AuditFront

ISO 27001 A.8.12: Data leakage prevention

What This Control Requires

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

In Plain Language

Someone emails a spreadsheet of customer data to their personal Gmail. A developer uploads source code to a public repo. An employee copies the client database to a USB stick on their last day. These are the scenarios DLP is designed to catch, and this control - new in ISO 27001:2022 - makes it an explicit requirement. DLP covers both malicious insiders stealing data intentionally and well-meaning employees who accidentally send the wrong attachment or upload a file to the wrong place. You need to protect data in use (on endpoints), data in motion (crossing the network), and data at rest (sitting in storage). The tricky part is getting the balance right. DLP that is too aggressive blocks legitimate work and people find workarounds. DLP that is too loose misses real incidents. Good data classification is the foundation - you cannot protect what you have not identified.

How to Implement

Build your DLP strategy around your data classification scheme. Identify which data categories need DLP protection, map the most likely leakage channels, and define what happens when a policy triggers - alert, block, or quarantine.

Deploy DLP across all three domains.

For data in motion:
  • Set up email DLP to scan outgoing messages and attachments for sensitive content.
  • Configure web DLP to monitor uploads to cloud services, file sharing sites, and social media.
  • Deploy network DLP to inspect outbound traffic for sensitive data patterns.
  • Consider TLS inspection (still widely called SSL inspection) for encrypted channels where it is legally permissible and the privacy impact on staff has been assessed; without it, network DLP sees only metadata for encrypted traffic.

For data in use:
  • Deploy endpoint DLP to monitor USB copying, printing, screen capture, and clipboard activity.
  • Configure application-level restrictions on data export and sharing.
  • Use information rights management (IRM) to enforce usage controls on classified documents.

For data at rest:
  • Scan file servers, databases, and cloud storage to find sensitive data in places it should not be.
  • Flag over-shared files and excessive permissions.
  • Identify data sitting in locations without adequate protection.

Write DLP policies that specify what to protect, what triggers alerts versus blocks, and how to handle exceptions. Start in monitoring mode. Seriously - run in monitor-only for a few weeks to understand your data flows and tune out false positives before you start blocking anything. Common policies include: blocking external email of credit card data, alerting on bulk downloads, restricting USB transfers of classified documents, and preventing uploads to unauthorised cloud services.

Set up proper incident management for DLP alerts. Define who reviews them, how investigations work, and what actions follow. Separate accidental violations (which need user education) from potential data theft (which needs formal investigation). Report DLP metrics to management regularly.

Evidence Your Auditor Will Request

  • DLP strategy and policy documentation
  • DLP tool deployment records covering email, web, endpoint, and storage
  • DLP policy configuration and rule definitions
  • DLP incident reports and response actions
  • DLP metrics and trend reports presented to management

Common Mistakes

  • No DLP technology deployed despite handling sensitive data
  • DLP policies are too broad creating excessive false positives and alert fatigue
  • DLP only covers one channel (e.g., email) while other channels are unmonitored
  • DLP incidents are not investigated or followed up
  • DLP is deployed but users find workarounds that are not addressed

Related Controls Across Frameworks

Framework   Control ID     Relationship
---------   -----------    ---------------
SOC 2       CC6.7          Related
GDPR        Art.32         Related
GDPR        Art.5(1)(f)    Related
NIS2        Art.21(2)(d)   Partial overlap

Frequently Asked Questions

Is this control new in ISO 27001:2022?
Yes, one of the 11 new controls. Data exfiltration - both intentional and accidental - was a growing risk that the 2013 version did not address explicitly. The 2022 revision makes it clear that organisations handling sensitive data need structured DLP measures, not just good intentions.
How do we reduce DLP false positives?
Start in monitoring mode to learn what normal data flows look like before you enable blocking. Use precise detection patterns rather than broad matching, and validate candidates where the data type allows it (for example, a checksum on card numbers rather than any long run of digits). Build contextual rules that consider sender, recipient, and data volume, not just content: the same card number going to an internal colleague and to an external address should not get the same verdict. Allow user-based exceptions with justification tracking for legitimate business needs. Review and refine rules regularly based on false positive analysis. Detection methods that go beyond pattern matching, such as exact data matching against a fingerprint of your own customer records or document fingerprinting of classified templates, cut noise further because they fire only on your data rather than on anything that looks like it.
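The policies sketched under How to Implement (block card data sent to external email, alert on bulk exports) and the false-positive advice in this answer (precise patterns with validation, sender/recipient/volume context, monitor mode before blocking) are easier to see in working code. The following is an added example written for this page; it is not AuditFront's code and not any DLP product's rule language. The organisation domain example.com, the bulk-row threshold, the message dictionary format and the sample messages are all assumptions constructed for illustration.

```python
"""Toy outbound-email DLP evaluator (added example, not AuditFront's code).

Assumptions not taken from the page: the organisation's mail domain is
example.com, messages are plain dicts, and the sample messages below are
constructed for illustration (4111... is a public test card number).
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's mail domain
BULK_ROW_THRESHOLD = 1000         # assumption: export size that counts as "bulk"

# Shape of a card number: 13-16 digits, optional space/dash separators.
# The "broad" rule stops here; the "precise" rule also requires the Luhn checksum.
CARD_SHAPE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum used by payment cards; rejects ~90% of random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, precise: bool = True) -> list[str]:
    """Return card-number hits; precise=True keeps only Luhn-valid candidates."""
    hits = [m.group(0) for m in CARD_SHAPE_RE.finditer(text)]
    return [h for h in hits if luhn_ok(h)] if precise else hits


@dataclass
class Verdict:
    action: str   # "allow", "alert" or "block"
    reason: str


def evaluate(message: dict, mode: str = "monitor") -> Verdict:
    """Apply contextual rules to one outbound message.

    mode="monitor" downgrades every would-be block to an alert, which is the
    tuning phase to run before enforcing anything.
    """
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    text = message["body"] + "\n" + message.get("attachment_text", "")
    cards = find_card_numbers(text)
    rows = message.get("attachment_rows", 0)

    if cards and external:                 # content + recipient context
        action = "alert" if mode == "monitor" else "block"
        return Verdict(action, f"{len(cards)} card number(s) to external {external}")
    if rows >= BULK_ROW_THRESHOLD and external:   # volume context
        return Verdict("alert", f"bulk export of {rows} rows to external {external}")
    return Verdict("allow", "no policy matched")


# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    {"to": ["bob@example.com"],
     "body": "Refund card 4111 1111 1111 1111 as discussed."},
    {"to": ["partner@supplier.test"],
     "body": "Card on file: 4111-1111-1111-1111, please charge the balance."},
    {"to": ["partner@supplier.test"],
     "body": "Your parcel tracking number is 12345678901234."},
    {"to": ["analyst@supplier.test"],
     "body": "Customer export attached.", "attachment_rows": 25000},
]


def false_positive_comparison(messages=SAMPLE_MESSAGES) -> tuple[int, int]:
    """Count messages flagged by the broad (shape only) vs precise (shape + Luhn) detector."""
    broad = sum(1 for m in messages if find_card_numbers(m["body"], precise=False))
    precise = sum(1 for m in messages if find_card_numbers(m["body"], precise=True))
    return broad, precise


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["to"], evaluate(m, mode="monitor"), evaluate(m, mode="enforce"))
    print("broad vs precise hits:", false_positive_comparison())
```

The tracking number in the third message has the shape of a card number and trips the broad detector, but fails the Luhn check and is allowed through; the first message carries a real (test) card number but only to an internal colleague, so recipient context keeps it out of the alert queue. Only the second message is blocked once the policy leaves monitor mode, and the bulk export is surfaced as an alert for review rather than blocked outright.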
