ISO 27001 control 8.12 requires organizations to prevent unauthorized access, transmission, or extraction of information. Many companies still don't have a complete understanding of what this means in practice.
What is data leakage?
Data leakage means that information is accessed, transmitted, or extracted by unauthorized persons or systems - both internal and external. This includes:
Insider threats:
- Employees copying customer data to personal devices
- Staff sending trade secrets to competitors
- Personnel taking sensitive information when they leave
- Unintentional sharing of confidential documents
External threats:
- Cybercriminals stealing data through breaches
- Hackers exploiting vulnerabilities to access information
- Malicious software extracting data automatically
- Industrial espionage from competitors
System-related leakage:
- Misconfigured databases exposing information
- Insecure APIs leaking data
- Backup systems without encryption
- Cloud services with inadequate access controls
What does control 8.12 require?
Control 8.12 states that organizations shall apply data leakage prevention measures to systems, networks, and any other devices that process, store, or transmit sensitive information.
This means you must:
- Prevent unauthorized access to sensitive information
- Detect when someone attempts to access or copy protected data
- Block unauthorized transmission of information
- Monitor both internal employees and external systems
- Respond quickly when potential leakages are detected
Technical protection layers
The question that often comes up is "How do we protect ourselves?", and thoughts immediately turn to technical tools. Below is a list of some of the tools available for this. But - read on - it goes deeper than that.
Mimecast Incydr, Endpoint Protector, Teramind, and Microsoft Purview are all examples of technical solutions for handling insider threats.
But you also need to protect against external threats and ensure you have control over what your systems can do. Tools like Forcepoint, Zscaler, Netskope, Microsoft Defender, etc., come into scope here.
After that, you might start considering solutions like Symantec Data Loss Prevention or IBM Guardium.
In short - the list of vendors that can deliver technical solutions is long, and exactly what suits you should be based on a risk analysis - not because it's technically impressive.
What you should do before considering system protection
Documentation and governance
Technical solutions must be complemented with:
- Policies defining what is permitted and prohibited
- Procedures for handling sensitive information
- Training on both internal and external threats
- Incident handling when leakages are detected
- Regular risk assessment of new threats
Identify information assets
Map what sensitive information you handle:
- Personal data and GDPR data
- Trade secrets and intellectual property
- Financial information and PCI data
- Technical documentation and source code
Analyze the threat landscape
Understand where threats come from:
- Which employees have access to sensitive data?
- Which external parties can reach your systems?
- What technical vulnerabilities exist?
- What do your data flows look like?
Tip: With AmpliFlow, you can easily document and follow up on all these parts according to ISO 27001 requirements. This is where you conduct governance of the technical solutions.
Implement protection layers
Only now is it time to start thinking about building technical defense in depth:
- Preventive measures: Access control and encryption
- Detective measures: Monitoring and logging
- Responsive measures: Automatic blocking and incident handling
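As an added illustration of the three layers (this is example code written for this page, not something from the article or from any of the vendors named above), the small Python check below applies a preventive channel allow-list per classification label, a detective content inspection for regulated data types, and a responsive allow/alert/block decision. The channel policy, the classification labels, the detection rules and the outbound events are all constructed assumptions; a real deployment would take the policy from the information classification policy and feed the decisions into incident handling.

```python
"""Minimal data leakage prevention check built for this page (example only).

The allow-list, labels, detection rules and sample events are assumptions
made for the example, not the article's or any product's own rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Preventive layer: which channels may carry each classification level.
# Assumed policy for the example; unknown labels fail closed (no channels).
ALLOWED_CHANNELS: Dict[str, Set[str]] = {
    "public": {"email", "chat", "cloud_share", "usb"},
    "internal": {"email", "chat", "cloud_share"},
    "confidential": {"email"},   # e.g. encrypted corporate mail only
    "restricted": set(),         # never leaves the controlled system
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_valid(number: str) -> bool:
    """Luhn checksum, so a 16-digit order id is not mistaken for a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_sensitive(text: str) -> List[str]:
    """Detective layer: content inspection for regulated data types."""
    findings = []
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        findings.append("pci_card_number")
    if len(EMAIL_RE.findall(text)) >= 5:   # bulk personal data, e.g. a customer export
        findings.append("bulk_personal_data")
    return findings


@dataclass
class OutboundEvent:
    user: str
    channel: str
    classification: str   # label applied by the information owner
    content: str


@dataclass
class Decision:
    action: str           # "allow", "alert" or "block"
    reasons: List[str]


def evaluate(event: OutboundEvent) -> Decision:
    """Responsive layer: decide allow/alert/block from label, content and channel."""
    reasons: List[str] = []
    findings = detect_sensitive(event.content)
    effective = event.classification
    if findings and effective in ("public", "internal"):
        # Content is more sensitive than its label: treat it as confidential.
        reasons.extend(f"content matches {f}" for f in findings)
        effective = "confidential"
    if event.channel not in ALLOWED_CHANNELS.get(effective, set()):
        reasons.append(f"{effective} data not permitted via {event.channel}")
        return Decision("block", reasons)
    if reasons:
        # Channel is acceptable, but the label needs review by the owner.
        return Decision("alert", reasons)
    return Decision("allow", reasons)


# Constructed sample events for the example (not real data).
SAMPLE_EVENTS = [
    OutboundEvent("anna", "chat", "internal", "Lunch menu for Friday attached"),
    OutboundEvent("bob", "usb", "confidential", "Q3 board deck draft"),
    OutboundEvent("carl", "email", "public",
                  "Test card 4111 1111 1111 1111 for the demo"),
    OutboundEvent("dana", "cloud_share", "internal",
                  "Export: a@x.se, b@x.se, c@x.se, d@x.se, e@x.se"),
]


def run(events: List[OutboundEvent]) -> List[tuple]:
    """Evaluate every event and return (user, action) pairs for review."""
    return [(e.user, evaluate(e).action) for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        decision = evaluate(event)
        print(f"{event.user:5} {event.channel:12} -> {decision.action:5} {decision.reasons}")
```

The point of the three-way outcome is that a mislabelled document sent over a permitted channel produces an alert for the information owner rather than a hard block, which keeps legitimate business running while still surfacing the classification error; only a channel the policy never permits for that sensitivity is blocked outright.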
It's also wise to ensure the protection works and make these things a recurring part of how you work with information security:
- Conduct penetration tests
- Simulate insider threat scenarios
- Test incident handling processes
- Validate that legitimate business activity is not affected
FAQ - Frequently Asked Questions
Must we buy expensive technical solutions to comply with control 8.12?
No, not necessarily. ISO 27001 doesn't require specific technical products. You can implement data leakage prevention through a combination of:
- Policies and procedures that limit how sensitive data may be handled
- Training that teaches employees to identify and avoid risks
- Organizational measures like access control and authorization management
- Existing tools already present in your systems
Example: Instead of buying Google DLP, you can create rules that sensitive data may not be stored in Google Drive, or only allow specific folders with restricted access.
We don't have budget for technical DLP solutions. Will we still pass the audit?
Yes, if you handle the risk correctly. Follow these steps:
- Document the risk - describe what could happen if data leaks
- Calculate cost vs. benefit - show that the DLP investment is greater than the potential damage
- Get management approval - the top executive must formally accept the risk
- Implement alternative measures through policies and procedures
This is called risk acceptance and is completely permitted under ISO 27001.
Are policies and procedures sufficient for data leakage prevention?
It depends on your risk profile. Ask yourself:
- What type of sensitive data do you handle?
- How large is the potential damage from leakage?
- What threats do you face (internal vs. external)?
- Are there regulatory requirements (GDPR, patient data laws)?
For many smaller companies, well-written policies combined with training and basic technical measures are sufficient. Larger organizations with highly sensitive data usually need more advanced technical solutions.
How do we document data leakage prevention in AmpliFlow?
Below are non-exhaustive examples of how you can address this simply by documenting it using pages in AmpliFlow (there are of course many other ways to do it that suit your specific needs):
Information classification policy:
- Define what counts as sensitive data
- Rules for handling different information types
- Requirements for labeling and protecting documents
IT security policy:
- Rules for internet use and email
- Permitted communication channels for sensitive data
- Requirements for passwords and access protection
Security procedures for IT department:
- Procedures for network monitoring
- Log review routines
- Incident handling process
Risk register:
- Identified data leakage risks
- Selected measures or risk acceptance
- Follow-up and regular reassessment
What happens if we don't implement control 8.12 at all?
This is not an option. Control 8.12 is mandatory in ISO 27001. You must either:
- Implement the control through technical or organizational measures
- Formally accept the risk with management approval
- Show that the control is not relevant to your business (very uncommon)
Completely ignoring the control will result in failing the audit.
How often must we update our data leakage prevention?
Regularly, at least annually. Check:
- New threats and vulnerabilities that may affect you
- Changes in the business that create new risks
- Updates to regulations that affect requirements
- Effectiveness of existing measures
- New technical possibilities that can improve protection
Document all changes in your management system and ensure employees receive updated training.
Common mistakes
- Only focusing on external threats: Studies show that the majority of data leakages come from insiders
- Forgetting third parties: Suppliers and partners can also pose risks
- Not monitoring privileged users: IT administrators and managers need extra monitoring
- Missing mobile devices: Smartphones often hold data as sensitive as that on computers
Next steps
- Conduct a threat analysis - identify both internal and external risks
- Map information flows - understand how data moves in the organization
- Prioritize protective measures based on risk and impact
- Document everything in your management system according to ISO 27001 requirements
- Select technical solutions that cover all identified threats
Data leakage prevention according to ISO 27001 requires a holistic approach where you protect against both well-meaning employees who make mistakes and malicious actors who actively try to steal your information.