The latest revision of the ISO 27001 security standard (ISO 27001:2022) was announced in 2022. To ensure the standard keeps pace with modern cybersecurity challenges, the ISO implemented a number of new controls and updates around information security, cybersecurity, and privacy. This specifies 11 new controls, including (A.8.12) Data Leakage Prevention – otherwise known as Data Loss Prevention (DLP).
Organizations have until October 31, 2025, to adopt the new requirements into their Information Security Management Systems (ISMS).
The need to protect data from loss was always implied by ISO 2700, but the latest revision goes further to make it an explicit information security requirement with an entirely new control.
Annex A 8:12 (ISO 27001:2022)
“Data Leakage Prevention measures should be applied to systems, networks, and other devices that process, store or transmit sensitive information.”
Note, this new control is directly derived from ISO 27002:2022, where further guidance and best practices can be found.
What is the purpose of Annex A 8:12 Data Leakage Prevention?
Data loss continues to be a significant challenge for organizations; particularly in the handling of sensitive data and personal data types such as Personal Identifiable Information (PII) and Personal Healthcare Information (PHI). In many cases, this type of data is protected by regulations such as GDPR and HIPAA, where data breaches can result in substantial penalties and operational disruption.
How is data lost?
While external hacks make the headlines, the reality is that the vast majority of data leaks occur because of employee misuse. These are known as insider threats – with employees either accidentally sharing data with unauthorized stakeholders, or maliciously exfiltrating it. In a world of hybrid working, it’s also the employee endpoint that has become the critical threat vector – with data commonly lost through email, messaging apps such as Slack and Microsoft Teams, being uploaded to third-party cloud resources through a browser, or simply being printed or transferred to removable storage devices.
Which Data Loss Prevention tools can I apply to protect my data?
Security frameworks such as ISO 27001:2022 rarely define an exact technology type to meet the control’s data security requirements. This allows the organization to implement a solution based on its own set of circumstances. However, it can be assumed that the most likely technology type available for meeting 8.12 Data Leakage Prevention is a DLP solution such as Endpoint Protector by CoSoSys.
DLP solution definition
- DLP solutions provide a set of tools to deliver data protection by detecting and preventing the unauthorized sharing and exfiltration of sensitive data and personal data.
- Deployment types can vary depending on the existing security controls required and may include SaaS and on-premise options.
- Effective DLP solutions should not disrupt employee productivity/business continuity.
- In addition to real-time blocking, a DLP solution will allow security administrators to perform risk assessments, monitoring activities, and analysis of information security incidents.
- Scanning data-at-rest on employee endpoints is also a key consideration, allowing security administrators to perform information deletion to mitigate future data exfiltration attempts.
Will a CASB/Cloud DLP meet my ISO 27001:2002 requirements?
No, not on its own. While your data may reside in cloud services, cloud-to-cloud exfiltration is rare. In fact, 70% of data loss incidents originate on the employee endpoint; often being shared via email, messaging apps, or copied to removable storage.
Annex A 8:12 Data Leakage Prevention gives specific provisions for preventative measures to also be applied to devices (endpoints). A Cloud Access Security Broker (CASB) or Secure Access Service Edge (SASE) deployment will have no visibility of endpoint exfiltration attempts, and certainly not when the endpoint is offline. Only an endpoint DLP solution will be able to achieve this and deliver the necessary data protection required by the ISMS. Therefore it’s likely that organizations will need a combination of DLP strategies, or select the DLP approach that best meets their particular use case and vulnerabilities. In most cases, this will need to include an endpoint-based approach.
Does Endpoint Protector meet the requirements for ISO 27001:2022
Endpoint Protector’s Active Data Defense solution comprises Device Control and Content Aware Protection features to help an organization build DLP policies to block the accidental or malicious exfiltration of personal data and sensitive data, including all types of PII, PHI, HIPAA, and PCI data. It can also be configured to protect custom data (confidential company information) and even Intellectual property such as source code.
Because it’s endpoint-based. Endpoint Protector is able to apply these security policies to all key exit points; including hardware devices (e.g., USB drives, external HDDs, Bluetooth-connected devices, printers, and more) and through software applications (e.g., email, Slack, Microsoft Teams, file uploads to the cloud, etc.).
Endpoint Protector policies and security controls remain active even if the endpoint is offline, and can cover Windows, macOS, and Linux devices, for consistent information security across deployed endpoints.
Summary
ISO 27001:2002 will mean that, for the first time, organizations looking to achieve accreditation will be required to adopt a DLP strategy. Given its breadth, no one solution will fulfill all ISO 27001:2002 requirements. Instead, organizations should look to combine multiple technologies, and processes, to meet their stated goals. This includes understanding which DLP deployment method will be most effective in preventing the exfiltration of data.
Organizations should also look to understand the sensitivity of the information to be processed, stored, or transmitted, and should conduct a thorough risk assessment and evaluation of DLP solutions to ensure it meets their unique compliance needs. Organizations are solely responsible for determining the appropriateness of using a DLP solution provider to achieve their ISO 27001:2002 certification, contractual requirements, and other regulatory needs.
ISO 27001 is also known as ISO/IEC 27001. For the purposes of this post, the former is used.
Download our free ebook on
GDPR compliance
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.