ISO 27001:2022 introduced several new controls designed to reflect modern security practices and the ways organisations use and manage data. Two of the most practical additions sit in the operational controls: 8.12 (data leakage prevention) and 8.10 (data deletion).
Both address longstanding weaknesses in many ISMSs (information security management systems). They focus on the lifecycle of data, the risks created by its movement and the need to prevent unnecessary retention. They also bring ISO 27001 closer to regulatory expectations, particularly around access control, monitoring and data minimisation.
This blog post explains what the two controls require, why they were introduced and how to implement them.
Why new controls were needed
The 2022 update to ISO 27001 was the first major revision of Annex A since 2013. During the intervening decade, digital transformation, Cloud adoption and remote working changed the way organisations store and handle information.
Data now moves across more systems, devices and third parties than ever before, which has created two related problems:
- Growing exposure to data leakage through misconfiguration, weak access control, human error or compromised accounts.
- Widespread over-retention of data because organisations lack clear deletion policies and consistent operational processes.
Controls 8.12 and 8.10 address these issues by standardising expectations for preventing data loss and disposing of data securely and systematically.
Control 8.12 – data leakage prevention
Control 8.12 requires organisations to implement measures that prevent the unauthorised disclosure, extraction or movement of information. It covers both accidental and deliberate leakage, whether caused by users, compromised credentials or insecure systems.
The scope includes technical, procedural and human factors. The intent is not only to deploy data loss prevention tooling but also to strengthen the wider controls that reduce the likelihood of leakage.
ISO 27002 highlights several areas:
- Ensuring data is classified and handled according to its classification.
- Using strong authentication – including MFA (multi-factor authentication) and risk-based approaches – for sensitive systems.
- Encrypting data in transit and at rest.
- Monitoring data movement and reacting to anomalies.
- Deploying data loss prevention technologies where appropriate.
- Training staff on secure handling and the risks of data leakage.
Why data leakage prevention matters
Most modern breaches involve data movement: files emailed outside the organisation, Cloud storage misconfigurations, lost devices, compromised accounts, or unauthorised access to SaaS platforms.
Because organisations depend heavily on distributed digital services, they must implement controls that:
- Detect unusual access patterns.
- Prevent bulk downloads or transfers of sensitive data.
- Limit the risk of insiders taking data.
- Stop common human errors, such as emailing the wrong recipient.
- Reduce the impact of credential compromise.
Control 8.12 formalises the need to manage these risks systematically, rather than relying on ad hoc technical safeguards.
Implementation steps
1. Classify your information
Data leakage controls depend on data classification. You must know which information is sensitive, where it sits, and who can access it.
Start with:
- A clear classification scheme.
- Labelling rules for documents, systems and data repositories.
- Handling requirements for each class.
These requirements should feed into access control, encryption, monitoring and acceptable use.
2. Strengthen authentication
ISO 27002 emphasises the role of multi-factor authentication. Most Cloud services now support MFA and conditional access, including risk-based authentication.
Implement:
- MFA for all administrative accounts and all access to sensitive data.
- Conditional access rules that block or challenge access based on location, device or anomalous behaviour.
- Periodic reviews of access rights to ensure accounts only have the privileges required.
3. Use encryption consistently
Data leakage risks often arise when data moves between systems or is stored on unmanaged devices. Encryption must therefore be applied:
- To data in transit, using modern TLS configurations.
- To data at rest in Cloud storage, databases and endpoint devices.
- To removable media, if still used.
Where encryption is already built in (for example, in major Cloud services), audit the configuration rather than assume it is enabled.
4. Monitor data movement
Monitoring is central to the control. Implement:
- Logging of access to sensitive repositories.
- Alerts for unusual transfer patterns or excessive downloads.
- Monitoring for risky behaviours such as mass file deletion, forwarding rules in email accounts or unusual API activity.
Small organisations can meet the intent through Cloud logs and simple alerts. Larger ones may require SIEM integration and automated anomaly detection.
5. Deploy DLP technology where appropriate
DLP tools help prevent specific leakage events, such as copying large volumes of data to external devices or sending files to unknown domains.
Implement DLP where:
- Sensitive data moves frequently.
- Staff use personal devices.
- Cloud collaboration tools are widely used.
- Regulatory exposure is high.
For smaller organisations, Cloud-native DLP (e.g. Microsoft Purview, Google Workspace DLP) may be enough.
6. Train staff on secure handling
Human error remains the most common cause of data leakage. Training should cover:
- How to classify and label information.
- What information can be emailed externally.
- How to use collaboration tools securely.
- How to handle removable media and mobile devices.
- How to report potential leakage.
This can be reinforced through simulated exercises or targeted awareness communications.
7. Maintain records and evidence
Auditors will look for:
- Data classification rules and handling requirements.
- Access control and MFA configuration evidence.
- Monitoring logs and alerting thresholds.
- Records of actions taken when suspicious activity occurred.
- Deployment of data loss prevention tooling and related rulesets.
- Training records.
The objective is to demonstrate that leakage prevention is consistent, risk-based and integrated into everyday processes.
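The monitoring step above (logging access to sensitive repositories, alerting on excessive downloads, mass deletion and mail forwarding rules) as detection logic run over a constructed audit log. This is an added example, not code from the original post or from any DLP product; the log schema, thresholds, the organisation domain example.org and the user names are assumptions, and the sample's final expression generates 60 deletions by one user within a minute to trigger the mass-deletion rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.org"             # assumed organisation mail domain
DOWNLOAD_BYTES_LIMIT = 500 * 1024 * 1024    # per user per hour; tune to your own baseline
DELETE_COUNT_LIMIT = 50                     # deletions per user per hour
WINDOW = timedelta(hours=1)

SAMPLE_LOG = """\
2024-05-01T09:00:00Z,alice,download,hr/payroll-2024.xlsx,120000000,
2024-05-01T09:10:00Z,alice,download,hr/contracts.zip,300000000,
2024-05-01T09:20:00Z,alice,download,hr/appraisals.zip,200000000,
2024-05-01T10:05:00Z,bob,forward_rule_created,mailbox/bob,0,bob.personal@example.com
2024-05-01T11:30:00Z,dave,forward_rule_created,mailbox/dave,0,dave@example.org
""" + "".join(f"2024-05-01T11:00:{i:02d}Z,carol,delete,shared/reports/file{i}.docx,0,\n"
              for i in range(60))

def parse(log_text):
    """Parse constructed CSV-style lines (ts,user,action,object,bytes,target), oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, obj, nbytes, target = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "user": user,
                       "action": action, "object": obj, "bytes": int(nbytes), "target": target})
    return sorted(events, key=lambda e: e["ts"])

def detect(log_text):
    """Return (kind, user, detail) alerts for bulk downloads, mass deletion and external forwarding."""
    alerts, seen, history = [], set(), defaultdict(list)
    for e in parse(log_text):
        user, action = e["user"], e["action"]
        if action == "forward_rule_created":
            # Mail forwarding to a non-organisation address is a classic leakage path.
            if not e["target"].endswith("@" + INTERNAL_DOMAIN):
                alerts.append(("external_forwarding_rule", user, e["target"]))
            continue
        if action not in ("download", "delete"):
            continue
        hist = history[(user, action)]
        hist.append(e)
        while hist[0]["ts"] < e["ts"] - WINDOW:   # keep only the trailing one-hour window
            hist.pop(0)
        if action == "download":
            kind, detail, limit = "bulk_download", sum(h["bytes"] for h in hist), DOWNLOAD_BYTES_LIMIT
        else:
            kind, detail, limit = "mass_deletion", len(hist), DELETE_COUNT_LIMIT
        if detail > limit and (kind, user) not in seen:   # one alert per user and kind
            seen.add((kind, user))
            alerts.append((kind, user, detail))
    return alerts
```

Each alert carries the evidence an auditor would ask for under step 7: the user, the rule that fired and the measured value, which belongs in the incident record alongside the action taken.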
Control 8.10 – data deletion
Control 8.10 requires organisations to delete data when it is no longer needed, according to defined retention rules, and to ensure that deletion is secure, complete and verifiable.
The control applies to all types of data: customer information, employee data, system logs, audit data, Cloud content, backups and test data.
Deletion must consider technical, legal and business requirements. For example:
- Retention rules based on regulations or contractual obligations.
- Operational needs, such as the availability of logs for incident investigation.
- The secure disposal of all copies, including Cloud replicas and endpoints.
- Verification that deletion has occurred.
Why data deletion matters
Many data breaches stem from information an organisation had no business keeping. Unnecessary data retention increases:
- The potential impact of a breach.
- Regulatory exposure.
- Storage and backup costs.
- Complexity in responding to subject access or erasure requests.
Modern Cloud services also make it easy to accumulate forgotten copies of data across systems, test environments and employee devices.
Control 8.10 addresses this by requiring organisations to embed deletion into the information lifecycle.
Implementation steps
1. Identify your retention requirements
Start by mapping retention obligations across:
- Legal and regulatory requirements.
- Contractual commitments.
- Operational and business needs.
- Security and forensic needs (for example, log retention periods).
Define clear retention rules, ideally on an asset-by-asset basis.
2. Document a data retention and deletion policy
Your ISMS should include:
- Who is responsible for applying retention rules.
- How deletion should be performed.
- How to handle exceptions.
- Requirements for secure disposal methods.
- The evidence to be retained after deletion.
Link this policy with classification, backup management and access control.
3. Build deletion into technical processes
Processes should ensure that data is deleted from:
- Primary systems and databases.
- Cloud storage buckets and object stores.
- Email archives and collaboration tools.
- File servers and SharePoint sites.
- Endpoints, including mobile devices.
- Backups, where feasible, in line with technical constraints.
Where complete deletion from backups is not possible, maintain a clear exception that explains the constraints and associated risk treatment.
4. Verify deletion
ISO 27002 stresses the need to confirm that data has actually been deleted. Evidence might include:
- System logs confirming deletion actions.
- Screenshots or audit records.
- Automated retention rule enforcement in Cloud platforms.
- Certificates of destruction for physical media.
Auditors will expect sample evidence.
5. Apply deletion before re-use
Where equipment is re-used internally or returned to a supplier, ensure:
- All storage media are wiped.
- Cached credentials are deleted.
- Local files and residual data are removed.
- Mobile and IoT devices are reset to factory settings.
6. Keep an audit trail
Evidence should show:
- Retention rules.
- Deletion approvals for high-risk data.
- Logs showing the date and method of deletion.
- Any exceptions and the risk treatment applied.
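An added example, not code from the original post, that ties the 8.10 steps above together: a retention schedule per asset class, a legal-hold exception, deletion followed by a verification check, and an audit-trail entry for every decision. The asset classes, retention periods, dates and the in-memory store are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule in days per asset class (step 1); the values are constructed.
RETENTION_DAYS = {"customer_record": 365 * 6, "auth_log": 365, "test_data": 30}

@dataclass
class Asset:
    asset_id: str
    asset_class: str
    created: date
    legal_hold: bool = False  # documented exception (step 2): never auto-delete

def deletion_due(asset, today):
    """True once the asset has exceeded the retention period for its class."""
    return today >= asset.created + timedelta(days=RETENTION_DAYS[asset.asset_class])

def run_retention(assets, today, delete_fn, exists_fn):
    """Apply retention rules, verify each deletion and return the audit trail.

    delete_fn(asset) removes the data and returns the method used (e.g. 'object-delete');
    exists_fn(asset) re-checks the store afterwards, so a failed deletion is recorded
    as unverified rather than as a success."""
    trail = []
    for a in assets:
        if not deletion_due(a, today):
            continue
        entry = {"asset": a.asset_id, "class": a.asset_class, "date": today.isoformat()}
        if a.legal_hold:
            entry.update(outcome="exception", reason="legal hold; risk accepted until lifted")
        else:
            entry.update(method=delete_fn(a))
            entry["outcome"] = "deletion_unverified" if exists_fn(a) else "deleted"
        trail.append(entry)
    return trail

def demo():
    """Run the rules against a constructed in-memory store; returns (trail, remaining ids)."""
    today = date(2024, 6, 1)
    store = {"cust-1": b"...", "cust-2": b"...", "log-1": b"...", "test-1": b"..."}
    assets = [Asset("cust-1", "customer_record", date(2017, 1, 1)),
              Asset("cust-2", "customer_record", date(2017, 1, 1), legal_hold=True),
              Asset("log-1", "auth_log", date(2024, 3, 1)),
              Asset("test-1", "test_data", date(2024, 4, 1))]
    def delete(a):
        store.pop(a.asset_id)
        return "object-delete"
    trail = run_retention(assets, today, delete, lambda a: a.asset_id in store)
    return trail, sorted(store)
```

The trail entries are the records steps 4 and 6 ask for: date, method, outcome and the reason for any exception, so an auditor can sample them without relying on screenshots.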
How the two controls work together
Controls 8.12 and 8.10 strengthen the data lifecycle within the ISMS:
- 8.12 reduces the likelihood that data is leaked before you can delete it.
- 8.10 reduces the amount of data available to be leaked in the first place.
Together, they reinforce the principle of minimising exposure and ensuring that data is both protected when in use and securely removed when no longer required.
Both controls also align with regulatory expectations around data minimisation, access control, pseudonymisation, encryption and secure disposal.
Integrating the controls into your ISMS
Both controls touch multiple parts of the ISMS:
- Risk assessment – leakage and retention risks must be documented and treated.
- Access management – classification and authentication measures must align.
- Supplier security – ensure Cloud and managed service providers support your deletion and data loss prevention needs.
- Monitoring and logging – capture sufficient evidence of access and deletion.
- Incident management – leakage events must trigger investigations, reporting and lessons learned.
- Asset management – all systems and repositories must be included in retention and deletion processes.
This cross-linking is important for auditability. Auditors expect to see how the controls influence wider ISMS activities.
How we can help
If you need support implementing or reviewing the ISO 27001:2022 controls, our consultants can guide you through the technical, procedural and operational changes required. Whether you need a risk-based assessment of data leakage exposure, help developing retention and deletion processes, or a full transition gap analysis, we have the expertise to support every stage of your ISMS implementation and maintenance.
The post Data Leakage Prevention and Data Deletion: ISO 27001 Controls 8.12 and 8.10 Explained appeared first on IT Governance Blog.
