ISO27001 requires that you not only classify information (as per A5.12 – Classification of information), but that you tell people about it too.
What does the standard require?
The standard states that “An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.” (A5.13 Labelling of information)
Why is this required?
When you created your classification scheme earlier (A5.12 – Classification of Information), you outlined how information is classified, and how it should be handled. This control is necessary to ensure that people and other interested parties are aware of the classification and understand it.
In short: there’s no point classifying information if you don’t then apply that classification to the information!
What the auditor is looking for
The auditor will be looking for evidence that labels are applied to information in an appropriate way. For example, labels might be physical, such as serial tags and numbers on laptops, or digital, such as header or footer information.
The auditor will also be looking for a documented procedure that states how labels will be used, and will check that the labelling corresponds to the classification scheme you selected earlier.
A good way to approach this is to ensure that document templates carry appropriate labelling in their headers or footers (depending on your house style). For example, all employment contracts should include “Classification: Confidential” in the footer. This way, all future contracts will instantly be labelled and classified correctly, and those using the contracts will know how to treat confidential information.
You should also speak to your IT team about ensuring that all emails carry appropriate labelling in their footer too. This can be set up relatively easily as a group policy, and ensures that all emails carry some form of label.
It’s important to note that labelling information can itself introduce some level of risk, so be aware of this. This is especially important when considering information transfers (A5.14 Information Transfer). For example, a file named ‘Highly Confidential – Payroll data’ is likely to attract attention precisely because of the label you have placed on it. Therefore care should always be taken when labelling information.
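The following is an added example, not part of the original page: a small audit script that checks exported documents for the footer label described above, flags labels that are not in the classification scheme, and flags the over-descriptive filenames the risk note warns about. The four-level scheme and the sample documents are constructed assumptions; the page itself only names “Confidential” and “Highly Confidential”.

```python
import re

# Assumed classification scheme (constructed for this example).
CLASSIFICATION_SCHEME = ("Public", "Internal", "Confidential", "Highly Confidential")

# Footer label format assumed for templates, e.g. "Classification: Confidential".
LABEL_RE = re.compile(r"^Classification:\s*(?P<label>.+?)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def find_label(text):
    """Return the classification label found in a document body, or None."""
    m = LABEL_RE.search(text)
    return m.group("label") if m else None


def check_document(name, text):
    """Return one of 'ok', 'unlabelled', 'unknown-label', 'label-in-filename'.

    'label-in-filename' catches names like 'Highly Confidential - Payroll.txt',
    where the label itself advertises the sensitivity of the file.
    """
    for level in CLASSIFICATION_SCHEME:
        if level.lower() in name.lower():
            return "label-in-filename"
    label = find_label(text)
    if label is None:
        return "unlabelled"
    if label.lower() not in (lvl.lower() for lvl in CLASSIFICATION_SCHEME):
        return "unknown-label"
    return "ok"


def audit(documents):
    """documents: mapping of filename -> text. Returns {filename: finding}."""
    return {name: check_document(name, text) for name, text in documents.items()}


# Constructed sample documents standing in for exported templates and contracts.
SAMPLE_DOCS = {
    "employment_contract.txt": "Terms...\nClassification: Confidential\n",
    "lunch_menu.txt": "Monday: soup\n",
    "board_minutes.txt": "Minutes...\nClassification: Secret\n",
    "Highly Confidential - Payroll.txt": "Salaries...\nClassification: Highly Confidential\n",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DOCS).items():
        print(f"{finding:18} {name}")
```

Documents reported as 'unlabelled' or 'unknown-label' are the evidence gap an auditor would pick up on; 'label-in-filename' findings are candidates for renaming before transfer.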
Q & A
How detailed should the label be?
Firstly, it should be in line with your Classification Scheme (A5.12 Classification of information), so it doesn’t need to be complicated or detailed at all. As long as the person receiving or handling the information understands what the classification is, and therefore what the label means, that’s perfectly fine. In short: it needs to make sense to you.
Who is responsible for labelling?
In the first instance, you, because you are the one putting the classification scheme together. You should therefore work with each function to understand what documents or information they are processing and then apply the appropriate classification (and label) to them. This includes updating employee contracts, supplier agreements, email templates and documents, schematics and other intellectual property.
From that point on, it is the responsibility of the creator of the information to apply an appropriate label to the document, which is again in line with your classification scheme.
Is it possible to get this wrong?
By implementing clear and concise procedures for labelling information, you can’t go far wrong. Used in conjunction with the Classification of information scheme, this is a relatively simple control to implement. As with many of the ISO27001 controls, the only mistake you can make is not to apply it at all.
Difficulty rating
We rate this 1 out of 5 for difficulty. This means that it requires little, if any, technical skill to understand the requirement. You need to relate your labelling to the classification scheme you created, and speak to information owners to understand how best to label informational assets.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship to other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and we’ll be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.