This post covers the key data resilience controls A.8.12 – A.8.14 of the ISO 27001:2022 standard. We look at data leakage prevention, since leakage of data to unauthorised users is a key way in which malicious actors target and extract data from systems. We also look at the provision of redundancy within information systems, and at backups.

A.8.12 Data leakage prevention

This control aims to detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.

Data being inadvertently leaked to people who are not authorised to see or receive it is an extremely common way for data breaches to occur.

To reduce the risk, companies should consider:

  • Identifying and classifying information to protect it (e.g., PII and other personal information, product designs and other intellectual property that is critical to your business). This is outlined in more detail in controls A.5.12 and A.5.15.
  • Monitoring channels where data can exit your systems (e.g., email, file transfers, portable storage devices and mobile devices)
  • Acting to prevent information from leaking (e.g., quarantining emails with sensitive information)

Automated tools can be used to identify, monitor and act on any sensitive data potentially exiting the system.

These tools can be standalone scanning tools, for example scanning the information in outgoing emails or data being uploaded to third-party cloud services.

Existing tools used to interact with data should also be assessed to ensure that functionality which exposes sensitive information is known, managed, and disabled where appropriate. An example of this is preventing the ability to copy database entries into a spreadsheet. This is a mechanism which hackers have used to extract data and then export it out of the system in high-profile data breaches. Limiting the ability of users to copy and paste data is another control you should consider implementing within your systems.

Where there is a need to export data to other systems, there should be an approval step in which the data owner approves the export, so that users can be held accountable for their actions.
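The monitoring and "act to prevent" steps above can be illustrated with a small content-inspection routine of the kind a mail gateway would run on outbound messages. The code below is an added example, not code from the original post or from DQS; the internal domain `corp.example`, the approved partner domain `partner.example`, the classification labels and the sample messages are all constructed. It looks for classification markers and for payment card numbers (validated with the Luhn check so that order references and phone numbers are not flagged), then allows, allows-and-logs, or quarantines the message depending on where it is going. Card numbers are masked in the findings so that the DLP log does not itself become a leak.

```python
"""Outbound email inspection for data leakage prevention.

Added example, not code from the original post or DQS: a minimal content
inspection step that looks for classification labels and payment card
numbers in an outgoing message and decides whether to allow, log or
quarantine it. Domains, labels and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"            # assumed internal mail domain
APPROVED_EXTERNAL = {"partner.example"}     # assumed domains the data owner has approved
CLASSIFICATION_RE = re.compile(r"\[(CONFIDENTIAL|RESTRICTED)\]")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check so order numbers and phone numbers are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return finding tags; card numbers are masked so the log itself does not leak."""
    findings = [f"label:{label}" for label in CLASSIFICATION_RE.findall(text)]
    for candidate in CARD_CANDIDATE_RE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if luhn_valid(digits):
            findings.append("pan:" + digits[-4:].rjust(len(digits), "*"))
    return findings


@dataclass
class Decision:
    action: str                                 # "allow", "allow-and-log" or "quarantine"
    findings: list[str] = field(default_factory=list)
    reason: str = ""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inspect_message(sender: str, recipients: list[str], body: str) -> Decision:
    """Decide what the mail gateway should do with one outbound message."""
    findings = find_sensitive(body)
    if not findings:
        return Decision("allow", [], "no sensitive content detected")
    external = [r for r in recipients if domain_of(r) != INTERNAL_DOMAIN]
    unapproved = [r for r in external if domain_of(r) not in APPROVED_EXTERNAL]
    if unapproved:
        # Hold the message for the data owner to release or reject (the "act to prevent" step).
        return Decision("quarantine", findings,
                        f"sensitive content from {sender} to unapproved recipients: {unapproved}")
    if external:
        return Decision("allow-and-log", findings, "sensitive content to approved external domain")
    return Decision("allow-and-log", findings, "sensitive content stays internal")


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        (["bob@mail.example"], "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456"),
        (["bob@corp.example"], "[CONFIDENTIAL] Q3 roadmap attached"),
        (["eve@partner.example"], "[RESTRICTED] contract draft"),
        (["bob@mail.example"], "Order ref 1234 5678 9012 3456 shipped"),
    ]
    for to, body in samples:
        d = inspect_message("alice@corp.example", to, body)
        print(d.action, d.findings, "-", d.reason)
```

A real deployment would extend `find_sensitive` with the organisation's own classification labels and identifiers, and the quarantine action would feed the approval step described above rather than simply dropping the message.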

Training your staff on sensitive data handling will help to minimise the human error aspect and keep data security at the front of their minds when they are using and sharing the company’s data in the course of their work. This can include the use of screenshots and photos of screens, and even basic things like getting them to think about what data they may be sending and whether the recipient(s) are appropriate for that data. Of course, this should be backed up by appropriate terms and conditions to deter deliberate actions and give you recourse against them.

Backups are a common area which can be overlooked and taken advantage of. Any sensitive information being backed up should be protected by encryption, appropriate access controls and physical protection of any storage media which holds the backups.

A.8.13 Information backup

This control is all about backups of your information systems. Its objective is to protect against loss of your data.

You need to ensure you have backup copies of your information, software, and system images. The backups need to be taken and tested regularly.

Don’t forget that you need to decide which of your information needs to be backed up. Some of your information is in the cloud, so make sure you check with your cloud providers on their backup policies.

Your information processing facilities should all be backed up regularly. The backups should also be regularly monitored and tested by qualified IT staff.

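"Taken and tested regularly" is the part of A.8.13 that is most often skipped: a backup that has never been restored is not known to work. The script below is an added example, not code from the original post or from DQS; the sample files under `system/` are constructed. It archives a directory, records a SHA-256 manifest of every file at backup time, then performs a scripted restore into a scratch directory and checks each restored file against the manifest, reporting missing or altered files and an archive that cannot be read at all (simulated here by overwriting the archive, standing in for failed media). Encrypting the archive at rest, which the A.8.12 section above also requires, is left to the backup tool and is not shown.

```python
"""Backup with an integrity manifest and a scripted restore test.

Added example, not part of the original post or DQS guidance: builds a
compressed archive of a directory, records a SHA-256 manifest, then
restores into a scratch directory and checks every file against the
manifest. Sample files are constructed; encryption at rest is not shown.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src as tar.gz and return {relative_path: sha256}, also saved beside the archive."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for file in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = file.relative_to(src).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(str(file), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and compare every file with the manifest."""
    report = {"ok": False, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                # Use the safe extraction filter where this Python version provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"   # unreadable archive = failed test
            return report
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["corrupt"].append(rel)
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def build_sample(root: Path) -> None:
    """Constructed sample data standing in for an information system's files."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
    (root / "config.ini").write_text("[app]\nmode=prod\n")


def demo() -> tuple[dict, dict, dict]:
    """Back up the sample, test a good restore, then test against a damaged archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "system"
        build_sample(src)
        archive = work / "system.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)
        archive.write_bytes(b"not a valid archive")   # simulate corrupted backup media
        bad = verify_restore(archive, manifest)
    return manifest, good, bad


if __name__ == "__main__":
    manifest, good, bad = demo()
    print("files in manifest:", sorted(manifest))
    print("restore test (intact archive):", good)
    print("restore test (damaged archive):", bad)
```

Scheduling `verify_restore` to run after every backup, and alerting on anything other than `"ok": True`, gives the regular testing the control asks for; keeping the manifest separate from the archive means a silently altered or truncated backup is caught before it is needed.
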
A.8.14 Redundancy of information processing facilities

The objective here is to ensure the continued availability of information processing facilities. So, you need to build in sufficient redundancy to meet your requirements if things go wrong.

The key here is to identify and prioritise the information and systems needed to operate your business and support customers. By doing this, and documenting it, you can turn to that documentation in case of an outage rather than having to analyse and make decisions under pressure.

The next key step is to test the failover periodically, to give confidence that the processes and systems will fail over smoothly if needed under the pressure of an outage.

You should work with your IT suppliers to build sufficient redundancy into processing facilities. Don’t forget to document this redundancy in your business continuity plan.

Key items to consider for redundancy and business continuity:

  1. Create a BCP.
  2. Involve as many people and contractors as you can to get the BCP in place.
  3. Test each area of the plan with your employees and contractors to ensure everyone is prepared.
  4. Work with your IT suppliers to ensure there is plenty of redundancy in your processing facilities.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
