What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 8.12

ISO 27001 Annex A 8.12 - what changed in the 2022 update

When you sit down to compare the 2013 and 2022 versions of ISO 27001, you might go looking for the direct ancestor of Annex A 8.12. The reality? You won’t find one. Annex A 8.12: Data Leakage Prevention (DLP) is a brand-new, explicit control introduced in the 2022 update. While the 2013 standard certainly cared about keeping data secret, it lacked a dedicated, technical requirement for the modern tools and processes we now use to stop data from walking out the door.

The introduction of this control is a direct response to the way work has changed over the last decade. With the explosion of cloud services, remote working, and instant messaging, the “perimeter” of the office has dissolved. Annex A 8.12 formalises the need for active technology to monitor and block unauthorised data transfers.

The Evolution: From Implied Security to Explicit Control

In the ISO 27001:2013 version, data leakage was often managed indirectly through a combination of controls like Control 13.2.1 (Information transfer policies) and Control 12.1.1 (Documented operating procedures). You had policies for how to send files, but you weren’t necessarily required by the standard to have a technical “safety net” to catch mistakes.

In the 2022 revision, the structure shifted from 14 domains to 4 themes. Annex A 8.12 was added as a Technological Control. According to Hightable.io, the transition to the 2022 standard requires organisations to move beyond “hoping” employees follow the transfer policy and instead implement technical measures that can proactively detect and prevent exfiltration.

What Exactly is Annex A 8.12 Data Leakage Prevention?

The core requirement of Annex A 8.12 is that “Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.” This is both a Preventative and a Detective control.

The standard asks you to look at three specific states of data:

  • Data at Rest: Protecting files sitting on servers, cloud storage, or backup drives.
  • Data in Transit: Monitoring information as it moves via email, API calls, or web uploads.
  • Data in Use: Controlling what happens when a user is actively working with data, such as preventing copy-pasting into unauthorised apps or taking screenshots.

Key Requirements of the New 8.12 Control

Because this control is new, you cannot simply carry over your 2013 documentation. You need to establish a fresh approach. Here is what the 2022 standard expects you to address:

  • Identification of Sensitive Data: You cannot prevent leakage if you don’t know what is sensitive. This control is heavily dependent on your Information Classification (A 5.12).
  • Monitoring Channels: You are expected to monitor common leakage points, including corporate email, personal webmail, cloud storage sites (like Dropbox or Google Drive), and physical ports (like USB drives).
  • Actionable Alerts: It isn’t enough to just log a leak. The standard looks for evidence that your system can actively block or alert the security team to suspicious bulk downloads or transfers.
  • User Behaviour: The guidance suggests considering restrictions on “human” leakage, such as managing the use of screenshots or even the use of cameras in highly sensitive environments.

The Role of Attributes in Annex A 8.12

A major feature of the 2022 update is the introduction of “Attributes” to help you categorise controls. According to Hightable.io, these are essential for modern risk management. For Annex A 8.12, the attributes are:

Attribute                     | Value for Annex A 8.12
Control Type                  | Preventative, Detective
Information Security Property | Confidentiality
Cybersecurity Concept         | Protect, Detect
Operational Capability        | Information Protection

Practical Steps for Compliance

If you are transitioning to the 2022 standard, you need to prove that your DLP measures are more than just a paragraph in a handbook. Hightable.io emphasises that auditors will look for operational evidence. Here is how to get ready:

  1. Update Your Policies: Create or update a topic-specific policy on data leakage prevention that defines what tools are used and what “sensitive data” looks like.
  2. Implement Technical Tooling: This might include endpoint DLP software, email gateway filters, or Cloud Access Security Brokers (CASB).
  3. Enforce Restrictions: Consider technical blocks on USB ports or “read-only” permissions for high-risk users.
  4. Set Up Monitoring: Ensure your IT or Security team receives alerts for anomalous data movement, such as an employee downloading 5GB of data late at night.
  5. Document the Review: Keep logs of “false positives” and real incidents to show that the system is being tuned and monitored.
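One way to implement the monitoring in step 4, as an added example that is not part of the article or of Hightable.io's material: it aggregates outbound transfers per user per day over the leakage channels the article names (email, webmail, cloud storage, USB), alerts when the daily total reaches the 5GB figure used above, and escalates when any of those transfers happened outside working hours. The log format, the sample lines and the 07:00 to 20:00 working day are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample transfer log (not from the article). Fields:
# ISO timestamp, user, channel, destination, bytes transferred.
SAMPLE_LOGS = """\
2024-03-11T23:05:12 alice cloud_upload dropbox.com 2147483648
2024-03-11T23:20:44 alice cloud_upload dropbox.com 3221225472
2024-03-11T10:15:00 bob email smtp.corp.example 524288
2024-03-11T22:40:00 carol usb removable:E 104857600
2024-03-11T14:00:00 dave web_upload drive.google.com 1073741824
2024-03-11T14:05:00 dave intranet wiki.corp.example 4294967296
"""

# Leakage channels the article lists: email, webmail, cloud storage, USB.
MONITORED_CHANNELS = {"email", "webmail", "cloud_upload", "web_upload", "usb"}
BULK_THRESHOLD_BYTES = 5 * 1024 ** 3      # the article's "5GB" example
OFF_HOURS_START, OFF_HOURS_END = 20, 7    # assumed working day 07:00 to 20:00


def parse_line(line):
    """Split one log line into (timestamp, user, channel, destination, bytes)."""
    ts, user, channel, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), user, channel, dest, int(nbytes)


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def detect_bulk_transfers(log_text, threshold=BULK_THRESHOLD_BYTES):
    """Sum bytes per (user, day) over monitored channels and alert when the
    total reaches the threshold; any off-hours transfer raises severity."""
    totals = defaultdict(int)
    off_hours_seen = defaultdict(bool)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, dest, nbytes = parse_line(line)
        if channel not in MONITORED_CHANNELS:
            continue                     # intranet traffic is not a leakage channel
        key = (user, ts.date().isoformat())
        totals[key] += nbytes
        destinations[key].add(dest)
        off_hours_seen[key] |= is_off_hours(ts)
    alerts = []
    for (user, day), total in sorted(totals.items()):
        if total >= threshold:
            alerts.append({"user": user, "day": day, "bytes": total,
                           "destinations": sorted(destinations[(user, day)]),
                           "severity": "high" if off_hours_seen[(user, day)] else "medium"})
    return alerts
```

The alerts this returns are the kind of evidence step 5 asks you to retain, together with the tuning decisions made after reviewing false positives.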

Why the Change Matters

The move from 2013 to 2022 reflects a “Zero Trust” world. We no longer assume that once a person is inside the network, they can be trusted with everything. Annex A 8.12 acknowledges that most data breaches happen through legitimate accounts, either via compromised credentials or “insider threats.” By making DLP an explicit requirement, ISO 27001:2022 helps you build a more resilient, data-centric security posture.

Final Thoughts on the Transition

The jump to ISO 27001:2022 Annex A 8.12 is one of the most practical upgrades in the new standard. While it requires new technical effort, it offers some of the highest protection value for your organisation. As Hightable.io highlights, the goal isn’t just to “have a tool,” but to have a process where your data classification, access rights, and monitoring work in harmony.