
The days when information security was far down the list of priorities are long over. In the age of cloud storage and SaaS providers, sensitive data is more accessible than ever but also more exposed and easier to lose if not properly protected. Recent world trends and events have also led to increased cybercriminal activity. As reported by Security Magazine, 92% of data breaches in Q1 2022 were malicious in their intent. The number of cybersecurity incidents steadily and alarmingly rises – according to the same source, the number of breaches in Q1 represents a double-digit increase over the same time last year.
In this difficult cybersecurity landscape, it is imperative for organizations to introduce company policies and business processes to effectively manage information security. Businesses also want to be able to ensure that all their partners, contractors, software providers, and other organizations in the supply chain follow similar practices to effectively eliminate vulnerabilities and security risks. Therefore, an increasing number of organizations are either required to demonstrate security compliance using international standards or voluntarily decide to do so in order to improve their market position. And the standard that is most commonly used for that purpose is ISO/IEC 27001.
What is ISO/IEC 27001?
ISO/IEC 27001, often simply referred to as ISO 27001, was first introduced by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised twice – in 2013 globally and in 2017 for Europe only (to include approval by CEN/Cenelec). Its full name is “Information technology – Security techniques – Information security management systems – Requirements.”
This security standard focuses on developing and maintaining information security management systems (ISMS). An ISMS is a set of policies and procedures that ensure the safety of the organization’s assets. In addition to controls that focus on IT and data security, such systems often include other aspects such as physical security.
The ISO 27001 standard can help the organization in several ways. It can be used early on as a guideline when designing and implementing an ISMS. It can also be the goal of audits to demonstrate to both internal and external stakeholders that information security is well-managed.
What is included in the ISO 27001 standard?
The ISO 27001 text has a short introduction, focusing on the definitions, the context, and general information that is useful when designing and operating an ISMS, such as tips for risk assessment, risk management, support, measuring performance, and corrective actions. However, the bulk of the content is Annex A, which contains 114 security controls divided into 14 groups and 35 categories.
It is very important to note that in the 2013 update of ISO 27001, the security controls included in Annex A are there as suggestions only (unlike in the original 2005 version). Organizations are no longer required to use these controls to obtain ISO 27001 certification and may include their own controls if appropriate. This makes the standard age well with the development of technologies: for example, it can be adjusted to cover cloud services, which were unheard of 9 years ago at the time of the last update.
ISO 27001, data security, and data loss prevention
At the time the ISO 27001 standard was originally devised, and even at the time it was last updated, there were few effective data loss prevention solutions. Modern developments in technology have made it possible to use modern operating systems and hardware along with technologies such as machine learning to create solutions that completely automate data loss prevention. Therefore, it would be pointless to look for closely related controls in Annex A of ISO/IEC 27001:2013.
However, even before such technologies were available, ISO 27001 already suggested security controls that could be addressed with the use of DLP. Here are six such controls that are effectively covered or extended with the use of modern DLP solutions such as Endpoint Protector.
A.8.2.1 Information classification – Handling of assets
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
A modern DLP solution supports this security control in two ways. First, such tools are able to automatically discover information assets that are handled unsafely, for example, intellectual property information stored in a text file on an employee's personal laptop. Second, they are able to enforce specific handling, such as deletion or encryption of unsafely stored sensitive information. This is effective both at eliminating accidental data leakage and at eliminating many potential insider threats.
A.8.3.1 Media handling – Management of removable media
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Another feature of modern DLP solutions is the ability to enforce control of all removable media as well as peripheral ports. The organization may implement security policies by, for example, identifying specific types of devices and applying granular access control or enforcing encryption.
A.13.2.1 Information transfer – Information transfer policies and procedures
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
While the ISO 27001 standard focuses on policies, procedures, and controls, modern DLP solutions go beyond security awareness by actually monitoring and preventing the potential transfer of information out of the company. IT security features such as content-aware DLP make it possible for such solutions to recognize protected information as defined by the organization (see A.8.2.1) and prevent unauthorized file and clipboard leakage in real time.
A.13.2.3 Information transfer – Electronic messaging
Information involved in electronic messaging shall be appropriately protected.
As mentioned in A.13.2.1, modern DLP solutions are able to prevent unauthorized information transfer via electronic messaging by monitoring operating system clipboards. This prevents accidental or intended data leakage, which would happen if end-users inside the organization copied and pasted sensitive information into electronic messaging apps such as email or instant messengers.
A.18.1.4 Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Controls applicable to personal data are of top importance to organizations, and DLP-focused security solutions are also able to go beyond what is required in this scope. This is possible through automatic PII detection and protection against leakage through channels such as removable media (see A.8.3.1), third-party applications (see A.13.2.1), and electronic messaging (see A.13.2.3).
A.18.1.5 Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
One of the biggest advantages of modern data protection solutions is the functionality that enables such software to enforce encryption of removable media (see A.8.3.1) when transferring information outside of the organization, thus ensuring data privacy and preventing potential data loss in transit.
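The six controls above all reduce to one pattern: a classification scheme (A.8.2.1) that recognizes protected content, and a handling rule per transfer channel (A.8.3.1, A.13.2.1, A.13.2.3, A.18.1.4). The sketch below is an added example of that pattern in Python, not Endpoint Protector's code; the detection patterns, channel names and policy table are constructed assumptions for illustration.

```python
import re
from typing import Set, Tuple

# Constructed classification patterns (the organization's scheme, A.8.2.1).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs from card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Content-aware detection: return the labels found in the text."""
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("card")
    return labels


# Handling rule per channel, keyed by the Annex A control the article maps it to.
# Channel names and actions are constructed for this example.
POLICY = {
    "removable_media": ("A.8.3.1", "encrypt"),   # USB: enforce encryption (A.18.1.5)
    "clipboard":       ("A.13.2.3", "block"),    # paste into messaging apps
    "upload":          ("A.13.2.1", "block"),    # third-party app / web transfer
}


def decide(text: str, channel: str) -> Tuple[str, str, Set[str]]:
    """Return (action, control, labels) for moving `text` over `channel`."""
    labels = classify(text)
    control, action = POLICY[channel]
    if not labels:                  # nothing protected: allow the transfer
        return ("allow", control, labels)
    return (action, control, labels)
```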
ISO 27001 and beyond
Organizations that strive for ISO 27001 certification are often under obligation to meet other compliance requirements such as the GDPR in Europe, PCI DSS for financial institutions, or HIPAA for medical organizations in the USA. While most such standards approach data security through user awareness, education, and access control, you can go beyond and ensure that your data is even safer by simply making it impossible to leak from endpoint devices. Therefore, DLP is your best choice for making sure that data security compliance is a piece of cake.
The article is about the crucial role of Data Loss Prevention (DLP) in achieving ISO 27001 compliance. DLP’s ability to safeguard sensitive data and enforce security policies is commendable. The practical tips provided here are invaluable for organizations striving to meet ISO 27001 standards. Implementing DLP is indeed a smart move for bolstering data security and regulatory compliance. An amazing and informative article.