A.8.12 Data Leakage Prevention
What is this control?
ISO 27001 control A.8.12 Data Leakage Prevention detects and prevents unauthorised disclosure and extraction of information, particularly PII and other sensitive data classifications. The control replaces reliance on user behaviour and procedural controls with automated, technology-enforced controls across the key data exfiltration channels (email, file sharing, removable media and cloud applications), rolled out through a Monitor-Warn-Block phased approach.
How to implement in Microsoft 365
Implement A.8.12 by first establishing data classification with Microsoft Purview Sensitivity Labels, aligned to A.5.12 and covering the Public, Internal, Confidential and Highly Confidential levels. Create DLP policies that trigger on Sensitive Information Types (SITs) or Sensitivity Labels, and deploy location-specific policies for Exchange Online, SharePoint Online, OneDrive, Teams, endpoints and cloud applications.
Start policies in Monitor mode to audit data flows without impacting users, then progress to Warn and Block after false positive tuning. Configure Endpoint DLP via Defender for Endpoint integration to monitor and control sensitive file transfers to USB drives and unapproved cloud services.
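The following Security & Compliance PowerShell script is an added example of the Monitor-Warn-Block progression described above; it is not code from the page or from Microsoft. It assumes the ExchangeOnlineManagement module, Compliance Administrator rights, and that the policy name, the two built-in SITs chosen and the policy-tip text are placeholders you would replace with your own. The three `Mode`/`BlockAccess` settings map to the three phases: `TestWithoutNotifications` logs matches silently (Monitor), `TestWithNotifications` shows policy tips and sends notifications without blocking (Warn), and `Enable` with `BlockAccess $true` enforces (Block).

```powershell
# Added example: stage one DLP policy through Monitor -> Warn -> Block.
# Assumes ExchangeOnlineManagement is installed and the caller can manage compliance policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'ISO-A8.12-Confidential-Data'      # placeholder name, not from the page
$ruleName   = "$policyName-ExternalSharing"

# Phase 1 (Monitor): policy scoped to the M365 workloads named in the text, audit-only.
# TestWithoutNotifications records matches in the DLP reports but shows nothing to users.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'ISO 27001 A.8.12 data leakage prevention' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# The rule fires when content shared outside the organisation contains either built-in SIT.
# BlockAccess is $false here: during Monitor and Warn the rule only reports and notifies.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' },
        @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $false `
    -NotifyUser @('LastModifier', 'Owner') `
    -NotifyPolicyTipCustomText 'This item contains confidential data and must not be shared externally.' `
    -GenerateAlert 'SiteAdmin' `
    -GenerateIncidentReport 'SiteAdmin' `
    -IncidentReportContent @('Title', 'Detections', 'Severity', 'Service') `
    -ReportSeverityLevel 'High'

# Phase 2 (Warn), after the audit-only period and false-positive tuning:
# policy tips and notifications are shown, users may still proceed with a justification.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications
Set-DlpComplianceRule -Identity $ruleName -NotifyAllowOverride 'WithJustification'

# Phase 3 (Block): the rule now blocks the action and the policy is fully enabled.
Set-DlpComplianceRule -Identity $ruleName -BlockAccess $true -BlockAccessScope All -NotifyAllowOverride 'FalsePositive'
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Evidence for the auditor: the policy, its mode and the rule's enforcement settings.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Enabled, WhenChanged
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, NotifyAllowOverride, ReportSeverityLevel
```

Run each phase as a separate change (days or weeks apart) rather than as one script; the `Set-*` calls are shown together only so the progression is visible in one place. Keeping `BlockAccess $false` until the Block phase is what prevents a newly created rule from interrupting users before false positives have been tuned out.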
What an auditor looks for
Auditors will verify that information protection is configured, via Sensitivity Labels or DLP-capable licensing, and that the label taxonomy covers the required classification levels. They will verify that at least one DLP policy is deployed and enabled across the M365 workloads.
They will check that DLP policies follow the Monitor-Warn-Block progression. Auditors will verify that DLP alerts are generated and actively reviewed, with 80% or more moved from New status to In Progress or Resolved, and will look for evidence of policy tuning based on false positive analysis.
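As an added example (not from the page or from Microsoft) of producing the alert-review evidence described above, the script below computes the share of DLP alerts that have left the New status. It assumes the Microsoft.Graph.Security module, a `SecurityAlert.Read.All` consent, and that the `serviceSource` filter value `dataLossPrevention` is the one Microsoft Graph uses for Purview DLP alerts (treat that filter as an assumption to confirm in your tenant). The constructed sample at the end lets the calculation run offline without a tenant.

```powershell
# Added example: "80% or more of DLP alerts moved out of New" evidence check.
# Works on any objects that carry a Status property (Graph alert objects or an exported CSV).
Import-Module Microsoft.Graph.Security

function Get-DlpAlertTriageRate {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Alerts,
        [double] $Threshold = 0.8          # the 80% target named in the control guidance
    )
    $total = @($Alerts).Count
    if ($total -eq 0) {
        # No alerts at all is itself a finding: either nothing matched or alerting is off.
        return [pscustomobject]@{ Total = 0; Triaged = 0; Rate = $null; Pass = $false; ByStatus = @{} }
    }
    # Graph alertV2 status values are lower camel case: new, inProgress, resolved.
    $triaged  = @($Alerts | Where-Object { $_.Status -in @('inProgress', 'resolved') }).Count
    $byStatus = @{}
    $Alerts | Group-Object -Property Status | ForEach-Object { $byStatus[$_.Name] = $_.Count }
    $rate = [math]::Round($triaged / $total, 3)
    [pscustomobject]@{
        Total    = $total
        Triaged  = $triaged
        Rate     = $rate
        Pass     = ($rate -ge $Threshold)
        ByStatus = $byStatus
    }
}

# Live data: DLP alerts created in the last 90 days, pulled through Microsoft Graph.
# The serviceSource value is an assumption; adjust it if your tenant reports a different source.
function Get-RecentDlpAlerts {
    param([int] $Days = 90)
    Connect-MgGraph -Scopes 'SecurityAlert.Read.All' | Out-Null
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgSecurityAlertV2 -All -Filter "serviceSource eq 'dataLossPrevention' and createdDateTime ge $since"
}

# Constructed sample (not real tenant data) so the calculation can be shown offline:
# 10 alerts, 8 of which have been triaged -> rate 0.8, which meets the threshold exactly.
$sample = @(
    [pscustomobject]@{ Id = 'alert-01'; Status = 'new' },
    [pscustomobject]@{ Id = 'alert-02'; Status = 'new' },
    [pscustomobject]@{ Id = 'alert-03'; Status = 'inProgress' },
    [pscustomobject]@{ Id = 'alert-04'; Status = 'inProgress' },
    [pscustomobject]@{ Id = 'alert-05'; Status = 'resolved' },
    [pscustomobject]@{ Id = 'alert-06'; Status = 'resolved' },
    [pscustomobject]@{ Id = 'alert-07'; Status = 'resolved' },
    [pscustomobject]@{ Id = 'alert-08'; Status = 'resolved' },
    [pscustomobject]@{ Id = 'alert-09'; Status = 'resolved' },
    [pscustomobject]@{ Id = 'alert-10'; Status = 'resolved' }
)
Get-DlpAlertTriageRate -Alerts $sample | Format-List

# Against the tenant, export the result alongside the raw alerts as audit evidence:
# $alerts = Get-RecentDlpAlerts
# Get-DlpAlertTriageRate -Alerts $alerts | ConvertTo-Json -Depth 3 | Set-Content 'a8.12-alert-triage.json'
```

Keep the raw alert export next to the computed rate: the percentage alone shows the target was met, while the per-alert status list is what lets an auditor confirm the alerts were actually reviewed rather than bulk-resolved.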
M365 capabilities that implement this control
Data Loss Prevention policies for Exchange Online
Data Loss Prevention policies for SharePoint and OneDrive
Data Loss Prevention policies for Microsoft Teams
Create custom SITs for organisation-specific data patterns
Data Loss Prevention for Windows endpoints
EDM-based sensitive information types for precise data matching
Machine learning classifiers for content classification