No budget to implement control A.8.12 Data Leak Prevention
Control A.8.12 DLP is relevant to us as Intellectual Property that's stored largely on Google Drive is one of our most important assets.
However, we do not have the budget to enable Google's DLP rules.
How do we explain this in our documentation in a way that we still pass the ISO 27001 audit?
If you do not have enough budget to implement a control, your top management needs to accept this risk - however, this decision needs to be based on criteria where the investment needed for this control is higher than the damage from a potential incident.
To accept the risk, you should list this risk as acceptable in section 4 Acceptance of Residual Risks, and mark the control A.8.12 as not applicable.
By the way, implementing Google's DLP rules is not the only way to implement control A.8.12 Data leakage prevention.
Hi Rhand.
Thanks for your explanation.
How else would you suggest we implement control A.8.12 Data leakage prevention?
A way to implement control A.8.12 Data leakage prevention is by implementing the following documents (the mentioned sections specifically cover the requirements of control A.8.12):
- Information Classification Policy (https://advisera.com/27001academy/documentation/information-classification-policy/)
  - Section 3.4 Handling classified information already provides a good set of rules for preventing data leakage (e.g., sensitive documents must not be exchanged via services such as FTP, instant messaging, etc.), but you can add more rules in case of specific needs.
  - Section 3.5 Handling data exposure provides rules to prevent leaked data from being exploited (e.g., by application of data masking).
- Security Procedures for IT Department (https://advisera.com/27001academy/documentation/security-procedures-for-it-department/)
  - Sections 3.4 Network security management and 3.9 System monitoring help you define which systems for monitoring and prevention of data leakage should be used by administrators, and their parameters (e.g., log review frequency).
- IT Security Policy (https://advisera.com/27001academy/documentation/it-security-policy/)
  - Section 3.14 Internet use provides rules for what is and what isn't allowed for regular users to minimize risks of data leakage (e.g., use of proper communication channels).
For further information, see:
- Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/
Jun 19, 2023