What the auditor wants to verify
Audit objective
Verify that DLP measures are applied to systems, networks, and devices that process, store, or transmit sensitive information.
Evidence to request
| Evidence | Purpose |
|---|---|
| Sensitive data inventory | Shows DLP scope is known |
| Approved data flow register | Shows legitimate flows are defined |
| DLP policy/rule configuration | Shows controls match priorities |
| DLP alert records | Shows events are detected |
| False-positive review records | Shows tuning and triage |
| Transfer approval records | Shows sensitive transfers are authorized |
| User awareness records | Shows users know transfer rules |
| Leakage incident records | Shows events are escalated and handled |
Strong evidence
- DLP scope maps to sensitive/classified information.
- Approved data flows and channels are defined.
- DLP rules are tuned to the organization’s risk and data types.
- Alerts are reviewed, prioritized, tuned, and closed.
- Sensitive transfers have approval records.
- Users can explain approved sharing methods and reporting steps.
Weak evidence
- DLP tool exists but rules are generic.
- No approved data flow map exists.
- Alerts are ignored due to false positives.
- Sensitive transfers happen through informal channels.
- Exceptions are unmanaged.
Sample interview questions
- What sensitive information is protected by DLP?
- Which channels are approved for sensitive transfer?
- What do you do if you need to send sensitive information externally?
- What happens when a DLP alert is triggered?
- How are false positives handled?
Common nonconformities
- DLP scope not linked to sensitive information.
- No approved data flow register.
- DLP alerts not reviewed.
- Users unaware of approved transfer methods.
- Business flows use unencrypted or unapproved channels.
Related notes
- Audit
- Evidence
- A8 12
- Iso27001
Note Metadata
Aliases: A.8.12 Evidence
Source: 04 Audit Evidence Packs/A.8.12 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.12 - Data Leakage Prevention
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.12 Data Leakage Prevention
- A.8.12 Audit Checklist
- Approved Sensitive Data Flow Register
- DLP Alert Review and Tuning Log
- DLP Scope and Rule Register
- Sensitive Data Transfer Approval Record
- Audit Evidence Index