Updated: Apr 20, 2023   |   Tom Cope

What to Know About Changes to ISO 27001: 2022 - Data Loss Prevention

Security certifications are increasingly important in today’s business environment. Customers want assurances that the information they share with vendors will be kept safe. Business partners are more aware of supply chain weaknesses and no longer accept claims of security practices without evidence. ISO 27001 is the “gold standard” cyber security companies look for when building business relationships, as a hallmark of good security practices.
 
There are several standards with which organizations can choose to comply. Among the broadest and most respected is ISO 27001. This is the international standard for information security produced by the International Organization for Standardization (ISO), “an independent, non-governmental international organization with a membership of 167 national standards bodies.”
 
ISO 27001 provides the privacy and security requirements for an organization’s Information Security Management System (ISMS). A companion document, ISO 27002, acts as a “how to” guide to implementing ISO 27001 and provides best-practice guidance on applying the controls listed in Annex A of ISO 27001.

Data Leakage Protection

As one would expect, the standard is updated periodically as technology and the threat landscape evolve. The latest revision, ISO 27001:2022, was released in October and included a new requirement to prevent “data leakage”.  Annex A 8.12: Data leakage prevention states:
 
“Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.”
 
To be clear, the need to protect sensitive data from unauthorized leakage was always implicit in earlier versions of the standard. Among other requirements, organizations seeking certification needed to classify data, protect information shared through electronic messaging, and protect the confidentiality and security of personally identifiable information. These are all provided by DLP solutions like Reveal.

The newest release now makes the requirement explicit. The Control type lists two requirements to meet certification:

  • #Preventive – This indicates the controls should stop an incident from occurring. In other words, use techniques that will identify attacks in progress, prior to exfiltration of sensitive data.

  • #Detective – Recognizing that no solution is perfect, this requires organizations to be aware of and able to investigate any incidents that do occur.

Annex A 8.12 Guidance

The guidance for data leakage prevention is specific and requires organizations to monitor many exfiltration channels supported by Reveal, including:

  • Email – Real time classification of email attachments, including browser-based email sites.

  • Portable storage devices – Prevents movement of sensitive information to USB devices other than by authorized users to those devices explicitly approved by the organization.

  • SaaS applications – Monitors data as it is used to prevent movement to unauthorized applications, including O365 and Google Workspace.

  • Untrusted third-party cloud services – Monitors data as it is used to prevent movement to unauthorized applications including Box, Dropbox, and others.

  • Screenshots and copy/paste of sensitive information – Reveal can clear a clipboard containing sensitive information, whether it is copied from or to an email, messaging app, document, spreadsheet, or other format.

  • Printing – Reveal supports print control and can prevent printing other than by authorized users on authorized devices.

Further, Reveal works in a user-friendly manner. Incident-based training allows organizations to train their employees to make the right decisions. On detection of unacceptable behavior, Reveal reinforces corporate security policies. A pop-up will remind the user that the attempted action puts data at risk. It can even require the user to acknowledge the policy or display the policy to promote good cyber hygiene. Security teams can easily view all policy violations in a single pane of glass, and a human-centric approach highlights users with a high risk score to allow for easier prioritization.

How Reveal Works

Reveal uses a lightweight endpoint agent to continuously monitor all endpoints. It uses AI and machine learning to learn, in real time, how data is used on the endpoint. Agents roll out in five minutes and begin collecting data and enforcing policies immediately.
 
Because the agent is on the endpoint, it detects and mitigates threats on and off the corporate network. It can warn users or halt suspicious activity by isolating devices from the network, locking out user sessions, blocking uploads, and killing processes to protect your organization.
 
If your organization is working to meet the latest ISO 27001:2022 requirements, we can help.
