The basics
ISO 27001 control A.8.12 Data leakage prevention requires companies to apply measures to prevent and detect unauthorized transmission of data – this is important in order to avoid unauthorized disclosure of sensitive information and, if such incidents happen, to respond to them in a timely manner. This is a completely new control in the 2022 revision of the standard.
Documentation
ISO 27001 control A.8.12 Data leakage prevention can be documented through 3 documents:
- Information Classification Policy to determine which data are sensitive and which prevention controls need to be applied to them,
- Security Procedures for IT Department to define the monitoring and prevention systems to be used by administrators, and
- IT Security Policy to define what is and what isn’t allowed for regular users.
Implementation
In order to comply with control A.8.12 Data leakage prevention you might implement the following:
- Technology — companies can use systems to monitor potential leakage channels (e.g., email, removable storage devices, mobile devices) and systems that prevent information from leaking, e.g., disabling downloads to removable storage, email quarantine, restricting copy and paste of data, restricting upload of data to external systems, encryption, etc.
- Organization/processes — you should set up a process for determining the sensitivity of data, assess the risks of various technologies (e.g., risks of taking photos of sensitive information with a smartphone), monitor channels with the potential of data leakage, and define which technology to use to block the exposure of sensitive data. You can document those processes through an Information Classification Policy, Security Procedures for IT Department or an IT Security Policy.
- People — make employees aware of what kind of sensitive data is handled in the company and why it is important to prevent leakages, and train them on what is and what isn’t allowed when handling sensitive data.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.12 Data leakage prevention: whether data leakage prevention solutions are applied to assets that process, store, or transmit sensitive information.