Organisational | Preventive | Protect

A.5.12 Classification of Information

M365 Admin Path: Microsoft Purview compliance portal > Information protection

Evidence Source: Microsoft Purview

What is this control?

ISO 27001 control A.5.12 Classification of Information ensures the organisation identifies and protects information according to its sensitivity, value, and legal or contractual requirements. The control establishes a formal classification scheme defining protection baselines for different data types from General through Highly Confidential. Microsoft Purview Sensitivity Labels provide the technical infrastructure to assign, communicate, and enforce classification metadata across all information assets.

How to implement in Microsoft 365

Implement A.5.12 by defining and publishing the official classification scheme as Microsoft Purview Sensitivity Labels, with at minimum a General level, a Confidential level (with its variants), and a Highly Confidential level (with its variants). Configure labels with their associated protections, including encryption, access restrictions, and information rights management. Designate an asset owner for each classification level who is responsible for its review and maintenance.

Establish bi-annual classification review schedules for sensitive and confidential data owners. Implement an ownership registry linking business data categories to designated owner roles. Configure DLP policies to detect and enforce handling rules based on classification labels.
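The steps above, carried out in Security & Compliance PowerShell rather than the portal, as an added example that is not part of the original page and is not Microsoft's own guidance. It builds a three-level scheme with one protected variant, publishes it, and adds a DLP rule keyed to the label. The label names, the Finance group address, the policy names and the tenant details are assumptions for illustration; the cmdlets are from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original page): defines a minimal A.5.12 classification
# scheme as Purview sensitivity labels, publishes it, and adds a DLP rule that enforces
# handling based on the label. Requires the ExchangeOnlineManagement module and a role
# that can manage labels and DLP. Label names, the group address and policy names are
# assumptions for illustration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

# 1. Top-level classification levels (General -> Confidential -> Highly Confidential).
New-Label -Name "General" -DisplayName "General" `
    -Tooltip "Business data not intended for public release; no special handling." | Out-Null
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Sensitive business data; share only with people who need it." | Out-Null
New-Label -Name "Highly Confidential" -DisplayName "Highly Confidential" `
    -Tooltip "Most sensitive data; encrypted and restricted to named groups." | Out-Null

# 2. Sublabels (the "variants") carry the actual protection. The Highly Confidential
#    variant applies label-based encryption limited to one group with view/edit/reply
#    rights; FORWARD and EXPORT are deliberately not granted.
New-Label -Name "Confidential - All Employees" -DisplayName "All Employees" `
    -ParentId "Confidential" `
    -Tooltip "Confidential; readable by all staff, not by external parties." | Out-Null
New-Label -Name "HC - Finance Only" -DisplayName "Finance Only" `
    -ParentId "Highly Confidential" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "finance-team@contoso.example:VIEW,EDIT,REPLY" `
    -Tooltip "Highly Confidential; encrypted, Finance group only." | Out-Null

# 3. Publish the scheme so the labels appear in Office, Outlook and SharePoint.
New-LabelPolicy -Name "ISO27001 A.5.12 Classification Scheme" `
    -Labels "General","Confidential","Confidential - All Employees",
            "Highly Confidential","HC - Finance Only" `
    -ExchangeLocation All | Out-Null

# 4. DLP: block sharing of Highly Confidential items outside the organisation and
#    raise an incident report, so the label is enforced rather than advisory.
New-DlpCompliancePolicy -Name "A.5.12 Highly Confidential handling" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enable | Out-Null
New-DlpComplianceRule -Name "Block external sharing of Highly Confidential" `
    -Policy "A.5.12 Highly Confidential handling" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{
            operator = "Or"
            name     = "HighlyConfidentialLabels"
            labels   = @(
                @{ name = "Highly Confidential"; type = "Sensitivity" },
                @{ name = "HC - Finance Only";   type = "Sensitivity" }
            )
        })
    } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High | Out-Null
```

Run the DLP policy with `-Mode TestWithNotifications` first in a real tenant; switching to `Enable` only after reviewing the simulated matches avoids blocking legitimate business flows on day one.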

What an auditor looks for

Auditors will verify sensitivity label configuration in Microsoft Purview showing all classification levels are defined. They will review the data classification dashboard showing live inventory of data by sensitivity label. Auditors will examine Content Explorer reports demonstrating data assets have sensitivity labels applied.

They will verify the asset ownership register with defined categories, assigned owners, and review schedule. Auditors will check that DLP policies are configured to enforce classification-based handling rules across all M365 workloads.
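An added evidence-collection script (not part of the original page) that pulls the artefacts listed above from the tenant and checks the ownership register against the published labels. The output folder and the register entries are constructed assumptions; it expects an existing `Connect-IPPSSession` session.

```powershell
# Added example (not from the original page): collects the evidence an auditor asks for
# under A.5.12 (label scheme, published policies, DLP rules keyed to labels) and checks
# that the ownership register covers every top-level label. The register content and
# the output folder are constructed assumptions.
$out = "C:\Evidence\A.5.12"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Classification scheme: each label, its parent, priority and whether it encrypts.
$labels = Get-Label | Select-Object DisplayName, Name, ParentId, Priority,
    EncryptionEnabled, ContentType
$labels | Export-Csv -Path "$out\labels.csv" -NoTypeInformation

# 2. Publication: which label policies exist and where they apply.
Get-LabelPolicy | Select-Object Name, Enabled, ExchangeLocation, Labels |
    Export-Csv -Path "$out\label-policies.csv" -NoTypeInformation

# 3. Enforcement: DLP policies, their mode and workloads, and the rules' conditions.
Get-DlpCompliancePolicy | Select-Object Name, Mode, Workload |
    Export-Csv -Path "$out\dlp-policies.csv" -NoTypeInformation
Get-DlpComplianceRule | Select-Object Name, ParentPolicyName, Disabled, BlockAccess,
    AccessScope, ContentContainsSensitiveInformation |
    Export-Csv -Path "$out\dlp-rules.csv" -NoTypeInformation

# 4. Ownership register (constructed sample; in practice read from the real register).
$register = @(
    @{ Label = "General";             Owner = "Records Management"; ReviewCycle = "Bi-annual" }
    @{ Label = "Confidential";        Owner = "Head of Operations";  ReviewCycle = "Bi-annual" }
    @{ Label = "Highly Confidential"; Owner = "CFO";                 ReviewCycle = "Bi-annual" }
) | ForEach-Object { [pscustomobject]$_ }

# Every top-level label in the tenant must have a registered owner; report any gap,
# because an unowned classification level is a finding in its own right.
$topLevel = $labels | Where-Object { -not $_.ParentId }
$missing  = $topLevel | Where-Object { $_.DisplayName -notin $register.Label }
if ($missing) {
    Write-Warning ("Labels without a registered owner: " + ($missing.DisplayName -join ", "))
} else {
    Write-Output "All top-level labels have a registered owner and review cycle."
}
$register | Export-Csv -Path "$out\ownership-register.csv" -NoTypeInformation
```

The CSVs map one-to-one onto the evidence items above: labels.csv for the defined levels, label-policies.csv for publication, dlp-rules.csv for label-based handling rules, and ownership-register.csv for owners and review schedule. Content Explorer coverage figures are still taken from the portal.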

M365 capabilities that implement this control

Sensitivity Label Taxonomy (Info Gov)

Define and publish sensitivity label taxonomy with stakeholders

Manual Labeling (Info Gov)

Deploy manual sensitivity labeling to users

Label-Based Encryption (Info Gov)

Configure sensitivity labels with encryption protection

Client-Side Auto-Labeling (Info Gov)

Configure automatic labeling recommendations in Office clients

Service-Side Auto-Labeling (Info Gov)

Configure automatic labeling policies for SharePoint, OneDrive and Exchange

Trainable Classifiers (Info Gov)

Machine learning classifiers for content classification

AI Data Governance (Info Gov)

Sensitivity labels on AI-consumed data, DLP policies for AI-generated content, Copilot governance configuration