Introduction
The ISO 27001 is one of the most recognized security standards for private sector organizations across the globe and is often required by prospective enterprise customers, helping organizations unlock new business opportunities.
ISO 27001 was recently updated along with its companion guidance standard ISO 27002. The updated title for this standard is ISO/IEC 27001:2022 Information Security, Cybersecurity, and Privacy Protection. This latest version of ISO 27001 will be required after October 31, 2025.
The revisions require new controls for organizations going forward. In this post we’re going to explain the added data leakage prevention requirement (A8.12) by explaining what it is and how you can satisfy it to ensure compliance with ISO 27001:2022.
How does ISO 27001 define data leakage prevention (DLP)?
ISO defines data leakage prevention (8.12) as preventive and detective control that reduces risk through proactive detection and prevention of unauthorized data disclosure.
When does 27001:2022 require DLP?
ISO 27001:2022 will be required after October 31, 2025, and it adds the following new data protection requirements:
- A.8.12: Data leakage prevention. A tool like Nightfall is now required if processing sensitive information (PII, PHI etc.), which is applicable to most businesses. The requirement states that “data leakage prevention measures shall be applied to systems, networks, and any other devices that process, store or transmit sensitive information.” Such as any cloud application used by these businesses.
What additional requirements does Nightfall DLP support?
Nightfall would meet the following requirements of the standard:
- A.8.10: Information deletion. Nightfall’s automated deletion meets this requirement, which states that “information stored on information systems, devices or in any other storage media shall be deleted when no longer required.”
- A.8.11: Data masking. Nightfall’s data masking in protecting data is identified as a specific requirement. The requirement states “data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.”
- A.8.16: Monitoring activities. Nightfall is a monitoring control that fits within this requirement that states “networks, systems and applications shall be monitored for anomalous behavior and appropriate action taken to evaluate potential information security incidents.”
- A.8.28: Secure coding. Nightfall’s protection of secrets and keys, none of which should ever be disclosed in development, supports this ISO requirement, which states that “secure coding principles shall be applied to software development.”
Conclusion
A cloud-native data loss prevention platform like Nightfall is now the easiest way to ensure compliance with new DLP rules in ISO/IEC 27001:2022. Nightfall integrates with cloud services like Slack, Confluence, Salesforce, Google Drive, and more in order to discover, classify, and protect sensitive data. Setup takes less than 3 minutes and helps ensure you meet the new requirements under ISO/IEC 27001:2022.
To learn more about Nightfall and see the platform in action, watch clips from our demo video library or schedule a call to discuss your use case.