New ISO 27001: Preventing Data Leakage is Mandatory
In the future, companies that are certified to ISO 27001 or are seeking certification will have to pay close attention to data leakage prevention (DLP).
The 2022 revision of the standard and the supplementary ISO 27002 explicitly require the prevention of data leakage for the first time.
More than 1,600 German companies affected
In Germany, this affects more than 1,600 companies that were certified to ISO 27001 at the end of 2021. If they want to securely retain their certification, they need to take action, because the requirements for information security management systems (ISMS) are increasing with the new version of the standard from last year. Both ISO 27001:2022 and ISO 27002:2022, which describes the ISO 27001 measures listed in Annex A in more detail, now include data leakage prevention (DLP) among the required measures.
DLP prevents the leakage of sensitive information, such as personal data or valuable intellectual property. In Germany in particular, however, the topic is often still neglected because companies underestimate their risk and fear a high outlay. However, at least companies aiming for initial certification or re-certification according to ISO 270001 should now take a close look at DLP.
Introduction often faster than expected
According to the experience of IT security provider Forcepoint, data leak prevention is introduced much faster in practice than companies usually assume. According to Forcepoint, good solutions reliably detect data across all storage locations and classify it largely automatically with the help of AI and machine learning, so that very little manual work is required. They also come with a comprehensive set of predefined policies for handling data that needs protection, according to Forcepoint, and thereby quickly provide basic protection.
However, Forcepoint says DLP solutions don’t just help with the new ISO 27001 point 8.12, which is about data leakage prevention. In fact, companies can also benefit from the solutions when it comes to implementing other measures that they regularly struggle with. These include the classification of information (5.12), information security when using cloud services (5.23) and the deletion of information (8.10). Until now, companies have often lacked an overview of what data they actually have and what storage or deletion periods they are subject to.
“DLP has rarely been implemented in Germany – and when it is, it’s usually done half-heartedly with manual data classifications or rigid policies,” says Frank Limberger, Data & Insider Threat Security Specialist at Forcepoint in Munich. “Yet modern DLP solutions with automated data discovery, automated data classification and predefined policies make implementation comparatively easy. They also use risk identification to adapt their responses to the situation.”