Jim Mazotas

ISO 27001:2022’s New DLP Requirement – Is Your Organization Ready?

If your organization is ISO 27001 certified or planning to be, there’s a critical update that demands your attention.

The 2022 revision of ISO/IEC 27001 introduced a new mandatory control: Data Loss Prevention (DLP). This isn't a guidance note or optional best practice; it’s a formal requirement, and the compliance deadline is approaching fast!

In this article, we’ll walk you through:

  • What the new DLP requirement involves

  • When the compliance deadline is

  • What’s at risk if you're not ready

  • And how to get ahead with a solution that meets both the letter and spirit of the standard

What Is ISO 27001 and Why It Matters

ISO/IEC 27001 is the international standard for managing information security. It provides a framework for organizations to identify, assess, and mitigate information-related risks. Globally recognized and widely adopted, ISO 27001 compliance is essential for demonstrating that your organization takes data protection seriously.

Whether you're a multinational enterprise or a highly regulated service provider, ISO 27001 helps you:

  • Protect sensitive data, including intellectual property and personal information

  • Comply with regional regulations like GDPR, HIPAA, or CCPA

  • Strengthen trust with partners, customers, and regulators

  • Reduce the financial and operational impact of data breaches

But with growing threats, especially from insiders and endpoints, the standard has evolved to keep pace. The 2022 update reflects that shift in a significant way.

The New Requirement: ISO/IEC 27001:2022 Control 8.1 – Data Leakage Prevention

In October 2022, ISO published a major update to the 27001 standard. Among the key changes was a new control requirement under section 8.1, focused entirely on Data Leakage Prevention.

This control requires organizations to apply data leakage prevention measures across systems, networks, and all devices that process, store, or transmit sensitive data.

Here's what organizations are now expected to do:

  1. Identify and classify sensitive information, including:

    • Personal data (e.g. customer or employee information)

    • Confidential business assets (e.g. pricing models, product designs)

    • Intellectual property and trade secrets

  2. Continuously monitor all channels where data might leak, such as:

    • Email

    • USB or portable storage

    • Cloud services and browser uploads

    • File transfers

    • Printing, scanning, and screen captures

  3. Prevent data exfiltration by:

    • Blocking unauthorized actions

    • Requiring data owner approval for exports

    • Restricting copy/paste, printing, and uploading of sensitive content

  4. Detect insider threats and malicious intent, including:

    • Monitoring user behavior for anomalous activity

    • Using deception techniques such as decoy files or honeypots

  5. Protect data in backups using encryption and physical controls

  6. Ensure legal and privacy compliance when monitoring personnel by addressing:

    • Employment law

    • Telecommunications interception

    • Privacy and data protection regulations

This is a comprehensive shift; organizations must have operational and technical controls in place to comply.
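As an added illustration (not text from the standard and not InnerActiv's product code), the hypothetical policy evaluator below shows how steps 1, 2, 3 and 6 fit together: content is classified, the classification plus the outbound channel select an action, and the audit record carries labels and a masked preview rather than the raw content. The channel names, policy table, markers and sample strings are all constructed for the example.

```python
import re

# Step 1: classify content. Card-number pattern plus a Luhn check, and marker
# strings standing in for a confidentiality label (constructed examples).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "TRADE SECRET")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("personal")
    if any(marker in text.upper() for marker in CONFIDENTIAL_MARKERS):
        labels.add("confidential")
    return labels

# Steps 2 and 3: per-channel policy (hypothetical). Pairs not listed are allowed.
POLICY = {
    ("email_external", "personal"): "block",
    ("email_external", "confidential"): "require_owner_approval",
    ("usb", "personal"): "block",
    ("usb", "confidential"): "block",
    ("cloud_upload", "confidential"): "require_owner_approval",
    ("print", "personal"): "block",
}
SEVERITY = {"allow": 0, "require_owner_approval": 1, "block": 2}

def mask(text: str) -> str:
    """Replace anything that looks like a card number before it reaches a log."""
    return CARD_RE.sub("[CARD]", text)

def evaluate(channel: str, text: str) -> dict:
    """Return the audit record for one attempted transfer on one channel."""
    labels = classify(text)
    actions = [POLICY.get((channel, lab), "allow") for lab in labels] or ["allow"]
    # Step 6: the record stores labels, decision and a masked preview, not the content.
    return {"channel": channel, "labels": sorted(labels),
            "action": max(actions, key=SEVERITY.get), "preview": mask(text)}
```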

When Does This Take Effect?

The new standard, ISO/IEC 27001:2022, was published on October 25, 2022. Organizations already certified under the 2013 version must transition by:

Deadline: October 31, 2025

That’s less than 18 months away. After this date:

  • Certification bodies will no longer recognize the previous version

  • Organizations that haven’t transitioned risk failing future audits

  • You may face contractual or reputational consequences with partners who require ISO certification

For organizations seeking certification for the first time, the new DLP requirement applies immediately.

Why the DLP Requirement Matters to ISO and You

Data leakage, whether accidental or malicious, is one of the most common and costly risks organizations face today. Traditional perimeter security isn’t enough. Sensitive information increasingly leaves the organization through:

  • Accidental email attachments

  • USB file transfers

  • Uploads to personal cloud drives

  • Printouts of confidential documents

  • Screenshots and screen sharing

  • Insider threat actors exploiting gaps in monitoring

ISO 27001:2022 acknowledges this shift and demands a modern, layered approach to protecting sensitive data. This includes real-time monitoring, preventive controls, and forensic accountability.

For your organization, it’s not just about compliance, it’s about risk reduction. Implementing proper DLP controls helps:

  • Prevent data breaches before they happen

  • Safeguard intellectual property and business strategy

  • Maintain trust with customers, partners, and regulators

  • Strengthen your cybersecurity posture in measurable ways

How InnerActiv Helps You Meet the Requirement

InnerActiv is an endpoint DLP and insider risk platform built for modern threats and designed to meet ISO 27001:2022 requirements.

Our platform helps you:

1. Identify and Classify Sensitive Content

  • Automatically detects PII, IP, and confidential data, even in unstructured formats like screenshots, spreadsheets, or print jobs

2. Monitor All High-Risk Channels

  • Gain visibility into data movement across:

    • USB

    • Email

    • Cloud apps

    • Copy/paste

    • Print and screen capture

3. Block Risky Behavior in Real-Time

  • Prevent unauthorized transfers, uploads, or actions involving sensitive content

  • Quarantine suspicious activity or require manager/owner approval

4. Detect and Deceive Adversaries

  • Use honeypots or decoy files to detect malicious access or reconnaissance

5. Maintain Legal and Ethical Compliance

  • Role-based access controls for monitoring data

  • Configurable data masking and opt-in policies

  • Audit-ready logs for legal defensibility

Take Action Now—The Clock Is Ticking

The ISO 27001:2022 compliance deadline is fast approaching, and many organizations still have blind spots when it comes to endpoint data protection.

This new DLP requirement isn’t optional, and it’s not theoretical. If you process, store, or transmit sensitive data, and especially if you’re in a regulated industry, you need to act now.

InnerActiv can help you:

  • Rapidly align with the new standard

  • Demonstrate audit readiness

  • Protect your most valuable data across every risk vector

Need help mapping your current capabilities to the new ISO requirement?
Contact us to schedule a consultation or see a demo of our solution in action.
