Key Points:

• ISO 27001:2022 is the latest version of the international standard for information security management systems, featuring 11 new controls, including DLP (Data Loss Prevention).
• It emphasises the need for Data Loss Prevention (DLP) measures, covering systems, networks, and devices processing, storing, or transmitting sensitive information, including cloud and SaaS apps.
• Metomic helps businesses comply with ISO 27001:2022's DLP requirements by automatically detecting and protecting sensitive data in SaaS apps like Google Drive, Slack, and Jira, offering remediation, redaction, and real-time employee notifications.

Having ISO 27001 in place is a given for most cybersecurity teams.

As well as being a key requirement for partners who want to work with the business, it also helps the team show that they have an effective strategy in place when it comes to cyber attacks.

Although ISO 27001 has been around for a while, the newest updates to the standard show that the regulations are adapting to the fast-paced developments of the cybersecurity world.

What is ISO 27001:2022?

ISO 27001 is an international standard, created to manage information security management systems.

Its latest iteration is ISO 27001:2022. It was released in October last year, and includes 11 new controls - one of which focuses on DLP (Data Leakage Prevention).

Although 11 new controls to contend with sounds like a lot, don’t panic. You might already have some of these covered, and if not, you have until October 31st, 2025 to get them in place.

But as with anything in the cybersecurity world, there’s no time like the present. Getting everything sorted early can ensure you meet the ISO 27001:2022 requirements, and you’ll be protecting your sensitive data in the process.

What are the new regulations introduced in the latest update?

There are 11 new regulations introduced:

1. Threat intelligence
2. Information security for use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Configuration management
6. Information deletion
7. Data masking
8. Data leakage prevention
9. Monitoring activities
10. Web filtering
11. Secure coding

What does the regulation say about DLP?

ISO 27001:2022 states that your DLP strategy should aim to detect and prevent the loss of sensitive data like PHI and PII.

The regulations also state:

“Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.”

To meet this, you’ll need to be protecting your physical assets such as devices, USB sticks etc, but you’ll also need to be protecting your cloud apps, including any SaaS apps you use within your business.

With more and more data being hosted in the cloud, this update makes a lot of sense. Data breaches are becoming ever more costly for businesses, while data is becoming a currency in itself for hackers.

A DLP software like Metomic can help you achieve this automatically with around the clock detection of sensitive data in your SaaS apps such as Google Drive, Jira, and Slack, as well as remediation and redaction abilities to comply with your company’s security policy.

How do you become ISO 27001:2022 compliant?

Technically, you won’t need to provide documentation to show that you’re compliant with this, but it’s worth setting out your DLP strategy, as well as ‘Acceptable Use’ and ‘Information Security Policy’ documents for your employees to minimise the risk of data leaks.

There are a few things you can do to make sure you’re complying with ISO 27001:2022:

1. Stay one step ahead and become proactive when it comes to data leakage prevention
2. Ensure that tight access controls are implemented so sensitive data is restricted to the people who genuinely need to see it
3. Classify your data so you can understand the risk level tied to each asset you have, and therefore the potential for a data leak to stem from it
4. Limit your employees’ ability to copy and paste data from particularly sensitive documents or systems
5. Monitor channels or systems that hold a lot of sensitive data - either manually or with a DLP solution such as Metomic
6. Around 80% of data leaks stem from negligent employees, rather than bad actors, so keeping your employees up to date with your latest policies is key. You can do this through Metomic’s real-time employee notifications, rather than annual security training sessions that are quickly forgotten

How can Metomic help?

As well as ensuring you comply with A.8.12 (Data Leakage Prevention), Metomic can also help you align with these new regulations too:

A.8.10 - Information deletion

With automatic redaction abilities, Metomic can remove sensitive data from SaaS apps like Slack and Google Drive, without getting in the way of your employees doing their jobs.

A.8.11 - Data masking

Metomic encrypts data so that it’s unable to be identified by prying eyes. We also don’t store any of our customer data in our platform, we store encryptions of it. That means if we suffer a data breach, our customer data isn’t at risk.

A.8.12 - Data Leakage Prevention.

Metomic helps you take steps to protect your most sensitive data by automatically remediating data risks in your ecosystem.

A.8.16 - Monitoring activities

Metomic automatically monitors your SaaS apps for sensitive data, around the clock, giving you hours of your time back. No more manually scrolling through channels to see whether sensitive data has been shared, it’ll all be waiting for you as soon as you log in.

A.8.28 - Secure coding

We identify secrets and keys that should stay protected, to ensure all of your coding is secured, especially in apps like GitHub.

Let’s see how we can work together

A data loss prevention software like Metomic is an ideal fit for ensuring you’re complying with ISO 27001:2022. To see how we can help your business, book a demo of the Metomic platform with one of our SaaS Security Specialists, and we’ll tell you where your sensitive data is lurking, and how we can help you protect it.