Data leak prevention and ISO 27001 compliance

8 min read
Previous post
Next post

Let's start with the basics.

What is data loss prevention?

Data loss prevention (DLP) refers to the tools and processes used by organizations to ensure that sensitive data is not lost, misused, or accessed by unauthorized parties.

Effective DLP protects organizations against costly data breaches by delivering on data protection requirements to ensure compliance. One such requirement is ISO 27001, a standard for information security management systems (ISMS)

Conformity with ISO 27001 means that an organization has put in place a system(s) to manage risks related to the security of data, and that the system in question delivers on best practices outlined in the ISO standard. 

What does ISO 27001 require?

ISO 27001 sets out the specifications for an information security management system (ISMS). In fact, ISO 27001:2022 Annex A 8.12 specifically addresses the need for DLP, underscoring its critical role in safeguarding digital assets.

ISO 27001:2022 Annex A 8.12 defines DLP as the measures applied to systems, networks, and any other devices that process, store, or transmit sensitive information to prevent unauthorized disclosure and extraction.

Implementing effective DLP requires an in-depth understanding of what data must be protected, how to classify it, and the controls necessary to mitigate risks.

The human error factor: DLP and employee mistakes

Recent reports show that a significant aspect of data leaks, over 74% according to Verizon, stems from errors made by employees. Most errors happen when sharing information through email: misaddressed emails, inadvertent sharing of confidential documents, or insufficient security measures can lead to severe data breaches, to name a few. 

Bar-Chart-1200x1200px (1)

*Source: ICO data security trends

Recognizing and mitigating these risks through the use of DLP tools is essential for the overall security posture of an organization and, in effect, compliance with ISO 27001.

What do effective and compliant DLP strategies look like?

To align with ISO 27001:2022 Annex A 8.12, organizations must:

  • Identify and classify sensitive information requiring protection
  • Implement tailored controls based on risk assessments and business needs
  • Ensure continuous monitoring and testing of these controls to ensure sustainable effectiveness
  • Engage in regular internal audits to validate the efficacy and compliance of DLP measures

Email remains the most widely used means of communication within organizations. It is also one of the primary vectors for potential data breaches. After all, when email was initially built over 50 years ago, it was not designed to be secure, meaning there are undeniable vulnerabilities at its core. 

An effective DLP policy will enhance our most relied on communication platform to remedy these vulnerabilities. Forward thinking organizations are combining their DLP strategy to augment the likes of Outlook, M365 and Gmail with additional functionality to improve workflows, and protect data.

In this sense, DLP for email will do three things:

  • Prevent the leading cause of data leaks - human error 
  • Protect messages during and after sending with advanced encryption and MFA
  • Update existing email clients with integrated large file sharing capabilities

Leveraging automation and AI 

Intuitive DLP tools can automatically classify data according to its sensitivity, and apply the appropriate levels of encryption and authentication.

Advanced algorithms scan email content, identifying unusual or sensitive information, such as potentially incorrect recipients in the ‘to’ field, or the presence of personal data. When alerted to such information, employees can take pre-emptive action to correct mistakes, revoke data, or encrypt emails before sending, thereby avoiding a potentially disastrous incident.  

Protecting email from unauthorized access

Requiring recipients to authenticate their identities prior to accessing data is key for compliance. With the addition of MFA controls, users can ensure that even encrypted emails are secure once recieved.

Unlike end-to-end encryption, zero-access encryption ensures that the content of emails and files is stored in such a way that your solution provider can never access the information by itself. Using public-private key encryption, providers hold only the public keys of senders and recipients, used to encrypt the information. The sender and recipient holds their own private key, without the user knowing, either leveraging the organization's Single-Sign-On solution or using the user's password as a secret to be able to derive the private key via a cryptographic key-derivation function. 

DLP to empower IT leaders

Beyond employee activity, DLP solutions provide information security and IT teams with visibility of the way employees are handling sensitive data, and potential areas of concern. For example, if IT teams expect specific teams or individuals to be sharing large quantities of sensitive data (think finance, legal, or HR teams), but can see that emails are being sent unencrypted, action can be taken to deliver additional training, support, and tools.

In addition, in the wake of a data loss event, access to reports on data sent, received, and the levels of encryption used, enables compliance teams to take appropriate action, including limiting and/or containing a breach and reporting the incident to the relevant authorities.

Don’t block; enable

Organizations often falter in achieving top notch DLP by over-restricting access and hindering business operations. Often they expect employees to use different tools for very similar use-cases. For example, when sharing sensitive information, they are faced with customer portals, instant messaging applications, file sharing platforms, and standard email.

We still see instances in which emails are temporarily held and manually checked before sending. Employees face a multitude of pop-ups when attempting to share sensitive information externally, resulting in alert fatigue, or are pressured to triple check emails before sending.

This does little to build a culture of security awareness. Rather, employees are learning how to navigate hoops rather than jumping through them, simply to get on with their days. Simply put, when tools and processes don't meet the needs of people, your DLP strategy is unlikely to be effective.

It's time to learn from these mistakes and develop DLP plans that start with the people handing sensitive data every day. By focusing on the human factor and leveraging DLP tools judiciously, organizations can significantly mitigate the risk of data breaches, thereby ensuring compliance.

We empower over 10,000 organizations globally to meet their data protection requirements by empowering employees to communicate securely, effortlessly. Learn how we can support your business

What next?

How do we take the complex out of compliance? Here's a very quick preview...


First published -
Last updated - 09/04/24
Free demo
Free demo
Free demo

Ready for a deeper dive? So are we.