A.5.12 / A.8.2 / NIST 800-53 MP-3 / CIS-3.12 ISO/IEC 27001:2022 Annex A

Data classification and labelling

Description

What this control does

Data classification and labelling is the systematic categorization of organizational data assets by sensitivity, regulatory obligations, and business impact, combined with persistent metadata labels that travel with the data. The organization defines classification tiers (for example Public, Internal, Confidential, Restricted) with handling requirements for each tier, then applies labels manually or automatically through DLP tools, file-system metadata, or dedicated classification software. Consistent labels let security measures be applied in proportion to sensitivity, support regulatory compliance (GDPR, HIPAA, PCI DSS), and tell personnel which handling obligations apply when they access the information.

Control objective

What auditing this proves

Demonstrate that the organization has implemented a functional data classification scheme with documented categories, that data assets are consistently labelled according to defined criteria, and that labels are enforced through technical and procedural controls.

Associated risks

Risks this control addresses

  • Highly sensitive data is transmitted or stored without encryption because personnel cannot distinguish it from lower-sensitivity information
  • Insider exfiltrates confidential intellectual property or customer data due to absence of visual or technical indicators restricting access or egress
  • Public disclosure of unclassified datasets containing embedded sensitive records that were never identified during collection or aggregation
  • Regulatory non-compliance penalties result from failure to identify and protect personally identifiable information or protected health information subject to data protection laws
  • Overclassification of mundane data creates unnecessary operational friction, excessive costs for storage and encryption, and user workarounds that bypass controls
  • Incident response teams waste critical time during breach investigations trying to determine which compromised datasets require mandatory notification to authorities or affected individuals
  • Third-party vendors receive sensitive data without contractual safeguards because sharing teams cannot identify classification levels requiring enhanced vendor due diligence

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's data classification policy, including definitions of each classification tier, assignment criteria, handling requirements, and roles responsible for classification decisions
  2. Request an inventory of systems, databases, file repositories, and cloud storage locations that store business data, and identify which asset owners have completed classification assessments
  3. Select a representative sample of at least 20 data assets spanning structured databases, unstructured file shares, cloud storage buckets, and email repositories across different business units
  4. Inspect each sampled asset for the presence of classification labels using appropriate tools: metadata properties for files, database schema tags, DLP system reports, or cloud resource tags
  5. Interview asset owners or data stewards for three sampled assets to verify they understand classification criteria and can articulate the rationale for assigned classification levels
  6. Review automated classification tool configurations (DLP, CASB, or information protection platforms) to confirm rule sets align with policy definitions and are actively scanning repositories
  7. Test enforcement by attempting to share or export a sample of classified assets through email, cloud sharing, or removable media to confirm technical controls prevent or flag policy violations
  8. Examine access logs or DLP reports for the past 90 days to identify instances where users handled classified data, and verify appropriate warnings, justifications, or approvals were captured
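The sampling and coverage arithmetic in steps 3, 4 and the pass criteria can be scripted so that the auditor's working is reproducible. The following Python script is an added example written for this page, not code from the control catalogue or from any DLP or information-protection product. It assumes a hypothetical alias table mapping raw label values to policy tiers, hypothetical metadata key names for each asset type (standing in for file properties, schema tags, cloud resource tags and mailbox sensitivity labels), and a constructed inventory of 21 sampled assets; in a real audit the inventory would be read from the tools named in step 4.

```python
"""Audit helper: check a sample of data assets for classification labels
and score the sample against the pass criteria (>= 20 assets, >= 85% labelled).
All policy tiers, alias values, metadata keys and assets below are constructed
for this example and are assumptions, not values from any real organization."""
from collections import Counter
from dataclasses import dataclass

# Tiers as defined in the (hypothetical) classification policy.
POLICY_TIERS = ("Public", "Internal", "Confidential", "Restricted")

# Raw label values the policy accepts, mapped to their canonical tier.
# Anything not in this table is reported as an invalid label.
LABEL_ALIASES = {
    "public": "Public",
    "internal": "Internal",
    "internal only": "Internal",
    "confidential": "Confidential",
    "restricted": "Restricted",
    "highly confidential": "Restricted",
}

# Where each asset type stores its label (hypothetical key names).
LABEL_KEYS = {
    "file": "classification",          # file metadata property
    "database": "data_classification", # schema-level tag
    "bucket": "DataClassification",    # cloud resource tag
    "mailbox": "Sensitivity",          # sensitivity label on the mailbox
}


@dataclass
class Asset:
    name: str
    kind: str       # file | database | bucket | mailbox
    metadata: dict  # label store as read from the asset


def normalize_label(raw):
    """Map a raw label value to a policy tier; None if it matches no alias.
    Whitespace and case differences are tolerated, anything else is not."""
    if raw is None:
        return None
    key = " ".join(raw.strip().lower().split())
    return LABEL_ALIASES.get(key)


def check_asset(asset):
    """Classify one asset as ('labelled', tier), ('invalid', raw) or ('missing', None)."""
    raw = asset.metadata.get(LABEL_KEYS[asset.kind])
    if raw is None or raw.strip() == "":
        return ("missing", None)
    tier = normalize_label(raw)
    return ("labelled", tier) if tier else ("invalid", raw)


def score_sample(assets, min_sample=20, threshold=0.85):
    """Evaluate a sample against the pass criteria and list the assets to remediate."""
    results = {a.name: check_asset(a) for a in assets}
    statuses = Counter(status for status, _ in results.values())
    coverage = statuses["labelled"] / len(assets) if assets else 0.0
    return {
        "sample_size": len(assets),
        "kinds_covered": sorted({a.kind for a in assets}),
        "counts": dict(statuses),
        "coverage": round(coverage, 3),
        "findings": sorted(n for n, (s, _) in results.items() if s != "labelled"),
        "passes": len(assets) >= min_sample and coverage >= threshold,
    }


# Constructed inventory: 21 assets across the four repository types in step 3.
SAMPLE = [Asset(*row) for row in [
    ("hr/payroll_2024.xlsx", "file", {"classification": "Restricted"}),
    ("legal/nda_template.docx", "file", {"classification": "Internal"}),
    ("marketing/brochure.pdf", "file", {"classification": "Public"}),
    ("finance/q3_forecast.xlsx", "file", {"classification": "confidential"}),
    ("eng/design_notes.md", "file", {}),                          # never labelled
    ("shared/readme.txt", "file", {"classification": "Internal only"}),
    ("crm_prod", "database", {"data_classification": "Confidential"}),
    ("patients_db", "database", {"data_classification": "Highly Confidential"}),
    ("analytics_wh", "database", {"data_classification": "Internal"}),
    ("logs_archive", "database", {"data_classification": "Secret"}),  # not a policy tier
    ("s3://corp-public-assets", "bucket", {"DataClassification": "Public"}),
    ("s3://corp-backups", "bucket", {"DataClassification": "Restricted"}),
    ("s3://corp-data-lake", "bucket", {"DataClassification": "Confidential"}),
    ("s3://corp-scratch", "bucket", {"DataClassification": "  internal "}),
    ("s3://corp-exports", "bucket", {"Owner": "data-team"}),       # tagged, but no label
    ("mbx:ceo", "mailbox", {"Sensitivity": "Restricted"}),
    ("mbx:sales", "mailbox", {"Sensitivity": "Internal"}),
    ("mbx:support", "mailbox", {"Sensitivity": "Internal"}),
    ("mbx:press", "mailbox", {"Sensitivity": "Public"}),
    ("mbx:legal", "mailbox", {"Sensitivity": "Confidential"}),
    ("mbx:finance", "mailbox", {"Sensitivity": "Confidential"}),
]]


def audit_report(assets=SAMPLE):
    """Score the constructed sample; 18 of 21 assets are labelled, so it passes."""
    return score_sample(assets)


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(), indent=2))
```

The findings list is what goes into the remediation tickets collected as evidence: an asset with no label and an asset carrying a value outside the policy tiers are both counted as unlabelled, because neither can drive an enforcement rule that keys on the policy's tier names. Whitespace and case variants are normalized rather than failed, since DLP rule sets usually match case-insensitively; tighten `normalize_label` if the policy requires exact values.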
Evidence required

Auditor collects the data classification policy document with tier definitions and handling matrices; screenshots of labelled files, database schemas, and cloud resource tags showing classification metadata; configuration exports from DLP, Microsoft Purview, or equivalent classification tools showing active rule sets; access logs or DLP incident reports demonstrating enforcement actions; interview notes with data owners confirming classification rationale; and change management tickets showing label application or remediation activities.

Pass criteria

The control passes if the organization maintains a documented classification scheme, at least 85% of sampled data assets display appropriate classification labels consistent with policy criteria, automated classification tools are actively deployed and configured correctly, and technical or procedural enforcement mechanisms demonstrably restrict handling of classified data according to defined requirements.