Annex A 8.12 (ISO/IEC 27001:2022)

Data Leakage Prevention Measures

Implement measures to stop sensitive data from being leaked or stolen from your systems.


Plain language

Data leakage prevention is about making sure sensitive information doesn't slip out of an organisation's control and into the wrong hands. This matters because if your private data leaks, it could lead to financial losses, legal troubles, or damage to your reputation. It's like locking the door when you leave your house to keep burglars out, ensuring your data stays safe and sound.

Framework

ISO/IEC 27001:2022

Control effect

Preventative

ISO 27001 domain

Technological controls

Classifications

N/A

Official last update

24 Oct 2022

Control Stack last updated

19 May 2026

Maturity levels

N/A

Official control statement

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Source: ISO/IEC 27001:2022, Annex A 8.12

Why it matters

Without DLP controls, sensitive data may be exfiltrated via email, web uploads or removable media, causing financial loss, reputational damage and regulatory penalties.


Operational notes

Regularly tune DLP policies for email, endpoints and cloud apps: validate that alerts correspond to real sensitive data, measure and reduce false positives (a noisy rule is one staff learn to ignore), and ensure every confirmed incident is triaged, remediated and recorded promptly.


Implementation tips

  • The IT manager should identify and label sensitive information across systems and networks. This means building an inventory of where data lives (file shares, databases, mailboxes, collaboration and cloud apps, endpoints), determining which of it is sensitive, such as customer personal information or product secrets, and labelling it so the protection it needs is visible to people and to tooling. Use discovery and classification tools to scan and label data automatically, and align the classification scheme with the Australian Privacy Principles under the Privacy Act 1988, which the OAIC regulates.
  • The security team should set up and maintain data leakage prevention tools. These tools inspect data as it moves through your systems (outbound email, web and cloud uploads, removable media, printing) and stop it reaching destinations it shouldn't, such as a personal webmail account or an unsanctioned cloud service. Configure them to alert on, and block, transfers of sensitive data unless the destination is authorised, and to log each decision so it can be reviewed and used as audit evidence.
  • HR should include data protection responsibilities in employee training programs. This training should help staff understand why protecting data is crucial and what risky actions, like using personal emails for work, they should avoid. Regular workshops and online courses can keep this knowledge fresh, paired with organisation policies around data use.
  • The compliance officer should review and update the data protection policies regularly. This ensures the policies track current legal requirements and recognised guidance, such as the Australian Signals Directorate's Essential Eight, and reflect changes in business operations or technology use. Regular policy audits are needed to confirm the policies are actually being applied, not just published.
  • The finance manager should ensure that budgets allow for necessary technology and training updates. Investing in the latest data protection tools and skills is essential for effective data leakage prevention, helping to manage risks more effectively. Consider the costs of potential data breaches when planning budgets to justify these expenses.
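The classification, detect-and-block and false-positive points above can be made concrete. The following is an added example written for this page, not code from the page or from any DLP product: a small content-inspection policy engine in Python that classifies a message, decides whether it may go to a given recipient, and emits the kind of decision log an auditor would ask for. The detector catalogue, the allowlisted domain example.com.au and the sample messages are constructed assumptions; the TFN and card number are widely published test values. The checksum validators next to each numeric pattern are the false-positive control: a nine-digit invoice number does not raise an alert.

```python
"""Content-inspection DLP policy engine: classify, decide, log (added example, not from the page)."""
import json
import re
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    INTERNAL = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class Finding:
    detector: str
    sensitivity: Sensitivity
    evidence: str  # masked: the DLP log must not become a second copy of the leak


@dataclass(frozen=True)
class Decision:
    action: str  # "ALLOW" or "BLOCK"
    findings: tuple
    reason: str


def tfn_checksum_ok(digits: str) -> bool:
    """ATO tax file number check: weighted digit sum divisible by 11."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed detector catalogue (assumed, not a product rule set): name, pattern, validator, level.
DETECTORS = (
    ("AU_TFN", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_checksum_ok, Sensitivity.CONFIDENTIAL),
    ("PAYMENT_CARD", re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok, Sensitivity.CONFIDENTIAL),
    ("CONFIDENTIAL_MARKING", re.compile(r"\[CONFIDENTIAL\]"), None, Sensitivity.CONFIDENTIAL),
    ("INTERNAL_MARKING", re.compile(r"\[INTERNAL\]"), None, Sensitivity.INTERNAL),
)

APPROVED_DOMAINS = frozenset({"example.com.au"})  # constructed allowlist of authorised recipients


def scan(text: str) -> list:
    """Classify text: a numeric match only counts if its checksum validates."""
    findings = []
    for name, pattern, validator, level in DETECTORS:
        for match in pattern.finditer(text):
            raw = match.group(0)
            if validator is None:
                findings.append(Finding(name, level, raw))
                continue
            digits = re.sub(r"\D", "", raw)
            if validator(digits):
                findings.append(Finding(name, level, mask(digits)))
    return findings


def evaluate(text: str, recipient: str) -> Decision:
    """Block confidential content to unapproved domains; allow (but record) everything else."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    findings = tuple(scan(text))
    confidential = any(f.sensitivity is Sensitivity.CONFIDENTIAL for f in findings)
    if confidential and domain not in APPROVED_DOMAINS:
        return Decision("BLOCK", findings, f"confidential content to unapproved domain {domain}")
    if confidential:
        return Decision("ALLOW", findings, f"confidential content to approved domain {domain}")
    return Decision("ALLOW", findings, "no confidential content detected")


def audit_record(sender: str, recipient: str, decision: Decision) -> str:
    """One JSON line per evaluated transfer: the evidence an auditor asks for."""
    return json.dumps({
        "sender": sender, "recipient": recipient,
        "action": decision.action, "reason": decision.reason,
        "findings": [{"detector": f.detector, "sensitivity": f.sensitivity.name,
                      "evidence": f.evidence} for f in decision.findings],
    })


if __name__ == "__main__":
    # Constructed sample messages; the TFN and card number are well-known test values.
    samples = [
        ("Client TFN is 123 456 782, see attached.", "someone@webmail.example"),
        ("Client TFN is 123 456 782, see attached.", "payroll@example.com.au"),
        ("Invoice 123456789 is overdue.", "someone@webmail.example"),
        ("Card 4111 1111 1111 1111 exp 12/29", "someone@webmail.example"),
        ("[INTERNAL] draft agenda for Monday", "someone@webmail.example"),
    ]
    for body, to in samples:
        print(audit_record("staff@example.com.au", to, evaluate(body, to)))
```

The policy deliberately records INTERNAL findings without blocking them, so the alert queue shows near-misses that policy tuning can act on, while only CONFIDENTIAL content to an unapproved domain is stopped. Any real deployment would replace the constructed catalogue and allowlist with the organisation's own classification scheme and authorised destinations.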

Audit / evidence tips

  • Ask: Request to see records of the data classification process. Good: Shows a comprehensive inventory of sensitive data with clear classification criteria and regular updates.
  • Ask: Request logs from the data leakage prevention tools. Good: Logs demonstrate the tools are detecting and preventing potential leaks and include follow-up actions.
  • Ask: Ask for the training materials used for employee awareness on data protection. Good: Materials are comprehensive, relevant, and there is evidence of regular training sessions.
  • Ask: Request evidence of regular policy reviews. Good: Regular review schedules are documented and policies are updated according to the latest requirements.
  • Ask: Ask for the budget allocation reports related to data protection. Good: There is a clear and sufficient allocation for data protection tools and employee training initiatives.

Cross-framework mappings

How Annex A 8.12 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Control | Notes

Partially meets (6)
ISM-0565 ISM-0565 requires email servers to prevent and track mislabelled emails by blocking, logging and reporting inappropriate protective markings
ISM-0589 ISM-0589 requires that MFDs are not used to scan or copy documents above the sensitivity/classification of the network they are connected to
ISM-0682 ISM-0682 requires Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices to prevent data leakage via wireless pai...
ISM-1089 ISM-1089 requires email reply/forward tooling to prevent users from selecting a protective marking lower than the original email, reducin...
ISM-1875 ISM-1875 requires networks be scanned at least monthly to identify credentials stored in clear text
ISM-2094 ISM-2094 requires AI applications to implement content filtering to detect and block sensitive data exposure and improper output
Partially overlaps (9)
ISM-0659 ISM-0659 requires content filtering of files traversing gateways or CDSs to prevent harmful or unauthorised content being imported/exported
ISM-0661 ISM-0661 holds users accountable for data transfers they perform
ISM-0664 ISM-0664 requires that exports from SECRET and TOP SECRET systems are reviewed and authorised by a trustworthy source prior to release
ISM-0669 Annex A 8.12 requires organisations to apply DLP measures across systems, networks, and devices processing sensitive information
ISM-1187 ISM-1187 requires that when data is manually exported from systems, it is checked to ensure it does not carry unsuitable protective marki...
ISM-1192 ISM-1192 requires gateways to inspect and filter data flows at the transport layer and above to prevent unsafe or unauthorised content tr...
ISM-1535 ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL information (textual and non-textual) from being e...
ISM-1885 ISM-1885 requires system owners to implement emanation security mitigation advice to reduce the risk of information leakage via electroma...
ISM-2052 ISM-2052 requires that event logs produced by software protect any sensitive data contained within them
Supports (16)
ISM-0267 ISM-0267 requires blocking access to non-approved webmail services
ISM-0325 ISM-0325 reduces the risk of mishandling by ensuring connected media is treated at the highest sensitivity/classification of the system i...
ISM-0591 ISM-0591 specifies the use of evaluated peripheral switches to mitigate the risk of data leakage or unauthorised command execution across...
ISM-0639 ISM-0639 requires evaluated diode gateways/firewalls to control and constrain traffic between different security domains, primarily to re...
ISM-1024 ISM-1024 requires that notifications of undeliverable emails (e.g
ISM-1085 ISM-1085 requires mobile devices to encrypt sensitive or classified data when communicated over public network infrastructure to reduce e...
ISM-1293 Annex A 8.12 requires DLP measures for systems and networks handling sensitive information
ISM-1299 ISM-1299 aims to prevent theft, unauthorised access, and interception of information on mobile devices by discouraging risky behaviours (e.g
ISM-1400 ISM-1400 requires organisations to keep classified work data separate from personal data on privately-owned devices accessing sensitive s...
ISM-1429 ISM-1429 requires blocking IPv6 tunnelling at externally-connected network boundaries to prevent unauthorised data flows that can bypass ...
ISM-1482 ISM-1482 requires enforced separation of classified data from personal data on organisation-owned devices
ISM-1778 ISM-1778 requires that when data is manually imported, any data that fails security checks is quarantined until it is reviewed and either...
ISM-1868 ISM-1868 requires a strong preventative control: SECRET and TOP SECRET mobile devices must not use removable media unless ASD approval is...
ISM-1924 ISM-1924 focuses on preventing prompt injection so the AI does not generate or disclose sensitive or harmful content due to adversarial p...
ISM-1930 ISM-1930 requires organisations to prevent passwords being stored in Group Policy Preferences, reducing the likelihood of credential disc...
ISM-1965 ISM-1965 requires content checking for files imported or exported through gateways or CDSs to confirm they comply with security requirements
Related (3)
ISM-0240 Annex A 8.12 requires organisations to apply data leakage prevention measures wherever sensitive information is processed, stored, or tra...
ISM-1534 Annex A 8.12 requires DLP measures to prevent sensitive information leakage
ISM-1866 Annex A 8.12 requires data leakage prevention measures to be applied to devices and systems handling sensitive information

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.


Want to implement this control?

Mindset Cyber runs PECB-accredited ISO/IEC 27001 training that maps directly to the controls in this library.
