Requirement
Requirement lens
This control asks whether data leakage prevention measures are applied to systems, networks, and devices that process, store, or transmit sensitive information.
“Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.”
Plain-language meaning
The organization should prevent sensitive information from leaving approved locations, systems, networks, or channels without authorization. This requires understanding which information is sensitive, where it is allowed to flow, how transfers are approved, and which flows should be detected or blocked.
Data leakage prevention is not only a DLP tool. A tool can help detect or block leaks, but the real control depends on classification, approved transfer methods, user awareness, exception handling, incident response, and realistic tuning of false positives.
Why this matters
Sensitive data can leak through email, web uploads, cloud storage, messaging apps, removable media, printing, screenshots, backups, file transfers, unmanaged devices, or legitimate business flows using weak channels.
DLP is difficult because the organization must distinguish between unauthorized leakage, approved transfer, and legitimate business need that still violates risk appetite. Without clear rules, DLP alerts become noise or block business unnecessarily.
Implementation guidance
Implementer focus
Start with data flows. A DLP tool cannot be tuned well if the organization does not know what information should move, where it may go, and how it should be authorized.
1. Define sensitive information in scope
Use classification, asset inventory, privacy records, and business requirements to define which information needs DLP controls.
Examples include:
- personal data and special category data;
- payment card data;
- intellectual property;
- source code;
- credentials and secrets;
- regulated records;
- confidential customer or supplier information.
2. Map approved data flows
For each sensitive information type, define:
| Flow area | Practical decision |
|---|---|
| Source | Where information originates |
| Destination | Where it may go |
| Channel | Email, SFTP, portal, cloud storage, API, backup shipment |
| Protection | Encryption, approved platform, DLP rule, logging |
| Authorization | Who approves transfer and under what condition |
| Evidence | Transfer log, approval, DLP event, exception record |
3. Apply DLP controls where risk justifies them
DLP measures may include endpoint DLP, email DLP, web upload controls, cloud app controls, removable media controls, print controls, network DLP, content inspection, classification labels, encryption enforcement, or alert-only monitoring.
4. Tune alerts and false positives
False positives can make DLP unusable. The organization should define how alerts are reviewed, tuned, prioritized, and closed. High-risk data types should not be buried under noisy rules.
5. Train users on approved transfer methods
Users with access to sensitive data should understand what they may transfer, where, how, and with what authorization. They should know how to report suspected leakage.
Audit guidance
Auditor focus
Test whether DLP scope is tied to sensitive information, approved flows are defined, DLP rules match organizational priorities, and alerts are reviewed and acted on.
Auditors should verify:
- sensitive information scope;
- systems, networks, and devices processing sensitive information;
- approved data flow map;
- DLP tool/rule configuration;
- alert examples and prioritization;
- false-positive handling;
- blocked and allowed transfer records;
- transfer approval records;
- user awareness evidence;
- leakage incident handling and escalation.
Interview users who handle sensitive data. They should know approved sharing methods, authorization routes, and what to do if they suspect leakage.
Evidence examples
Evidence quality
Strong evidence proves DLP scope, rules, alerts, approvals, and user behavior align with sensitive information risk.
| Evidence | What it proves |
|---|---|
| Sensitive data inventory | Data in scope is known |
| Approved data flow register | Legitimate flows are defined |
| DLP policy/rule configuration | Controls match data priorities |
| DLP alert records | Leakage events are detected |
| False-positive review records | Rules are tuned and usable |
| Transfer approval records | Sensitive transfers are authorized |
| User awareness records | Users know transfer rules |
| Leakage incident records | Events are escalated and handled |
Strong evidence
- DLP scope is traceable to classified/sensitive information.
- Rules are configured for actual sensitive data flows.
- Alerts are reviewed, prioritized, tuned, and closed.
- Users know approved transfer methods and reporting routes.
- Legitimate transfers have approval evidence.
- Leakage incidents link to incident response where needed.
Weak evidence
- DLP tool is deployed but rules are generic.
- No approved data flow map exists.
- Alerts are ignored due to false positives.
- Users do not know approved sharing channels.
- Sensitive transfers happen by informal email or consumer cloud tools.
- DLP exceptions are unmanaged.
Common failures
Implementation watchouts
A.8.12 fails when DLP is treated as a monitoring product instead of a data-flow governance control.
| Failure | Why it matters |
|---|---|
| Sensitive data scope unclear | DLP rules cannot target the right data |
| No approved flow map | Legitimate and illegitimate transfers are confused |
| Excessive false positives | Alerts become ignored |
| Business flows use weak channels | Authorized transfer still creates leakage risk |
| Users not trained | People bypass controls or use wrong channels |
| Exceptions not managed | Temporary bypass becomes normal practice |
Exam traps
Exam focus
A.8.12 is not just buying DLP software. It requires identifying sensitive information, approved flows, transfer authorization, user awareness, and alert handling.
| Trap | Correct interpretation |
|---|---|
| DLP equals a tool | Tooling supports a broader data-flow control |
| Blocking everything is the goal | Approved business flows still need to operate securely |
| False positives are only a technical issue | They affect control effectiveness and audit evidence |
| Authorized transfer is always acceptable | Channel, encryption, approval, and risk appetite still matter |
| Users do not need to understand DLP | Users must know approved sharing and reporting routes |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.3 Information Access Restriction
- A.8.10 Information Deletion
- A.8.11 Data Masking
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
- A.5.34 Privacy and Protection of PII
- A.6.3 Information Security Awareness Education and Training
- Risk Assessment
- Statement of Applicability
- DLP Scope and Rule Register
- Approved Sensitive Data Flow Register
- DLP Alert Review and Tuning Log
- Sensitive Data Transfer Approval Record
- A.8.12 Audit Evidence Pack
- A.8.12 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.12 prevents sensitive data from leaving through unapproved flows. Strong implementation proves the organization knows sensitive data, defines approved flows, configures DLP rules, manages alerts, authorizes transfers, and trains users.
- Define sensitive information in DLP scope.
- Map approved data flows and transfer methods.
- Configure DLP rules to match risk and classification.
- Review and tune alerts.
- Train users on approved sharing and leakage reporting.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Dlp
- Data leakage
- Audit
Note Metadata
Aliases: A.8.12, Data Leakage Prevention, DLP
Source: 05 Annex A Technological Controls/A.8.12 Data Leakage Prevention.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- A.8.12 Audit Evidence Pack
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.3 - Information Access Restriction
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.12 Data Leakage Prevention
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-032 - DLP and Backup
- ISO 27002 Annex A Control Interpretation Map
- A.8.12 Audit Checklist
- Approved Sensitive Data Flow Register
- DLP Alert Review and Tuning Log
- DLP Scope and Rule Register
- Sensitive Data Transfer Approval Record
- Annex A Controls MOC