All security folks are familiar with ISO 27001. This powerhouse of a standard is the paradigm of information security excellence, designed to help organizations keep data safe, prevent cyber-attacks and manage security threats through the creation of an information security management system.
Beyond just being good for cybersecurity, ISO 27001 is also vital for business growth. Many suppliers, partners and customers require organizations to meet ISO 27001 in order to begin their business relationships.
What is ISO 27001:2022?
Towards the end of the last year, the ISO body shook things up, releasing a new iteration of ISO 27001 with numerous changes, known as ISO 27001:2022. The most notable revision in the new ISO 27001 can be found in Annex A, which points to the updated information security controls released in ISO 27002:2022.
Rather than dividing controls into 14 categories, ISO 27001 sets out security controls under four headline themes: organizational, people, physical and technological.
The number of controls in the document has also decreased, going from 114 to 93. It’s not that there are less controls to implement. Instead, the ISO body has merged numerous controls together, and added 11 new ones, which are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
Now, before you start panicking, it’s vital to note that ISO 27001:2022 isn’t in action just yet. The body has given organizations a two year transition period to alter their information security management systems, with a deadline of October 31st 2025.
It sounds like a long time, but it’s really only two years. To ensure you’re on the right side of compliance by the due date, you should start acting now.
With that in mind, below, we’ll explore one of the new controls in ISO 27001:2022: the data leakage prevention requirement.
What does ISO 27001 say about data leakage prevention (DLP)?
ISO refers to data leakage prevention as 8.12 in the new documentation. The body sees DLP as a dual-control that is both preventive and detective in nature, designed to stop the loss and theft of PII and PHI. This makes sense. Modern DLP solutions enable organizations to both protect sensitive information from compromise and modification, while also blocking malicious or accidental attempts to edit or download data.
While DLP has long been linked to email, ISO 27001 mandates that organizations implement it across systems, networks and devices that process, store, or transmit sensitive information. So, you’ll need to consider all possible avenues for data loss within your IT infrastructure: USB sticks, employee laptops and, of course, cloud applications.
It’s easy to see why ISO has placed such strong emphasis on DLP in the new ISO 27001. In today’s cloud-first world, data leakage and data theft are prominent issues for companies of all sizes. Data sprawl is also a huge problem, and businesses often have vast amounts of sensitive information spread across different environments.
How can I implement a compliant DLP strategy for ISO 27001?
Meeting ISO 27001’s DLP requirement will take careful consideration and the right tools. You’ll need to put several measures in place, including:
- An access control policy
- A secure document management policy
- A data classification policy
- Monitor potential avenues of data leakage, such as mobile devices, cloud applications and email
- Identify and monitor sensitive data to reduce the risk of sensitive data exposure
- Detect and block unauthorized access and/or usage of sensitive data
While all of this sounds like a tall order, it’s very achievable as long as you have the right solution. That’s where Polymer DLP comes in.
How Polymer DLP helps you meet the requirements of ISO 27001
Under the new iteration of ISO 27001, a solution like Polymer DLP is mandatory if you store, process or transmit PII and PHI. Our solution helps companies effortlessly protect sensitive data across cloud apps like Slack, Teams and Box.
Through the power of natural language processing and automation, Polymer DLP automatically identifies sensitive information in your cloud applications in both structured and unstructured formats.
From there, it monitors your sensitive data 24/7, using contextual authentication factors to protect sensitive information from malicious actors, unlawful access and compromise. Our engine looks at factors such as the user’s identity, the activity being performed, the nature of the data, and the file’s type and location to make a risk-based judgment.
Beyond helping you meet ISO 27001’s DLP requirement, Polymer also helps you meet the following controls:
- A.8.10: Information deletion. Polymer DLP is equipped with automatic deletion technologies, making it simple for your IT team to erase sensitive information that is no longer required.
- A.8.11: Data masking. Polymer DLP enables real-time redaction of sensitive material such as PII, HIPAA-protected health information. It identifies sensitive data in mid-transfer and masks that data, either via encryption or hashing, to prevent unauthorized users from accessing it.
- A.8.16: Monitoring activities. With 24/7 monitoring capabilities, Polymer DLP continuously oversees your sensitive information, empowering you with real-time visibility over where your data is, who’s attempting to access it, and any potential violations that a user has thwarted.
Start your ISO 27001 journey today with Polymer DLP
Get ahead of the requirements of ISO 27001:2022 with Polymer DLP, designed to make compliance easy and autonomous. Plus, with in-depth, automatic reporting capabilities, our tool makes satisfying auditors’ demands simple and stress-free.
Ready to take the first step towards better compliance? Run a fast, free Polymer risk scan to understand your data leakage risks.