions clearly:
What’s being labelled?
Every classification level from 5.12 applies across various formats, including electronic documents, emails, physical records, removable media, and information held in third-party systems.
Where is the labelling permitted to be omitted?
I usually say that public information often doesn’t need explicit labelling (the absence of a label is itself a label). Or system-generated outputs might inherit their classification from the system they came from, rather than being labelled per record. You need to define the exceptions explicitly so staff don’t have to guess. These exceptions might not jump out at you at first, so it may be an area where you need to reflect and update in response to feedback.
Who applies the label?
In almost all cases, this would be the information owner at the point of creation. For documents created from templates, the template carries the default label. For email, it’s the sender. For exported data, it’s the person exporting.
What does the label look like?
The exact wording, position, and (where relevant) formatting. “Confidential” in the document footer, right-aligned, 10pt grey. The specificity matters because inconsistency undermines the visibility the label is meant to provide. I might add a single sentence of guidance such as “Confidential – This data can only be accessed and shared with staff with appropriate authorisation.”
How is the label applied technically?
Document headers and footers are a good place to add labels. Sensitivity labels in 365 or Workspace, metadata tags, watermarks for printing, and physical stickers or rubber stamps for paper are all viable options. Cover the formats your business actually uses, in the way that causes the least friction. I would say that in my experience, people mostly add it in two places: 1) in the document itself, near the title, and 2) in the asset register.
What happens when the label can’t be applied?
Some systems don’t support per-document labelling; for those, document the system-level classification and the export rules that apply when information leaves the system.
Labelling Techniques by Format
Different information formats need different labelling approaches. A working procedure should cover each format your business uses. Here are some key examples for formats and approaches you can use:
| Format | Labelling Technique | Notes |
|---|---|---|
| Office documents (Word, Excel, PowerPoint, etc.) | Sensitivity label (365 or Workspace); header/footer text as the fallback | Sensitivity labels are preferable because they’re machine-readable and travel with the file. Header/footer is the fallback. |
| PDFs | Header text on every page; metadata fields | PDFs created by export should inherit the source document’s classification automatically where the tooling supports it. |
| Emails | Subject line tag or banner; sensitivity label | Be deliberate about external visibility. A “Confidential” prefix in the subject line broadcasts sensitivity to any recipient. |
| SharePoint sites, Teams, Slack | Sensitivity label applied at the container level | Containers inherit the classification of the most sensitive information they’re approved to hold. |
| Databases and SaaS systems | System-level classification rather than per-record | The system carries the label; exports must apply the appropriate label to the data leaving the system. |
| Paper records | Header text on documents; cover sheets for files; physical stickers or stamps for archival material | The fact that it’s paper doesn’t make it less important; many breaches still involve printed documents. |
| Removable media | Physical label on the device showing the classification of the most sensitive data it carries | If the media holds Confidential data, treat the device as Confidential even when it carries less sensitive content too. |
| Third-party systems and SaaS | Configuration of the platform’s classification capability, or contractual obligation on the supplier | Some platforms can’t be configured for your scheme; for those, document the residual risk and treatment. |
Email labelling needs careful thought. Confidential markings in subject lines, banners, or attachments can reach external recipients, thereby broadcasting their sensitivity. Use sensitivity labels that apply protection (encryption, access restrictions) rather than visible markings where external transmission is likely.
Labelling At A System Level
I wouldn’t recommend trying to label everything individually. You don’t have to.
It’s quite legitimate to classify and label at the system level: for digital systems that hold many records (CRM, finance, HR), label at the system level and rely on export procedures when data leaves.
I would suggest that the place to do this is in your asset register created under control 5.9. There, you would identify all your information assets, for example, your HR data, residing on the HR application, and you could note there that HR data is classified as confidential, and that’s the labelling part. You still have to ensure people are aware of the label you’ve given to it, but it ticks the box quickly and sensibly. You could even have a table in your information security policy or classification scheme that summarises the different information assets and their classifications.
Most SMEs don’t need to buy additional tooling for this; they need to configure what they already have. The first 30 minutes of admin console work is usually the highest-yield labelling effort an SME can make.
I covered the practical guidance for rolling out sensitivity labels in more detail under Control 5.12, particularly around mandatory labelling and the order of changes. The same approach applies here.
A Note on Metadata
Where you’re using Microsoft 365 sensitivity labels or Google Drive Labels, you’re already applying metadata-based labelling, whether you call it that or not. The label travels with the file as structured data, which is what enables DLP systems, retention policies, and conditional access to read the classification and act on it. The standard doesn’t mandate metadata specifically, but for any business relying on automated information protection, label-based metadata is generally easier than trying to make security tools read header text. For paper records and removable media, traditional visible labelling remains appropriate.
The Visibility Paradox
Visible labels are useful precisely because they’re visible: staff see the classification without having to think about it. But visibility cuts both ways. A document marked “Confidential” tells the legitimate reader to handle it carefully; it also tells an attacker which documents are worth stealing.
For most businesses, the trade-off favours visible labelling because the internal handling benefit substantially outweighs the targeting risk. But three situations are worth being deliberate about:
- External-facing documents. Documents shared with customers, suppliers, or regulators should generally not carry your internal classification markers. Either remove the label before sharing or use a classification specifically for external use.
- Email subject lines and banners. A “Confidential” prefix on an external email broadcasts sensitivity in ways that can be picked up by anyone who sees a notification, an out-of-office reply, or a Slack/Teams notification.
- Document filenames. A file named “Confidential – 2026 Pricing Strategy.docx” tells anyone who can see the filename (including IT admins, anyone with directory listing access, anyone receiving an attachment) what’s inside without needing to open it.
The pragmatic fix isn’t to avoid labelling; it’s to design the labelling to provide the internal handling signal without unnecessarily exposing sensitivity externally.
Embedding Labelling Through Tooling
The most reliable way to make labelling stick is to bake it into the tools staff already use. For most SMEs, that means Microsoft 365 or Google Workspace; the labelling capability is already paid for if you’re on Business Premium or Workspace Business Standard.
For Microsoft 365 users
Sensitivity Labels (via Purview Information Protection) let you:
- Apply labels to Word, Excel, PowerPoint, Outlook, SharePoint, and Teams from one consistent interface
- Make labelling mandatory before users can save a document or send an email
- Trigger protections (encryption, external sharing restrictions, watermarks) automatically when a label is applied
- Cover containers (Teams channels, SharePoint sites) as well as individual documents
For Google Workspace users
Sensitivity Labels offer the equivalent:
- Apply labels to Docs, Sheets, Slides, PDFs, and Gmail messages
- Auto-apply default classifications based on shared drive or user group
- Tie DLP rules to labels (preventing external sharing of Confidential content, for example)
Here are two guides that help you set it up, and give more context on the Google environment, but I have to admit, this isn’t my ecosystem, so I’m leaning on external resources.
https://knowledge.workspace.google.com/admin/security/get-started-as-a-classification-labels-admin
What Auditors Will Look For
The auditor checks three things on 5.13:
- A documented labelling procedure that maps to your classification scheme under 5.12. The two documents should agree on the classification names and the handling rules they trigger.
- Evidence that the procedure is being followed. Sample documents, emails, and system outputs across different teams and information types. The auditor will pick at random; consistency across the sample is what they want to see.
- Coverage of all relevant formats. Electronic, email, physical, removable media, third-party systems. A procedure that only addresses Word documents while the business runs on SaaS leaves obvious gaps.
In practice, auditors test this by asking staff to show them how they’d create or share a piece of Confidential information, and whether they’d know what to label it. The most common audit finding for this control is a published procedure that’s not used.
Common Issues I Find
Labelling tends to falter not because organisations lack a procedure, but because the procedure doesn’t withstand the rigours of day-to-day work. It’s too heavy, bureaucratic, and not enforced.
Here’s what I commonly see:
- The procedure covers documents but not emails. Most information flows through email these days; if the labelling procedure is silent on email, the bulk of the information landscape is unlabelled. The fix is usually to enable sensitivity labels in Outlook or Gmail and add them to the procedure.
- No procedure for third-party systems. Information stored in SaaS tools (project management, support, marketing automation) often isn’t covered by the labelling procedure at all. Even if you can’t apply technical labels in those systems, the procedure should at least state what classification applies and who’s accountable.
- Public information labelled by accident. Marketing collateral, website content, and published documents are being marked “Internal” or “Confidential” because the template defaults to that. Worth defining what to do for content that’s deliberately public and making it easy to remove or skip the label there.
Rapid Self-Check
Reading about labelling is one thing, but knowing whether yours is actually working is another.
So, here’s a quick five-minute run-through: check these questions against your own setup. If you can answer “yes” to most of them, your labelling is working. Anything you answer “no” or “not sure” to is a gap worth closing.
- Open the last five documents you created – Are they labelled consistently, with the same wording, position, and format?
- Send yourself a test email – Does a sensitivity label option appear in Outlook or Gmail?
- Open your asset register – Does it record the classification of each information asset, or just the asset itself? System-level labelling lives here, so if it’s blank, the system-level part of your scheme isn’t in place.
- Pick one SaaS tool your business uses heavily. Has anyone documented the classification of the data it holds, and what label applies to anything exported from it?
- Look at the last document you shared externally. Does it still carry an internal classification label that shouldn’t be there? If your “Confidential” footer is now sitting in a customer’s email folder, that’s a visibility paradox in action.
None of these are ‘gotcha’ questions designed to trip you up. They’re the same checks an auditor or internal reviewer would run when sampling your labelling in practice. The point is to surface gaps you can fix today, rather than discovering them when someone external is looking.
Example Labelling Procedure
To make the six questions above concrete, here’s what those answers might look like for a typical smaller SaaS company using Microsoft 365.
What’s being labelled
All information assets within the scope of our ISMS: Office documents, PDFs, emails, SharePoint sites, Teams channels, paper records held in the Bolton office, removable media issued to staff, and information held in our CRM (Salesforce), HR system (BambooHR), and finance system (Xero).
Classification levels per the Information Classification Scheme: Public, Internal, Confidential.
Where labelling is omitted
Public information does not require an explicit label; the absence of a label indicates Public by default.
Marketing collateral, website content, and published documents are explicitly excluded from internal labelling to avoid accidental “Confidential” markers on customer-facing materials.
System-generated exports from Salesforce, BambooHR, and Xero inherit the system’s default classification (Confidential) and do not require per-record labelling.
Who applies the label
The information owner at the point of creation.
For new documents, the template applies the default label (Internal); the author adjusts to Confidential where the content warrants it.
For email, the sender applies the appropriate sensitivity label before sending. For exported data, the person performing the export applies the appropriate label to the resulting file. Owners are identified in the asset register under Control 5.9.
What the label looks like
For Office documents and PDFs: Microsoft 365 Sensitivity Label applied via the ribbon, displaying the classification name as a footer banner in the document.
For emails: Sensitivity Label applied via Outlook, displaying as a banner at the top of the message.
For paper records: header text on each page, plus a cover sheet for files held in archival storage.
For removable media: a physical sticker on the device showing the classification of the most sensitive content carried.
How the label is applied technically
Microsoft 365 Sensitivity Labels are configured in Purview Information Protection, with mandatory enforcement enabled. The default label for new documents is Internal.
Labels trigger protections automatically: Confidential documents are encrypted and restricted to internal sharing by default; Internal documents are restricted to authenticated company accounts.
Paper labels are applied manually by the document owner; physical media labels are applied by IT at the point of issue.
What happens when the label can’t be applied
For systems that don’t support per-record labelling (Salesforce, BambooHR, Xero), the system carries the classification at the system level, and the asset register records this. Any data exported from these systems must have the appropriate label applied to the export file by the person exporting.
When the export tool doesn’t support sensitivity labels (e.g., CSV export), the file is renamed to include the classification in the filename, and a header row is added to the data.
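The CSV export rule above is the one part of this example procedure that staff apply by hand, so it is also the one most likely to drift. The following is an added example, not part of the article or any Iseo Blue template, showing how that step can be scripted and checked: it applies the classification to an export (prefix in the filename plus a header row in the data), reads the label back from both places and flags disagreement, treats an unlabelled file as Public and mixed labels at the highest level present (the rules stated in the procedure and the FAQ), and shows a label driving an automated sharing decision in the way the procedure describes for Confidential and Internal content. The filename prefix format, the header-line format, the company domain and the sample export are my own constructed conventions, not anything the page or Microsoft 365 prescribes.

```python
# Added example; not from the article or any Iseo Blue toolkit.
# Conventions below (filename prefix, "# Classification:" header line,
# company domain) are constructed for this illustration only.
import csv
import re

# Classification scheme from the example procedure, ordered low to high.
LEVELS = ["Public", "Internal", "Confidential"]
LABEL_KEY = "Classification"
COMPANY_DOMAIN = "example.co.uk"  # constructed placeholder, not a real tenant

# Constructed sample export, shaped like a CRM contact export (no real data).
SAMPLE_EXPORT = (
    "name,email\n"
    "A. Person,a.person@customer.test\n"
    "B. Person,b.person@customer.test\n"
)

LEVEL_RE = "(" + "|".join(LEVELS) + ")"


def highest(labels):
    """Mixed content is handled at the highest classification present (FAQ rule)."""
    return max(labels, key=LEVELS.index)


def label_export(csv_text, classification, original_name):
    """Apply the system's classification to an export file: prefix the
    filename and prepend a header row. Returns (new_filename, labelled_text)."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification: {classification}")
    header = f"# {LABEL_KEY}: {classification}\n"
    return f"{classification} - {original_name}", header + csv_text


def read_label(filename, csv_text):
    """Recover the label from both the filename and the header row.
    'consistent' is False only when the two places disagree; a file with no
    label anywhere is Public by default, as the procedure states."""
    name_match = re.match(rf"^{LEVEL_RE} - ", filename)
    first_line = csv_text.split("\n", 1)[0]
    head_match = re.match(rf"^#\s*{LABEL_KEY}:\s*{LEVEL_RE}\s*$", first_line)
    found = [m.group(1) for m in (name_match, head_match) if m]
    return {
        "filename": name_match.group(1) if name_match else None,
        "header": head_match.group(1) if head_match else None,
        "consistent": len(set(found)) <= 1,
        # On disagreement, fail safe: handle at the higher of the two levels.
        "effective": highest(found) if found else "Public",
    }


def data_rows(csv_text):
    """Return the parsed data rows with the label row stripped, so ordinary
    CSV consumers still see the original export."""
    lines = csv_text.split("\n")
    if lines and lines[0].startswith("#"):
        lines = lines[1:]
    return list(csv.reader(line for line in lines if line))


def sharing_decision(label, recipient_email):
    """Automated handling driven by the label, mirroring the protections in
    the example procedure: Confidential is encrypted and kept internal,
    Internal is limited to company accounts, Public is unrestricted."""
    internal = recipient_email.lower().endswith("@" + COMPANY_DOMAIN)
    if label == "Confidential":
        return {"allowed": internal, "encrypt": True}
    if label == "Internal":
        return {"allowed": internal, "encrypt": False}
    return {"allowed": True, "encrypt": False}


if __name__ == "__main__":
    # Exports from the CRM inherit its system-level classification (Confidential).
    name, text = label_export(SAMPLE_EXPORT, "Confidential", "contacts.csv")
    print(name)
    print(read_label(name, text))
    print(sharing_decision(read_label(name, text)["effective"], "someone@customer.test"))
```

Run `read_label` over a folder of recent exports and the "consistent" and "effective" fields give you the self-check in the section above in script form: a file whose name was changed after export but still carries its header row is caught, and a file with no label in either place is surfaced as Public so you can confirm that was intentional.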
How Control 5.13 Links to Other Clauses and Controls
Labelling is one of the most directly connected controls in the ISMS because the label triggers most downstream handling decisions.
- Annex A 5.9 – Inventory of information and associated assets: The owners identified under 5.9 are typically the people who apply labels at the point of creation.
- Annex A 5.10 – Acceptable use of information and other associated assets: Acceptable use rules differ by classification, which is read from the label. The AUP and the labelling procedure should reinforce each other.
- Annex A 5.12 – Classification of information: The upstream control. 5.13 has nothing to operate on without 5.12.
- Annex A 5.14 – Information transfer: Transfer rules differ by classification and are typically enforced by reading the label or sensitivity tag on the information being transferred.
- Annex A 5.15 – Access control: Access decisions are often driven by classification, which is read from the label.
- Annex A 7.10 – Storage media: The labelling on removable media (physical or otherwise) carries the classification through transport and storage.
- Annex A 8.12 – Data leakage prevention: DLP rules typically match on classification labels or metadata. Without labels, the DLP system has nothing to match on.
- Annex A 8.24 – Use of cryptography: Encryption requirements differ by classification, typically enforced through the sensitivity label.
FAQs
What’s the difference between classification and labelling?
Classification is the decision about how sensitive a piece of information is, made under Control 5.12. Labelling is how that decision is communicated visibly and technically, under Control 5.13. Classification without labelling is theoretical; labelling without classification has nothing to communicate.
Do we have to label everything?
No. Most schemes allow Public information to go unlabelled, and most SMEs apply labels at the system or container level for data that lives only inside a specific system. The procedure should specify what’s labelled, what isn’t, and why.
What’s the right format for a label?
The format is your choice, provided it’s consistent. Common patterns: footer text in documents, sensitivity labels in 365 or Workspace, subject line prefix or banner in emails, physical sticker for paper and removable media. Pick the format that fits each platform and stick to it.
Should Confidential labels appear in email subject lines?
Be cautious. Visible labels in email subjects can broadcast sensitivity externally. For external email, prefer sensitivity labels with protective actions (encryption, access restriction) rather than visible markings. For internal email, visible labels are generally fine and reinforce handling expectations.
What if a document contains mixed classifications?
Label at the highest classification present in the document. If most content is Internal and only one section is Confidential, consider splitting the document so the Internal portion can be shared more widely.
Conclusion
Labelling is the discipline that makes classification real. Without it, your scheme is a policy document; with it, you have visible signals that accompany every piece of information and automatically trigger the right handling.
For most SMEs, the pragmatic approach is straightforward: align labels with the classifications you’ve defined under 5.12, use the sensitivity-label capability in 365 or Workspace rather than building bespoke tooling, define the exceptions explicitly so staff aren’t paralysed by edge cases, and test the procedure by sampling real documents rather than admiring it in a policy library.
If you’d like a ready-made Information Labelling Procedure template alongside the wider ISMS documents, the Iseo Blue ISO 27001 Toolkit includes both. Or if you’d rather talk through how to right-size labelling for your specific business, the free 30-minute consultation is genuinely free and genuinely 30 minutes.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.