UnixTime

Research Note

ISO 27001 A.8.12 - Data Leakage Prevention

The organization should prevent sensitive information from leaving approved locations, systems, networks, or channels without authorization. This requires understanding which in...

On this page

Requirement

Requirement lens

This control asks whether data leakage prevention measures are applied to systems, networks, and devices that process, store, or transmit sensitive information.

“Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.”

Plain-language meaning

The organization should prevent sensitive information from leaving approved locations, systems, networks, or channels without authorization. This requires understanding which information is sensitive, where it is allowed to flow, how transfers are approved, and which flows should be detected or blocked.

Data leakage prevention is not only a DLP tool. A tool can help detect or block leaks, but the real control depends on classification, approved transfer methods, user awareness, exception handling, incident response, and realistic tuning of false positives.

Why this matters

Sensitive data can leak through email, web uploads, cloud storage, messaging apps, removable media, printing, screenshots, backups, file transfers, unmanaged devices, or legitimate business flows using weak channels.

DLP is difficult because the organization must distinguish between unauthorized leakage, approved transfer, and legitimate business need that still violates risk appetite. Without clear rules, DLP alerts become noise or block business unnecessarily.

Implementation guidance

Implementer focus

Start with data flows. A DLP tool cannot be tuned well if the organization does not know what information should move, where it may go, and how it should be authorized.

1. Define sensitive information in scope

Use classification, asset inventory, privacy records, and business requirements to define which information needs DLP controls.

Examples include:

  • personal data and special category data;
  • payment card data;
  • intellectual property;
  • source code;
  • credentials and secrets;
  • regulated records;
  • confidential customer or supplier information.

2. Map approved data flows

For each sensitive information type, define:

Flow area Practical decision
Source Where information originates
Destination Where it may go
Channel Email, SFTP, portal, cloud storage, API, backup shipment
Protection Encryption, approved platform, DLP rule, logging
Authorization Who approves transfer and under what condition
Evidence Transfer log, approval, DLP event, exception record

3. Apply DLP controls where risk justifies them

DLP measures may include endpoint DLP, email DLP, web upload controls, cloud app controls, removable media controls, print controls, network DLP, content inspection, classification labels, encryption enforcement, or alert-only monitoring.

4. Tune alerts and false positives

False positives can make DLP unusable. The organization should define how alerts are reviewed, tuned, prioritized, and closed. High-risk data types should not be buried under noisy rules.

5. Train users on approved transfer methods

Users with access to sensitive data should understand what they may transfer, where, how, and with what authorization. They should know how to report suspected leakage.

Audit guidance

Auditor focus

Test whether DLP scope is tied to sensitive information, approved flows are defined, DLP rules match organizational priorities, and alerts are reviewed and acted on.

Auditors should verify:

  • sensitive information scope;
  • systems, networks, and devices processing sensitive information;
  • approved data flow map;
  • DLP tool/rule configuration;
  • alert examples and prioritization;
  • false-positive handling;
  • blocked and allowed transfer records;
  • transfer approval records;
  • user awareness evidence;
  • leakage incident handling and escalation.

Interview users who handle sensitive data. They should know approved sharing methods, authorization routes, and what to do if they suspect leakage.

Evidence examples

Evidence quality

Strong evidence proves DLP scope, rules, alerts, approvals, and user behavior align with sensitive information risk.

Evidence What it proves
Sensitive data inventory Data in scope is known
Approved data flow register Legitimate flows are defined
DLP policy/rule configuration Controls match data priorities
DLP alert records Leakage events are detected
False-positive review records Rules are tuned and usable
Transfer approval records Sensitive transfers are authorized
User awareness records Users know transfer rules
Leakage incident records Events are escalated and handled

Strong evidence

  • DLP scope is traceable to classified/sensitive information.
  • Rules are configured for actual sensitive data flows.
  • Alerts are reviewed, prioritized, tuned, and closed.
  • Users know approved transfer methods and reporting routes.
  • Legitimate transfers have approval evidence.
  • Leakage incidents link to incident response where needed.

Weak evidence

  • DLP tool is deployed but rules are generic.
  • No approved data flow map exists.
  • Alerts are ignored due to false positives.
  • Users do not know approved sharing channels.
  • Sensitive transfers happen by informal email or consumer cloud tools.
  • DLP exceptions are unmanaged.

Common failures

Implementation watchouts

A.8.12 fails when DLP is treated as a monitoring product instead of a data-flow governance control.

Failure Why it matters
Sensitive data scope unclear DLP rules cannot target the right data
No approved flow map Legitimate and illegitimate transfers are confused
Excessive false positives Alerts become ignored
Business flows use weak channels Authorized transfer still creates leakage risk
Users not trained People bypass controls or use wrong channels
Exceptions not managed Temporary bypass becomes normal practice

Exam traps

Exam focus

A.8.12 is not just buying DLP software. It requires identifying sensitive information, approved flows, transfer authorization, user awareness, and alert handling.

Trap Correct interpretation
DLP equals a tool Tooling supports a broader data-flow control
Blocking everything is the goal Approved business flows still need to operate securely
False positives are only a technical issue They affect control effectiveness and audit evidence
Authorized transfer is always acceptable Channel, encryption, approval, and risk appetite still matter
Users do not need to understand DLP Users must know approved sharing and reporting routes

KB-ready summary

Mentor takeaway

A.8.12 prevents sensitive data from leaving through unapproved flows. Strong implementation proves the organization knows sensitive data, defines approved flows, configures DLP rules, manages alerts, authorizes transfers, and trains users.

  • Define sensitive information in DLP scope.
  • Map approved data flows and transfer methods.
  • Configure DLP rules to match risk and classification.
  • Review and tune alerts.
  • Train users on approved sharing and leakage reporting.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Dlp
  • Data leakage
  • Audit

Note Metadata

Aliases: A.8.12, Data Leakage Prevention, DLP

Source: 05 Annex A Technological Controls/A.8.12 Data Leakage Prevention.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.