ISO 27001: 2022 A.8.12 Data leakage prevention

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.12 Data leakage prevention.

ISO 27001: 2022 Control Description

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Purpose

To detect and prevent unauthorised disclosure and extraction of sensitive information by individuals or systems.

Guidance on implementation

To minimise the risk of data leakage, organisations should consider the following:

  1. Identify and Classify Sensitive Information:
    • Determine which information needs protection, such as personal data, pricing models, and product designs.
  2. Monitor Potential Leakage Channels:
    • Monitor the channels through which data could leave the organisation, such as email, file transfers, mobile devices and portable storage media.
  3. Preventive Actions:
    • Implement measures to stop information from leaking, such as quarantining emails that contain sensitive data.

Using Data Leakage Prevention Tools

Data leakage prevention (DLP) tools support this control by:

  1. Identifying and Monitoring:
    • Track sensitive information that is at risk of unauthorised disclosure, especially unstructured data on users’ systems.
  2. Detecting Data Disclosure:
    • Spot when sensitive information is being sent to untrusted third-party cloud services, shared via email, or uploaded to external locations.
  3. Blocking Risky Actions:
    • Prevent actions that could expose sensitive information, such as copying database entries into spreadsheets or transferring data to unauthorised storage devices.
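The three steps above (identify and classify, monitor the channel, then detect and block or quarantine) are what a DLP engine does on every outbound message. The following is an added illustration written for this article, not code from ISO 27001 or from any DLP product. It assumes a hypothetical organisation whose internal domain is example.com, treats two classification markings ("CONFIDENTIAL", "INTERNAL ONLY") and Luhn-validated payment card numbers as sensitive, and runs over constructed sample emails. Policy: card numbers leaving the organisation are blocked, marked documents leaving are quarantined for data-owner review, and internal traffic is allowed but its classification is recorded. The Luhn check is what keeps ordinary 16-digit order numbers from being flagged as card data.

```python
"""Minimal content-inspection DLP policy for outbound email (illustrative)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}            # assumption: the organisation's own domain
MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY")  # assumption: classification labels in use

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate card numbers that pass the Luhn check (reduces false positives)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_markings(text: str) -> list[str]:
    upper = text.upper()
    return [m for m in MARKINGS if m in upper]


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                                   # "allow", "quarantine" or "block"
    reasons: list[str] = field(default_factory=list)


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate(msg: Message) -> Verdict:
    """Classify the content, then apply the policy according to the destination."""
    text = msg.subject + "\n" + msg.body
    external = [r for r in msg.recipients if is_external(r)]
    pans, marks = find_pans(text), find_markings(text)
    reasons = []
    if pans:
        reasons.append(f"{len(pans)} payment card number(s)")
    if marks:
        reasons.append("marking: " + ", ".join(marks))
    if not external:
        return Verdict("allow", reasons)          # internal only: log classification, do not block
    if pans:
        return Verdict("block", reasons)          # card data must never leave the organisation
    if marks:
        return Verdict("quarantine", reasons)     # hold for data-owner approval
    return Verdict("allow", reasons)


# Constructed sample messages (not real data); 4111 1111 1111 1111 is a standard test PAN.
SAMPLES = [
    Message("alice@example.com", ["vendor@partner.test"], "Invoice",
            "Please charge 4111 1111 1111 1111 for the order."),
    Message("bob@example.com", ["bob.personal@webmail.test"], "CONFIDENTIAL: Q3 pricing model",
            "Attached is the draft pricing sheet."),
    Message("carol@example.com", ["finance@example.com"], "Refund",
            "Card 4111111111111111 refunded in full."),
    Message("dave@example.com", ["support@supplier.test"], "Order status",
            "Order 1234567890123456 has not arrived yet."),   # fails Luhn: not a PAN
]


def run_samples() -> list[Verdict]:
    return [evaluate(m) for m in SAMPLES]


if __name__ == "__main__":
    for m, v in zip(SAMPLES, run_samples()):
        print(f"{v.action:10s} {m.recipients[0]:28s} {'; '.join(v.reasons) or '-'}")
```

In practice the "reasons" field is what feeds the security operations alert and the approval workflow described in the sections that follow: a quarantine without a recorded reason cannot be reviewed by the data owner, and a block without one cannot be tuned when it turns out to be a false positive.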

Restricting Data Movement

  • Control Data Copying and Uploading:
    • Assess whether it’s necessary to limit users’ ability to copy, paste, or upload data to external services, devices, or storage media. If so, use DLP tools or configure existing tools to allow users to work with data remotely but prevent it from being copied or transferred outside the organisation's control.
  • Approving Data Exports:
    • Require data owners to approve any data exports, holding users accountable for their actions.
  • Managing Screenshots and Photos:
    • Address the risks of screenshots or photos being taken of sensitive data through terms of use, training, and regular audits.

Protecting Backups

When backing up data, ensure that sensitive information is safeguarded with measures such as encryption, access controls, and physical protection of the storage media.

Countering Adversarial Actions

Consider data leakage prevention as a defence against adversarial intelligence activities that seek to obtain confidential or secret information. Techniques like replacing real information with false data or using honeypots to attract attackers can be effective. These measures can mislead adversaries, protecting valuable information.

Legal Considerations

Implementing data leakage prevention often involves monitoring employee communications and online activities, as well as external communications. This can raise legal issues, so it's important to consider relevant legislation on privacy, data protection, employment, and data interception before deploying DLP tools.

Supporting Security Controls

Data leakage prevention can be strengthened by standard security controls, such as policies on access control and secure document management.