DAT-002 Information Labelling
Description
Information assets are labelled in accordance with the data classification scheme. Labels are applied to documents, data stores, outputs and transmissions so that recipients can identify the classification and apply appropriate handling controls.
Rationale
Labelling makes classification actionable at the point of use. Without visible labels, handling rules cannot be enforced consistently across teams and systems.
Framework Mappings (3)
| DSP-04 | Data Classification | partial |
| 5.13 | Labelling of information | full |
| AC-16 | Security and Privacy Attributes | partial |
Evidence (2)
System or tooling configuration demonstrating that automated classification labels are applied to data assets and documents at creation or ingestion.
Example: Microsoft Purview / Google Workspace DLP configuration screenshot or export showing auto-labelling rules applied to internal document libraries and shared drives
Test: Query the classification tooling configuration (e.g. Purview sensitivity label policies, Google Workspace DLP rules). Verify: (1) labelling policies are enabled and active, (2) rules cover the sensitivity tiers defined in the classification policy, (3) auto-labelling is applied to the primary document repositories in use, (4) policy was last reviewed within 12 months.
Sample output from a classification or DLP tool showing labelled documents or data records, confirming labels are visibly applied.
Example: Export from Microsoft Purview Content Explorer or equivalent showing a sample of 20+ documents with their applied sensitivity labels and label origin (manual vs. auto-applied)
Test: Run a content scan or export from the classification tool. Verify: (1) at least one asset per sensitivity tier is present in the sample, (2) labels match the defined taxonomy in the classification policy, (3) no high-volume data stores show entirely unlabelled assets.
Questions (2)
Are information assets labelled in accordance with the data classification scheme so that recipients can identify the classification at the point of use?
Labels should be visible on documents, data stores, outputs and transmissions. Automated labelling via DLP or sensitivity label tooling (e.g. Microsoft Purview, Google Workspace) is preferred over purely manual labelling.
Which asset types have classification labels actively applied?
A mature labelling programme covers all major asset types. At minimum, documents, emails and data exports should be labelled. Gaps in cloud storage or database labelling should be noted.