Organisational | Preventive | Protect | High Priority

A.5.12 Classification of Information

M365 Admin Path: Microsoft Purview compliance portal > Information protection

Evidence Source: Microsoft Purview

What is A.5.12 Classification of Information?

ISO 27001 control A.5.12 Classification of Information ensures the organisation identifies and protects information according to its sensitivity, value, and legal or contractual requirements. The control establishes a formal classification scheme defining protection baselines for different data types from General through Highly Confidential. Microsoft Purview Sensitivity Labels provide the technical infrastructure to assign, communicate, and enforce classification metadata across all information assets.

How to implement A.5.12 in Microsoft 365

Implement A.5.12 by defining and publishing the official classification scheme via Microsoft Purview Sensitivity Labels with minimum levels of General, Confidential variants, and Highly Confidential variants. Configure labels with associated protections including encryption, access restrictions, and information rights management. Designate asset owners for each classification level responsible for review and maintenance.

Establish bi-annual classification review schedules for sensitive and confidential data owners. Implement an ownership registry linking business data categories to designated owner roles.

Configure DLP policies to detect and enforce handling rules based on classification labels.

What an auditor checks for A.5.12

  • Auditors will verify sensitivity label configuration in Microsoft Purview showing all classification levels are defined.
  • They will review the data classification dashboard showing live inventory of data by sensitivity label.
  • Auditors will examine Content Explorer reports demonstrating data assets have sensitivity labels applied.
  • They will verify the asset ownership register with defined categories, assigned owners, and review schedule.
  • Auditors will check that DLP policies are configured to enforce classification-based handling rules across all M365 workloads.
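
The ownership register and review schedule described above can be checked mechanically before an audit. The following is an added example, not code from this page or from Microsoft: the register layout, the " - " variant naming, the sample rows, and the reading of "bi-annual" as twice a year are all assumptions.

```python
from datetime import date, timedelta

# Base levels of the classification scheme named on this page.
SCHEME = ("General", "Confidential", "Highly Confidential")
# Levels whose owners are on the bi-annual review schedule.
REVIEWED_LEVELS = {"Confidential", "Highly Confidential"}
# Assumption: "bi-annual" is read as twice a year (about every 183 days).
REVIEW_INTERVAL = timedelta(days=183)

# Constructed sample register: business data category -> label, owner role, last review.
REGISTER = [
    {"category": "Public marketing copy", "level": "General",
     "owner_role": "Head of Marketing", "last_review": None},
    {"category": "Payroll records", "level": "Confidential - Finance",
     "owner_role": "Finance Director", "last_review": date(2024, 1, 15)},
    {"category": "Customer contracts", "level": "Confidential",
     "owner_role": "", "last_review": date(2024, 6, 1)},
    {"category": "M&A plans", "level": "Restricted",
     "owner_role": "CFO", "last_review": date(2024, 8, 1)},
]

def base_level(label):
    """Map a label or variant (assumed form 'Level - Variant') to its base level."""
    for level in SCHEME:
        if label == level or label.startswith(level + " "):
            return level
    return None

def audit_register(register, today):
    """Return (category, finding) for every gap in ownership or review."""
    findings = []
    for row in register:
        level = base_level(row["level"])
        if level is None:
            findings.append((row["category"], "label not in published scheme"))
            continue
        if not row.get("owner_role"):
            findings.append((row["category"], "no owner role assigned"))
        if level in REVIEWED_LEVELS:
            last = row.get("last_review")
            if last is None or today - last > REVIEW_INTERVAL:
                findings.append((row["category"], "review overdue"))
    return findings

def uncovered_levels(register):
    """Scheme levels with no register row, i.e. no designated owner."""
    used = {base_level(r["level"]) for r in register}
    return [lvl for lvl in SCHEME if lvl not in used]

if __name__ == "__main__":
    for category, finding in audit_register(REGISTER, date(2024, 9, 1)):
        print(f"{category}: {finding}")
    print("Levels without an owner:", uncovered_levels(REGISTER))
```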

Evidence we surface for A.5.12

A.5.12 evidence for information classification draws from Microsoft Purview's Content Explorer (showing how content is currently labelled), your ISMS data-asset-owner register, and the asset categorisation. We do not expose individual document samples — only aggregates — but the auditor sees that classification is operating at scale, ownership is assigned, and assets are categorised to the schema your ISMS declares.

M365 capabilities that implement this control

  • Client-Side Auto-Labeling (Info Gov): Configure automatic labeling recommendations in Office clients
  • Label-Based Encryption (Info Gov): Configure sensitivity labels with encryption protection
  • Manual Labeling (Info Gov): Deploy manual sensitivity labeling to users
  • Sensitivity Label Taxonomy (Info Gov): Define and publish sensitivity label taxonomy with stakeholders
  • Service-Side Auto-Labeling (Info Gov): Configure automatic labeling policies for SharePoint, OneDrive, Exchange
  • Trainable Classifiers (Info Gov): Machine learning classifiers for content classification