A.5.13 Labelling of Information
What is this control?
ISO 27001 control A.5.13, Labelling of Information, requires that information be marked with its classification so that handling requirements can be communicated, automated, and enforced. Labelling is the primary mechanism for triggering data governance controls. The control covers electronic labelling, through mandatory sensitivity label policies in Microsoft Purview, and physical labelling of paper documents and storage media that contain confidential data.
How to implement in Microsoft 365
Implement A.5.13 by configuring a Microsoft Purview sensitivity label policy that enforces mandatory labelling with no default label, so that every user makes an explicit classification decision. Publish the classification scheme to all users in Microsoft 365 applications, including Outlook, Word, Excel, and Teams. Enable email attachment inheritance so that an email automatically receives a label matching the highest classification among its attachments.
Configure DLP policies to recommend labels when Sensitive Information Types (SITs) are detected. For physical assets, mark paper documents and removable storage that contain Confidential or Highly Confidential data with classification labels. Track hardware assets by serial number in Microsoft Intune.
What an auditor looks for
Auditors will verify the label policy configuration, confirming that mandatory labelling is enabled and that no default label is set. They will review the DLP policy configuration to confirm that email attachment inheritance and SIT-based label recommendations are active, and they will examine Activity Explorer data demonstrating that users are actively applying labels.
They will check the compliance scorecard showing label application rates by user, and they will verify the physical labelling procedures for paper documents and removable storage containing confidential data.
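One way to script both the policy settings described under "How to implement in Microsoft 365" and the configuration evidence an auditor asks for in this section, as an added example that is not the page's own code nor Microsoft's. It uses the Security & Compliance PowerShell cmdlets (Set-LabelPolicy, Get-LabelPolicy, Search-UnifiedAuditLog) from the ExchangeOnlineManagement module. The policy name is a placeholder, the Test-A513LabelPolicy and Get-A513LabelActivity functions are this example's own, and the Settings key names are assumed to match what Get-LabelPolicy reports in the tenant, which should be confirmed before running:

```powershell
# Added example, not code from the original page or from Microsoft: sets the
# Purview label-policy options A.5.13 calls for and then checks the same
# settings the way an auditor would. Requires the ExchangeOnlineManagement
# module and a role permitted to manage sensitivity labels. The policy name
# is a placeholder for the tenant's own published policy.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell session

$PolicyName = 'Global Sensitivity Label Policy'   # placeholder (assumption)

# 1. Users must label, no label is pre-selected, and downgrades need a reason.
#    Key names mirror those Get-LabelPolicy reports in its Settings property;
#    confirm them in your tenant before relying on this (assumption).
Set-LabelPolicy -Identity $PolicyName -Settings @{
    mandatory                     = 'true'
    requiredowngradejustification = 'true'
}

# 2. Email inherits the highest-priority label found on its attachments
#    (advanced setting for built-in labelling in Office apps).
Set-LabelPolicy -Identity $PolicyName -AdvancedSettings @{
    AttachmentAction = 'Automatic'
}

# Parse the "[key, value]" entries Get-LabelPolicy returns into a hashtable.
function ConvertTo-SettingsTable {
    param($Entries)
    $table = @{}
    foreach ($entry in @($Entries)) {
        if ("$entry" -match '^\[(?<k>[^,]+),\s*(?<v>.*)\]$') {
            $table[$Matches.k.Trim().ToLower()] = $Matches.v.Trim()
        }
    }
    return $table
}

# 3. Evidence check: returns a list of findings, empty when the policy matches
#    the control as the page describes it (mandatory, no default, inheritance).
function Test-A513LabelPolicy {
    param([string]$Identity)
    $policy   = Get-LabelPolicy -Identity $Identity
    $settings = ConvertTo-SettingsTable $policy.Settings
    $findings = @()

    if ($settings['mandatory'] -ne 'true') {
        $findings += 'Mandatory labelling is not enabled'
    }
    if ($settings['defaultlabelid']) {
        $findings += "A default label is set ($($settings['defaultlabelid']))"
    }
    if ($settings['attachmentaction'] -ne 'automatic') {
        $findings += 'Email attachment label inheritance is not automatic'
    }
    return $findings
}

# 4. Activity evidence: label-application events from the unified audit log,
#    summarised per user, as a scriptable complement to Activity Explorer.
function Get-A513LabelActivity {
    param([int]$Days = 30)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'SensitivityLabelApplied' -ResultSize 5000 |
        Group-Object -Property UserIds |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'User'; e = { $_.Name } }, Count
}

$findings = Test-A513LabelPolicy -Identity $PolicyName
if ($findings.Count -eq 0) {
    Write-Output "Label policy '$PolicyName' meets the A.5.13 configuration."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
Get-A513LabelActivity -Days 30 | Format-Table -AutoSize
```

Run the configuration section once, then keep the two functions as a recurring evidence task: an empty findings list plus a non-empty per-user activity table is the same pair of facts the auditor reads off the label policy and Activity Explorer. Search-UnifiedAuditLog caps a single call at 5000 records, so for large tenants page the results or narrow the date window.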
M365 capabilities that implement this control
Define and publish sensitivity label taxonomy with stakeholders
Deploy manual sensitivity labelling to users
Sensitivity labels on AI-consumed data, DLP policies for AI-generated content, Copilot governance configuration