Labels applied to documents at source
Description
What this control does
This control ensures that classification labels (e.g., Public, Internal, Confidential, Restricted) are assigned to documents, records, and data assets at the point of creation or initial receipt into the organization's custody. Labeling at source prevents ambiguity, ensures consistent handling from inception, and reduces the risk of misclassification during downstream processing. Implementation typically involves integrated classification tools in authoring applications (email clients, document editors, file shares) or metadata tagging workflows that prompt or mandate label selection before saving or transmitting content.
Control objective
What auditing this proves
Demonstrate that information assets are systematically classified with appropriate sensitivity labels at the time of creation or ingress, and that these labels are enforceable throughout the asset lifecycle.
Associated risks
Risks this control addresses
- Unauthorized disclosure of sensitive information because classification labels are absent, incorrect, or applied only retroactively or ad hoc
- Insiders inadvertently sharing confidential documents via uncontrolled channels because no label was present to trigger data loss prevention controls
- Compliance violations when regulated data (PII, PHI, PCI) is not identified and labeled at creation, bypassing encryption or access restrictions
- Attackers moving laterally and exfiltrating unlabeled assets that evade detection by label-based monitoring and DLP systems
- Inconsistent retention and disposal practices when documents lack provenance labels indicating lifecycle requirements from inception
- Audit trail gaps where classification decisions made post-creation cannot be reliably traced to the originating context or author
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification policy, standards, and procedures governing label assignment at document creation.
- Identify and inventory all systems and applications used for document creation, editing, or ingress (email clients, collaboration platforms, CMS, document management systems, file shares).
- Examine configuration settings and policy enforcement rules in sampled authoring tools to verify mandatory or prompted classification workflows are active.
- Select a stratified sample of recently created documents (emails, spreadsheets, presentations, reports) from the past 30-60 days across multiple business units.
- Inspect metadata and visible labels on sampled documents to confirm presence of classification markings and verify labels match document sensitivity based on content review.
- Interview document creators and information owners to validate understanding of labeling requirements and confirm labels were applied at creation rather than retroactively.
- Test label enforcement by attempting to create and save a new document without assigning a classification label in a controlled environment to verify blocking or warning mechanisms.
- Review audit logs or classification system reports to confirm label assignment events are recorded at document creation time with creator identity and timestamp.
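The metadata inspection and log review in the sampling steps above, as an added Python example that is not part of the control text: it takes constructed sample document metadata and label-assignment log records and flags documents with no label, no creation-time label event, a label applied long after creation or by someone other than the creator, and a stored label that disagrees with the log. The label set, the five-minute tolerance, and the record fields are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed classification scheme and tolerance (not values from the control text).
VALID_LABELS = {"Public", "Internal", "Confidential", "Restricted"}
MAX_LABEL_DELAY = timedelta(minutes=5)  # a label applied later than this counts as retroactive

# Doc = fields read from a sampled document's metadata; LabelEvent = one record from the classification log.
Doc = namedtuple("Doc", "doc_id created creator label")
LabelEvent = namedtuple("LabelEvent", "doc_id applied_at actor label")

def audit_document(doc, events):
    """Return the findings for one document; an empty list means the control held for it."""
    findings = []
    if doc.label is None:
        findings.append("MISSING_LABEL")            # no classification marking in metadata
    elif doc.label not in VALID_LABELS:
        findings.append("UNKNOWN_LABEL")            # marking is not one the policy defines
    own = sorted((e for e in events if e.doc_id == doc.doc_id), key=lambda e: e.applied_at)
    if not own:
        findings.append("NO_LABEL_EVENT")           # no label-assignment record at all
        return findings
    first, last = own[0], own[-1]
    if first.applied_at - doc.created > MAX_LABEL_DELAY:
        findings.append("RETROACTIVE_LABEL")        # first label came well after creation
    if first.actor != doc.creator:
        findings.append("LABEL_NOT_BY_CREATOR")     # logged actor is not the document creator
    if doc.label is not None and last.label != doc.label:
        findings.append("LABEL_MISMATCH")           # metadata disagrees with the last logged label
    return findings

T = datetime(2024, 5, 1, 9, 0)  # constructed sample records, not real audit data
DOCS = [
    Doc("D1", T, "alice", "Confidential"),
    Doc("D2", T + timedelta(minutes=5), "bob", None),
    Doc("D3", T + timedelta(hours=1), "carol", "Internal"),
    Doc("D4", T + timedelta(hours=2), "erin", "Restricted"),
]
EVENTS = [
    LabelEvent("D1", T + timedelta(seconds=30), "alice", "Confidential"),
    LabelEvent("D3", T + timedelta(hours=3), "dave", "Internal"),
    LabelEvent("D4", T + timedelta(hours=2, minutes=1), "erin", "Internal"),
]

def audit_sample(docs=DOCS, events=EVENTS):
    return {d.doc_id: audit_document(d, events) for d in docs}

if __name__ == "__main__":
    for doc_id, f in audit_sample().items():
        print(doc_id, "OK" if not f else ", ".join(f))
```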
Where this control is tested