ISO/IEC 27002:2022 introduces several new information security controls, including A8.12 – Data leakage prevention.
This blog takes a brief look at what is required.
Data leakage prevention in ISO 27002:2022
The new control 8.12 – Data leakage prevention has been added to ISO/IEC 27002:2022 to ensure organisations have measures in place to detect and prevent the unauthorised disclosure and extraction of information, whether by individuals or by systems.
The control requires that data leakage prevention measures be applied to systems, networks and any other devices that process, store or transmit information.
How to Evidence A8.12 of ISO 27002:2022
Organisations can evidence control A8.12 in several ways, including:
- applying the organisation's classification scheme to information, so that leakage controls know which information needs protecting;
- monitoring the channels through which information can leave, such as scanning email, file transfers and the use of removable storage devices;
- tooling that blocks user actions which could expose sensitive information, for example preventing information from being copied from a database into a spreadsheet.
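The monitoring and blocking bullets above describe a content inspection decision: look for classified or structured sensitive data in an outbound message and allow, alert or block depending on where it is going. The following is an added example, not code from the original post or from any ISO document, of that decision as an email gateway might make it. The classification labels, the internal domain `corp.example`, the policy (block if any recipient is external, otherwise alert) and the sample messages are all assumptions constructed for the example; the Luhn check is there to filter out digit runs that merely look like payment card numbers.

```python
import re
from dataclasses import dataclass, field

# Labels from the organisation's classification scheme that must not leave the
# organisation. The scheme is assumed; ISO 27002 does not prescribe levels.
RESTRICTED_LABELS = ("RESTRICTED", "CONFIDENTIAL")

# Candidate payment card numbers: 13 to 19 digits, optionally space- or dash-separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "pan" (card number) or "label" (classification marking)
    detail: str


@dataclass
class Verdict:
    action: str  # "allow", "alert" or "block"
    findings: list = field(default_factory=list)


def inspect_message(body: str, recipients: list[str], internal_domain: str) -> Verdict:
    """Decide what an outbound gateway should do with a message.

    Assumed policy: sensitive content to any external recipient is blocked;
    sensitive content that stays internal is allowed but raised as an alert;
    everything else is allowed.
    """
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("pan", f"card number ending {digits[-4:]}"))
    for label in RESTRICTED_LABELS:
        if re.search(rf"\b{label}\b", body):
            findings.append(Finding("label", label))

    if not findings:
        return Verdict("allow")
    suffix = "@" + internal_domain.lower()
    if any(not r.lower().endswith(suffix) for r in recipients):
        return Verdict("block", findings)
    return Verdict("alert", findings)


# Constructed sample messages: (body, recipients).
SAMPLES = {
    "external_confidential": ("Attached is the CONFIDENTIAL board pack.", ["partner@external-example.org"]),
    "internal_card": ("Refund card 4111 1111 1111 1111 for order 8812.", ["finance@corp.example"]),
    "lookalike_digits": ("Ticket ref 4111 1111 1111 1112 raised.", ["partner@external-example.org"]),
    "plain": ("Lunch at noon?", ["partner@external-example.org"]),
}


def run_samples() -> dict[str, str]:
    """Run every sample through the gateway decision and return name -> action."""
    return {name: inspect_message(body, rcpts, "corp.example").action
            for name, (body, rcpts) in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
```

The same structure applies to file transfers and removable media: the content inspection stays the same and only the "where is it going" test changes. A real deployment would add more detectors, inspect attachments, and tune for the false positives that a pure regex approach produces (invoice and ticket numbers are the usual culprits, which is why the Luhn filter is there).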
Implement A8.12 – Data leakage prevention
Data leakage can be hard to detect, so we recommend starting with a detailed risk assessment of the data you handle: where it is stored, who and what can access it, and which channels (email, file transfers, removable storage) it can leave by. This will help you identify weaknesses in your current data processing procedures that could lead to an unauthorised disclosure of data.
Although prevention is better than cure, many organisations also take an "assumed breach" approach. On that basis you may consider "seeding" datasets with unique, fictitious records that appear nowhere else, so that finding one of them in a scan of "dark web" or "pasted" data tells you that that particular dataset has leaked. Seeding detects a leak after the fact rather than preventing it, so it complements the measures above instead of replacing them.
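To make the seeding idea concrete, here is an added example (not code from the original post) that derives unique canary records for a dataset, appends them, keeps a separate registry of which canary marks which dataset, and then scans a piece of text for any registered canary. It goes one step beyond the text: seeding each copy of an export with its own canaries tells you not just that the export leaked but which copy did. The secret, the `example.com` domain, the fictitious names and the "paste" being scanned are all constructed assumptions; in practice the secret would be held in a secrets manager and the scan would be fed by whatever paste or breach monitoring feed you subscribe to.

```python
import hashlib
import hmac

# Assumptions for the example: a managed secret (here a constructed value) and a
# domain the organisation controls, so canary addresses could also receive mail.
SECRET = b"constructed-demo-secret-do-not-reuse"
CANARY_DOMAIN = "example.com"

# Fictitious names for canary rows; they should blend in with real records.
CANARY_NAMES = ("Alex Moreno", "Priya Sutton", "Jordan Keller")


def canary_email(secret: bytes, dataset_id: str, index: int, domain: str = CANARY_DOMAIN) -> str:
    """Derive a unique address for canary row `index` of `dataset_id`.

    HMAC over (dataset, index) makes the address reproducible for the owner but
    unpredictable to anyone else, so it cannot be guessed or collide with real data.
    """
    tag = hmac.new(secret, f"{dataset_id}:{index}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"{tag}@{domain}"


def seed_dataset(records: list, dataset_id: str, secret: bytes = SECRET, count: int = 3):
    """Return a copy of `records` with `count` canary rows appended, plus a registry
    mapping each canary address to the dataset (or copy) it marks.
    The registry is what detection needs; keep it apart from the seeded data."""
    seeded = list(records)
    registry = {}
    for i in range(count):
        email = canary_email(secret, dataset_id, i)
        seeded.append({"name": CANARY_NAMES[i % len(CANARY_NAMES)], "email": email})
        registry[email] = dataset_id
    return seeded, registry


def find_leaked_datasets(blob: str, registry: dict) -> set:
    """Scan text (a paste, a dump, a breach listing) for registered canary addresses.
    Matching is case-insensitive because dumps are often reformatted."""
    lowered = blob.lower()
    return {dataset for email, dataset in registry.items() if email in lowered}


def demo() -> set:
    """Seed two copies of one export, one per recipient, then check a constructed
    paste to see which copy it came from."""
    export = [{"name": "Real Customer", "email": "customer@corp.example"}]  # constructed row
    seeded_a, reg_a = seed_dataset(export, "crm-export:partner-a")
    seeded_b, reg_b = seed_dataset(export, "crm-export:partner-b")
    registry = {**reg_a, **reg_b}

    # Constructed paste of partner B's copy; whoever dumped it upper-cased the address.
    leaked_row = seeded_b[-1]
    paste = ("--- users.csv ---\n"
             f"{leaked_row['name']},{leaked_row['email'].upper()}\n"
             "Real Customer,customer@corp.example\n")
    return find_leaked_datasets(paste, registry)


if __name__ == "__main__":
    print("leaked copies:", demo())
```

Two practical points. The seeded copy has to be the copy that is actually shared or stored, otherwise a leak of the unseeded original goes unnoticed. And an adversary who spots obviously synthetic rows can strip them, which is why the canaries should look like ordinary records and why the registry and secret must never travel with the data.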