Information classification and labeling

For this answer, I’m assuming that control A.8.2.2 - Labelling of information, is considered applicable in the Auditee’s Statement of Applicability.

Considering that, please note that this situation needs to be considered in the context of the auditee’s procedures for labeling of information (ISO 27001 Annex A control A.8.2.2 - Labelling of information – requires procedures for information labeling to be developed and implemented).

In case there is a documented procedure for information labeling (the control does not require related procedures to be documented), you need to check what this document defines regarding labeling of information requested for audit. If there is no documented procedure, you need to check additional evidence to understand the common practice (e.g., by interviewing other people to see if they share the same understanding regarding the labeling of information requested for audit).

From this evaluation, you can decide if this situation is a common practice or if there is a failure to fulfill an expected behavior (i.e., a nonconformity).

This article will provide you a further explanation about information labeling:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

These materials will also help you regarding information labeling:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/