
ISO27001:2022 – A8.12 – Data Leakage Prevention



The purpose of this ISO27001 control is to implement security measures that detect and prevent the unauthorised disclosure and extraction of information by individuals or systems. It will come as no surprise that this new control is necessary in today's digital and data-driven world.


Preventing data being exposed, or 'leaked', is a fundamental aspect of information security and data protection.


What does the standard require?

The standard states that "Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information." (A8.12 – Data Leakage Prevention)


Note that this control is specifically interested in systems, networks and other devices. Therefore, the control leans clearly towards digital information. However, if your business handles physical information, take care to apply compensating controls that prevent that data from leaking as well.


Why is this required?

With the proliferation of digital devices, and the volume of data in use in today's businesses, the risk of data being unintentionally leaked has grown exponentially. Without implementing appropriate ISO27001 controls and other security measures, you run the risk of having data intentionally or unintentionally taken from you, which can lead to financial and operational losses and other issues.


We received a call from a company that had discovered their entire customer database had been stolen, and taken to a competitor. How did this happen? A member of their team had downloaded all customer contact details and emailed them to their new employer. We discovered that the employee was already under an investigation, and had spoken of leaving, yet they still had full access to all customer data. The reputational impact on the company was significant, and they also lost a number of customers to the competitor, who was fully aware of the sales margins and profitability of the company.


What the auditor is looking for

For this ISO27001 control, the auditor will expect to see:


What do you need to do?

Develop your data classification scheme so that you understand what data is of critical importance to you and your business. If you haven’t done this already, review ISO27001 Annex A control (A5.12 - Classification of information) to understand what is required.

 

Once you understand what is of critical importance to you, you need to look at this control in terms of technical and operational security measures. You should discuss the technical controls with your IT team, who can outline the DLP functionality they have available to you. For example, if USB drives are not used or required in your organisation, have you asked your IT team to disable USB drives? Doing so not only reduces the risks associated with malware but also prevents data from being exfiltrated by copying it to a thumb drive.


The IT team will explain what email management controls are in place, which could include measures such as limiting the size of files that employees can email out of the business. Of course, this doesn't prevent someone sending multiple, smaller files, but it would certainly have been helpful in the example outlined previously.


You should consider what can be done in each of these areas, as this control addresses systems, networks, and other devices. Ask what monitoring activities are undertaken by your IT team, and look closely at ISO27001 Annex A control (A8.16 - Monitoring Activities) to understand what is being monitored and what happens if an alarm is triggered. For example, would anyone notice if all your data was being exfiltrated at 2am and sent to some foreign shores?!
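As an added illustration of the monitoring questions above (not from the original article or any DLP product), the following Python sketch applies three simple rules to a constructed outbound-transfer log: off-hours activity, destinations outside an allowed region list, and per-transfer plus running daily volume limits, the last of which catches the "multiple, smaller files" case noted earlier. The log format, thresholds, user names and country codes are all assumptions made for the example.

```python
# Toy DLP egress check (added example): flag off-hours, oversized and
# out-of-region outbound transfers in a constructed gateway log.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one transfer per line:
# timestamp user channel destination_country bytes  (users/countries invented)
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice email GB 240000
2024-03-04T14:30:00 bob email GB 900000
2024-03-05T02:03:00 carol https XX 52000000
2024-03-05T02:04:00 carol https XX 48000000
2024-03-05T11:00:00 dave email GB 4800000
2024-03-05T11:01:00 dave email GB 4900000
2024-03-05T11:02:00 dave email GB 4700000
"""

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time; assumed policy
ALLOWED_COUNTRIES = {"GB"}      # where data may legitimately be sent; assumed
SINGLE_LIMIT = 5_000_000        # per-transfer ceiling (5 MB); assumed
DAILY_LIMIT = 10_000_000        # per-user daily total (10 MB); assumed

def parse_line(line):
    ts, user, channel, country, size = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "channel": channel, "country": country, "bytes": int(size)}

def flag_transfers(log_text):
    """Return sorted (user, reason) alerts; one tuple per user and rule."""
    alerts = set()
    daily_totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["time"].hour not in BUSINESS_HOURS:
            alerts.add((ev["user"], "off-hours transfer"))
        if ev["country"] not in ALLOWED_COUNTRIES:
            alerts.add((ev["user"], "destination outside allowed regions"))
        if ev["bytes"] > SINGLE_LIMIT:
            alerts.add((ev["user"], "single transfer over size limit"))
        # Running daily total catches many small files that each pass the limit.
        key = (ev["user"], ev["time"].date())
        daily_totals[key] += ev["bytes"]
        if daily_totals[key] > DAILY_LIMIT:
            alerts.add((ev["user"], "daily volume over limit"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in flag_transfers(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

In the sample, carol trips every rule with two large night-time transfers abroad, while dave is caught only by the daily total, each of his three emails being under the single-file limit.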

 

Finally, keep in mind that there are other data leakage prevention techniques that do not rely on technical means.


Consult your HR function to understand how they handle any disciplinary process. For example, should someone under investigation have their access to data limited? Review exit processes to ensure leavers are reminded of their obligations regarding confidentiality and non-disclosure.


A key principle of the control is to limit exposure to data, so consider how you have implemented segregation of duties and access to data. This is covered in ISO27001 Annex A controls (A5.15 - Access Control), (A5.18 - Access Rights) and (A5.3 - Segregation of Duties).


Difficulty rating

We rate this a 2 out of 5 difficulty rating. There are several technical conversations that need to be undertaken in order to implement this control, but don't neglect the importance of speaking to HR and information asset holders.


Q&A


Is Data Leak Prevention the same as Data Loss Prevention?

No. There is a subtle but important difference: leakage prevention focuses on preventing unauthorised data transfers, whether intentional or accidental, whereas data loss prevention is the broader discipline and encompasses all the controls within ISO27001.


Do I need a DLP Policy?

No, a policy is not mandatory, and you don't need a process either. This is because the implementation of a number of ISO27001 Annex A controls demonstrates DLP, as described previously.


More questions?

You've probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you're still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book "The Real Easy Guide to ISO27001", which is available on Amazon.
