Classifying, Labeling, Transferring: 3 ISO 27001 Controls That Cannot Be Separated
What is this about (and for whom)?
Are you working towards ISO 27001:2022 certification, or setting up an ISMS to comply with NIS2? Then you'll encounter these three Annex A controls sooner or later:
- A.5.12 Information Classification: you sort your information by sensitivity and value.
- A.5.13 Information Labelling: you visibly mark that information, so everyone knows what they're dealing with.
- A.5.14 Information Transfer: you manage how information securely moves from A to B, internally and externally.
You can only transfer information securely if you know how sensitive it is and if it carries the correct label. That is why these three controls form one chain: classification decides the protection level, labelling makes that decision visible, and transfer rules enforce it at the moment information leaves your control. Organizations that approach them separately make things difficult for themselves.
Why does this affect your organization?
There are three reasons why this matters:
1. Without classification, no one knows what to protect.
Anyone who labels everything as 'Confidential' is asking employees to ignore the system. Without any classification, employees treat customer files as if they were public information. Both situations cost money, either through wasted resources or through data breaches.
2. Auditors look at this more closely than you think.
We see many organizations relying on a SaaS tool that automatically applies tags. This looks neat in the audit trail, until a lead auditor asks one question: "Why is this document Confidential?" If the employee cannot explain this, the auditor may record an observation, and in more than one case we have seen a minor non-conformity issued against A.5.12. A green checkmark in a compliance portal does not prove a secure culture.
3. Data breaches occur at transition points.
A manufacturing company we advised had A.5.12 perfectly in order: all customer files were correctly classified. Yet a package of customer data leaked. The standard tool for supplier exchange was WeTransfer, used without a data processing agreement and without any rule specifying which classification level was allowed via which channel. The tool was not the root cause; the missing transfer controls were. Incidents like this are not isolated; they are broken links in the chain between A.5.12, A.5.13, and A.5.14.
Here's how to do it: 5 steps
Step 1. Define your classification scheme
Start simple. Three or four levels suffice for most organizations. A common setup:
- Public: freely shareable, no damage upon disclosure
- Internal: for employees, limited damage
- Confidential: sensitive, significant damage
- Strictly Confidential: critical, severe business impact
For each level, describe what it entails, what the impact of disclosure would be, and give examples from your own practice. Store the scheme where your employees actually work: not in a separate policy PDF, but within your document management system itself.
Step 2. Assign asset owners
Assign one owner per information asset. This person determines the classification level and reviews it periodically. Record these owners in your asset register and link them to A.5.9 (inventory of information and other associated assets) and A.5.10 (acceptable use of information and other associated assets). Without a designated owner, your ISMS lacks the crucial link between an asset and the behavioural rules that apply to it, which is exactly what auditors will scrutinize.
Step 3. Define labels and metadata conventions
Labels operate on two levels.
- Digital: for example, metadata tags, sensitivity labels in Microsoft 365 or Google Workspace, watermarks, headers, and footers in documents. For larger environments, a DLP platform like Microsoft Purview, Boldon James, or Symantec can help.
- Physical: for example, stamps, color coding on folders, or marked media.
Automate where possible, but let humans decide where it matters. A sensitivity label applied solely by an automated classifier does not provide the same audit evidence as a label consciously assigned by an employee who can explain the choice.
Step 4. Establish transfer controls per level
Here, the three controls converge. For each classification level, determine:
- Channels — which ones are allowed? (email, Teams, physical courier, secure data room)
- Encryption — what requirements apply during transport and storage?
- Contracts — which NDAs and data processing agreements need to be ready for transfer to external parties?
- Chain of custody — a record of every hand-over of the information: who sent or handed it over, who received it, when, and where, so that origin and integrity can be demonstrated afterwards.
- Verbal transfer — what rules apply to calls made from a public space or discussing client files in an open-plan office? (Often overlooked, explicitly part of A.5.14.)
Make these rules concrete and testable. A rule such as "Confidential files always go to suppliers via Tresorit" is useful because anyone can check whether it was followed. "Send securely where relevant" is not.
Step 5. Train your people and monitor practices
The best rules only work if people understand why they exist. Train on the why, meaning what goes wrong when it is done incorrectly, and not just on the how. Afterwards, conduct monthly spot checks (scheduled in your operational annual plan) on a randomly selected document from your systems. Is the classification correct? Is the label correct? Was it shared via an authorized channel? Document each spot check. That logbook is your audit evidence.
The three most common pitfalls we encounter
In our audit practice, we consistently observe three recurring findings, partly because employees are often reluctant to spend effort on labelling information:
- Blind reliance on automation — the tool applies the tags, and no one checks them.
- Over-classification — marking everything as 'Confidential', which makes the entire classification meaningless.
- Disconnection from the asset register — a classification level that is not centrally recorded anywhere.
None of these three is fatal if discovered internally in time. It only becomes a problem when an external auditor is the first to identify them. To make the process less time-consuming and to apply classification and labelling effectively, consider whether it makes sense to classify by system, topic, or department. For instance, you could examine whether documents within HR, or systems such as AFAS, can be classified as 'Confidential' by default, with the asset owner confirming that default.
Ready to implement this effectively?
We know exactly how to align A.5.12, A.5.13, and A.5.14 and where the chain breaks. Want to know more?
- Schedule a free, no-obligation consultation
- Or browse our other ISO 27001 articles