Evidence that an auditor would expect to see for A.5.13 Labelling of Information includes:

- Labelling Policy: A documented policy that sets out the organization's approach to labelling information according to its classification level.
- Labelling Standards: Clear standards and guidelines for creating and applying labels to different types of information assets, specifying the format, content, and placement of labels (for example, the permitted classification values, the syntax of any handling markings, and where the label appears on a document, e-mail, or file).
- Labelling Procedures: Detailed procedures explaining how to create, apply, change, and remove labels on the various kinds of information assets, including who is allowed to downgrade or remove a label.
- Examples of Labels: Sample labels showing the classification level (e.g., Public, Confidential, Secret) together with any other markings the scheme uses, such as handling instructions or access restrictions.
- Employee Training Records: Documentation showing that employees and other relevant stakeholders have been trained in how to apply labels correctly to information assets.
- Automated Labelling Tools: Information about any tools or software used to apply or enforce labels on documents, e-mails, files, and other information assets (for example, metadata or header fields written by a classification tool), and how those tools are configured to match the labelling standard.
- Review and Approval: Records showing how labels are reviewed and approved by the appropriate authorities within the organization so that they are applied consistently and accurately.
- Access Controls and Labelling: Documentation showing how labelling is integrated with access controls, so that only personnel authorized for a given classification level (and any handling restrictions on the label) can access the information.
- Monitoring and Enforcement: Evidence of mechanisms that monitor whether labels are applied correctly and that enforce the handling and protection measures the label requires (for example, DLP or mail-gateway rules keyed on the label, and reports of unlabelled or mislabelled assets).
- Auditing and Accountability: Records of audits or spot checks verifying that labels are correctly applied and that access controls and handling procedures match the labelled classification.
- Management Oversight: Evidence of management oversight and approval of labelling policies, procedures, and any changes made to the labelling standards.
By reviewing this evidence, an auditor can judge whether the organization has established effective practices for labelling information according to its classification level. Consistent labelling is what makes correct handling possible and lets access controls be tied to the sensitivity of the information rather than to ad hoc judgement.
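The three items above that have a technical side (a labelling standard with a fixed format, labels integrated with access controls, and a check that labels are applied correctly) can be tied together in a small script. The following is an added illustration written for this page, not code from any standard or product. It assumes a labelling format of the form CLASSIFICATION//HANDLING,HANDLING (the syntax, the level names, the handling markings and the rule that Confidential and above must carry certain handling markings are all assumptions chosen for the example), and a constructed asset inventory. It validates labels against that standard, makes an access decision from a principal's clearance plus the label's handling instructions, and audits the inventory for missing or non-compliant labels.

```python
"""
Label validation, access decision and label audit for an information-
labelling scheme. Added illustration; not from the page or any product.

Assumed labelling standard (an assumption chosen for this example):
  <CLASSIFICATION>[//<HANDLING>[,<HANDLING>...]]
  e.g.  "CONFIDENTIAL//ENCRYPT-AT-REST,NO-EXTERNAL"
"""
from dataclasses import dataclass, field
import re

# Ordered classification levels, lowest to highest (assumed scheme).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}
# Handling instructions the assumed standard permits.
HANDLING = {"NO-EXTERNAL", "ENCRYPT-AT-REST", "NEED-TO-KNOW"}
# Handling instructions that must be present at a given level (assumed rule).
REQUIRED_HANDLING = {
    "CONFIDENTIAL": {"ENCRYPT-AT-REST"},
    "SECRET": {"ENCRYPT-AT-REST", "NEED-TO-KNOW"},
}

# Labels are upper case only; anything else is malformed under this standard.
LABEL_RE = re.compile(r"^([A-Z]+)(?://([A-Z-]+(?:,[A-Z-]+)*))?$")


@dataclass(frozen=True)
class Label:
    level: str
    handling: frozenset


def parse_label(text):
    """Parse a label string; raise ValueError if it violates the standard."""
    m = LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed label: {text!r}")
    level, handling_part = m.group(1), m.group(2)
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    handling = frozenset(handling_part.split(",")) if handling_part else frozenset()
    unknown = handling - HANDLING
    if unknown:
        raise ValueError(f"unknown handling instruction(s): {sorted(unknown)}")
    missing = REQUIRED_HANDLING.get(level, set()) - handling
    if missing:
        raise ValueError(f"{level} requires handling {sorted(missing)}")
    return Label(level, handling)


@dataclass
class Principal:
    name: str
    clearance: str
    external: bool = False          # contractor / outside party
    need_to_know: set = field(default_factory=set)  # doc ids explicitly granted


def may_access(principal, doc_id, label):
    """Access decision: the clearance must dominate the label's level, and every
    handling instruction on the label must be satisfied (assumed rules)."""
    if LEVELS[principal.clearance] < LEVELS[label.level]:
        return False
    if "NO-EXTERNAL" in label.handling and principal.external:
        return False
    if "NEED-TO-KNOW" in label.handling and doc_id not in principal.need_to_know:
        return False
    return True


def audit_labels(inventory):
    """Audit an inventory {doc_id: label_text_or_None}; return (doc_id, finding)
    pairs for assets whose label is missing or does not meet the standard."""
    findings = []
    for doc_id, text in sorted(inventory.items()):
        if text is None or not text.strip():
            findings.append((doc_id, "missing label"))
            continue
        try:
            parse_label(text)
        except ValueError as e:
            findings.append((doc_id, str(e)))
    return findings


# Constructed sample inventory for the example (not real data).
SAMPLE_INVENTORY = {
    "HR-001": "CONFIDENTIAL//ENCRYPT-AT-REST,NO-EXTERNAL",
    "MKT-007": "PUBLIC",
    "FIN-042": None,                              # never labelled
    "ENG-113": "CONFIDENTIAL",                    # lacks required handling
    "OPS-009": "Confidential//ENCRYPT-AT-REST",   # wrong case: malformed
    "SEC-001": "SECRET//ENCRYPT-AT-REST,NEED-TO-KNOW",
}

if __name__ == "__main__":
    for doc, finding in audit_labels(SAMPLE_INVENTORY):
        print(f"{doc}: {finding}")
    hr = parse_label(SAMPLE_INVENTORY["HR-001"])
    alice = Principal("alice", "CONFIDENTIAL")
    bob = Principal("bob", "SECRET", external=True)
    print("alice -> HR-001:", may_access(alice, "HR-001", hr))  # True
    print("bob   -> HR-001:", may_access(bob, "HR-001", hr))    # False: NO-EXTERNAL
```

Run as a script it reports three audit findings (one unlabelled asset, one label missing a required handling marking, one malformed label) and then shows that a sufficiently cleared external user is still refused a document marked NO-EXTERNAL. The point for an auditor is the shape of the evidence: the label format is machine-checkable, the access decision is derived from the label rather than from a separate list, and the audit is a repeatable check over the inventory rather than a one-off review.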