Annex A · Technological Control

A.8.12 — Data Leakage Prevention

4 min read · Reviewed by: Cenedril Editorial
Tags: A.8.12 · ISO 27001 · ISO 27002 · BSI SYS.2.1

An employee forwards a spreadsheet with 10,000 customer records to their personal email address the week before resigning. A contractor uploads a product roadmap to a personal Dropbox. A developer pastes API credentials into a public Stack Overflow question. A.8.12 requires organizations to detect and prevent these kinds of unauthorized data disclosures.

Data leakage prevention is both a technical and organizational challenge. The control demands that organizations identify sensitive data, monitor the channels through which it could leave and implement measures to block or alert on unauthorized transfers.

What does the standard require?

  • Classify sensitive data. Identify which data categories require DLP protection based on classification and regulatory requirements.
  • Map leakage channels. Identify all channels through which sensitive data could leave the organization: email, web uploads, USB, printing, cloud services, messaging.
  • Implement detection and prevention. Deploy tools and policies that detect, alert on and block unauthorized data transfers.
  • Restrict high-risk actions. Control clipboard, screen capture, print and export functions for sensitive data where appropriate.
  • Consider legal requirements. Ensure DLP monitoring complies with privacy laws, employment regulations and works council agreements.

In practice

Deploy endpoint DLP. Monitor and control data transfers on endpoints: USB write operations, clipboard content, screen capture, file uploads to non-approved cloud services. Start in monitoring mode to understand normal patterns before enabling blocking.

Enable email DLP. Scan outbound email for sensitive content patterns (credit card numbers, personal ID numbers, classification labels) and block or quarantine messages that violate policy. Most email platforms (Microsoft 365, Google Workspace) include built-in DLP capabilities.
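As an added illustration of the pattern-based scanning described above (example code written for this page, not a mail platform's DLP engine), a small Python rule evaluator that flags Luhn-valid card numbers and classification labels in an outbound message and maps them to block, quarantine or allow. The regexes, label names and policy actions are assumptions, and the sample messages are constructed; the Luhn check is what keeps order numbers and ticket ids from being counted as card data.

```python
import re

# Assumed, simplified patterns; a real DLP policy carries many more rules.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit runs
LABEL_RE = re.compile(r"\b(Strictly Confidential|Confidential|Internal Only)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs (order ids, ticket numbers)
    that would otherwise be reported as card numbers (false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Luhn-valid card numbers in text, masked to the last 4 digits so the
    DLP alert itself does not become another leakage channel."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def evaluate(message: str) -> tuple[str, list[str]]:
    """Assumed policy: card data -> block, classification label -> quarantine,
    otherwise allow. Returns (action, reasons) for the DLP incident log."""
    reasons = []
    cards = find_card_numbers(message)
    if cards:
        reasons.append("card numbers: " + ", ".join(cards))
    labels = sorted({lab.title() for lab in LABEL_RE.findall(message)})
    if labels:
        reasons.append("classification labels: " + ", ".join(labels))
    if cards:
        return "block", reasons
    if labels:
        return "quarantine", reasons
    return "allow", reasons

# Constructed sample outbound messages (not real data).
SAMPLES = {
    "payment": "Please charge card 4111 1111 1111 1111, exp 12/27.",
    "order": "Order 1234 5678 9012 3456 shipped today.",  # fails Luhn: not a card
    "roadmap": "Attached: 2026 roadmap. Classification: Confidential",
}
```

Calling `evaluate(SAMPLES["order"])` returns `("allow", [])`, the case a naive digit-only regex would have reported as a card leak.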

Monitor cloud application usage. Use a Cloud Access Security Broker (CASB) to detect shadow IT — unauthorized cloud services where employees upload sensitive data. Block unsanctioned services and redirect users to approved alternatives.

Establish an exception process. Legitimate business needs sometimes require transferring sensitive data. Define a formal exception process: request, approval, time-limited allowance, logging. Without this, users will find workarounds.

Typical audit evidence

Auditors typically expect the following evidence for A.8.12:

  • DLP policy — documented rules for data leakage prevention (see Data Deletion and DLP Policy in the Starter Kit)
  • DLP tool configuration — rules, channels monitored and actions taken
  • DLP incident reports — alerts triggered, actions taken, trends over time
  • Exception records — approved exceptions with justification and time limits
  • Legal analysis — documentation of compliance with privacy and employment law

KPI

Percentage of data exfiltration channels covered by DLP controls

Measured as a percentage: how many of the identified data leakage channels have active DLP controls? Target: 100% for high-risk channels (email, USB, cloud upload).

Supplementary KPIs:

  • Number of DLP incidents per month (trend analysis)
  • Percentage of incidents requiring actual intervention vs. false positives
  • Number of unsanctioned cloud services detected per quarter

BSI IT-Grundschutz

A.8.12 maps to BSI modules that address data leakage at the endpoint and network level:

  • SYS.2.1 (General Client) — requirements for controlling data transfer channels on workstations (USB, cloud, printing).
  • SYS.4.1 (Printers and Multifunction Devices) — preventing sensitive data leakage through print channels.
  • NET.1.1 (Network Architecture) — network-level controls to prevent unauthorized data exfiltration.

Frequently asked questions

Is a DLP tool mandatory under ISO 27001?

ISO 27001 does not mandate specific tools. However, the control requires measures to detect and prevent unauthorized disclosure. For most organizations, achieving this without some form of DLP tooling is impractical.

What are the most common data leakage channels?

Email (attachments and body text), cloud storage uploads, USB drives, screen sharing during video calls, messaging apps and print-to-PDF. Many organizations focus on email but overlook the rest.

How do we balance DLP with employee privacy?

Before deploying DLP, consult your legal counsel and works council. In many jurisdictions, monitoring employee communications requires legal basis, transparency and proportionality. Document your legal analysis and communicate the monitoring to employees.