Jim Mazotas
Technology

ISO 27001:2022’s New DLP Requirement – Is Your Organization Ready?

If your organization is ISO 27001 certified or planning to be, there’s a critical update that demands your attention.

The 2022 revision of ISO/IEC 27001 introduced a new mandatory control: Data Loss Prevention (DLP). This isn't a guidance note or optional best practice; it’s a formal requirement, and the compliance deadline is approaching fast!

In this article, we’ll walk you through:

  • What the new DLP requirement involves

  • When the compliance deadline is

  • What’s at risk if you're not ready

  • And how to get ahead with a solution that meets both the letter and spirit of the standard

What Is ISO 27001 and Why It Matters

ISO/IEC 27001 is the international standard for managing information security. It provides a framework for organizations to identify, assess, and mitigate information-related risks. Globally recognized and widely adopted, ISO 27001 compliance is essential for demonstrating that your organization takes data protection seriously.

Whether you're a multinational enterprise or a highly regulated service provider, ISO 27001 helps you:

  • Protect sensitive data, including intellectual property and personal information

  • Comply with regional regulations like GDPR, HIPAA, or CCPA

  • Strengthen trust with partners, customers, and regulators

  • Reduce the financial and operational impact of data breaches
But with growing threats, especially from insiders and endpoints, the standard has evolved to keep pace. The 2022 update reflects that shift in a significant way.

The New Requirement: ISO/IEC 27001:2022 Control 8.1 – Data Leakage Prevention

In October 2022, ISO published a major update to the 27001 standard. Among the key changes was a new control requirement under section 8.1, focused entirely on Data Leakage Prevention.

This control requires organizations to apply data leakage prevention measures across systems, networks, and all devices that process, store, or transmit sensitive data.

Here's what organizations are now expected to do:

  1. Identify and classify sensitive information, including:

    • Personal data (e.g. customer or employee information)

    • Confidential business assets (e.g. pricing models, product designs)

    • Intellectual property and trade secrets

  2. Continuously monitor all channels where data might leak, such as:

    • Email

    • USB or portable storage

    • Cloud services and browser uploads

    • File transfers

    • Printing, scanning, and screen captures

  3. Prevent data exfiltration by:

    • Blocking unauthorized actions

    • Requiring data owner approval for exports

    • Restricting copy/paste, printing, and uploading of sensitive content

  4. Detect insider threats and malicious intent, including:

    • Monitoring user behavior for anomalous activity

    • Using deception techniques such as decoy files or honeypots

  5. Protect data in backups using encryption and physical controls

  6. Ensure legal and privacy compliance when monitoring personnel by addressing:

    • Employment law

    • Telecommunications interception

    • Privacy and data protection regulations

This is a comprehensive shift; organizations must have operational and technical controls in place to comply.
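As an added illustration that is not part of this article or of any vendor's product, the small policy evaluator below shows how steps 1 through 3 fit together in practice: it classifies the content of an outbound endpoint event using constructed detector patterns, applies a per-channel decision (allow, require data owner approval, or block) for the channels the article lists, and writes an audit record for each decision. The detector patterns, channel names and the policy table are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Step 1, classification: constructed detectors for the example. Real
# deployments use far richer rule sets; these two are illustrative only.
CLASSIFIERS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # US SSN-style number
    "CONFIDENTIAL": re.compile(r"\bCONFIDENTIAL\b", re.I),  # document marking
}

# Steps 2 and 3, channel monitoring and prevention: the channels mirror the
# article's list; the decisions are a hypothetical policy, not a recommendation.
CHANNEL_POLICY = {
    "usb": "block",
    "email": "require_approval",
    "cloud_upload": "block",
    "print": "require_approval",
    "clipboard": "block",
}

@dataclass
class Event:
    user: str
    channel: str
    content: str

@dataclass
class Decision:
    action: str
    labels: list = field(default_factory=list)

def classify(text: str) -> list:
    """Return the sensitivity labels whose detector matches the content."""
    return [label for label, rx in CLASSIFIERS.items() if rx.search(text)]

def evaluate(event: Event, audit: list) -> Decision:
    """Classify the event, decide per channel, and append an audit record."""
    labels = classify(event.content)
    if not labels:
        action = "allow"                                 # nothing sensitive found
    else:
        # Unknown channels fail closed so a new leak path is never silently allowed.
        action = CHANNEL_POLICY.get(event.channel, "block")
    audit.append({"user": event.user, "channel": event.channel,
                  "labels": labels, "action": action})  # forensic accountability
    return Decision(action, labels)
```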

When Does This Take Effect?

The new standard, ISO/IEC 27001:2022, was published on October 25, 2022. Organizations already certified under the 2013 version must transition by:

Deadline: October 31, 2025

That’s less than 18 months away. After this date:

  • Certification bodies will no longer recognize the previous version

  • Organizations that haven’t transitioned risk failing future audits

  • You may face contractual or reputational consequences with partners who require ISO certification

For organizations seeking certification for the first time, the new DLP requirement applies immediately.

Why the DLP Requirement Matters to ISO and You

Data leakage, whether accidental or malicious, is one of the most common and costly risks organizations face today. Traditional perimeter security isn’t enough. Sensitive information increasingly leaves the organization through:

  • Accidental email attachments

  • USB file transfers

  • Uploads to personal cloud drives

  • Printouts of confidential documents

  • Screenshots and screen sharing

  • Insider threat actors exploiting gaps in monitoring


ISO 27001:2022 acknowledges this shift and demands a modern, layered approach to protecting sensitive data. This includes real-time monitoring, preventive controls, and forensic accountability.

For your organization, it’s not just about compliance, it’s about risk reduction. Implementing proper DLP controls helps:

  • Prevent data breaches before they happen

  • Safeguard intellectual property and business strategy

  • Maintain trust with customers, partners, and regulators

  • Strengthen your cybersecurity posture in measurable ways
How InnerActiv Helps You Meet the Requirement

InnerActiv is an endpoint DLP and insider risk platform built for modern threats, and built to meet ISO 27001:2022 requirements.

Our platform helps you:

1. Identify and Classify Sensitive Content

  • Automatically detect PII, IP, and confidential data, even in unstructured formats like screenshots, spreadsheets, or print jobs

2. Monitor All High-Risk Channels

  • Gain visibility into data movement across:

    • USB

    • Email

    • Cloud apps

    • Copy/paste

    • Print and screen capture

3. Block Risky Behavior in Real-Time

  • Prevent unauthorized transfers, uploads, or actions involving sensitive content

  • Quarantine suspicious activity or require manager/owner approval

4. Detect and Deceive Adversaries

  • Use honeypots or decoy files to detect malicious access or reconnaissance

5. Maintain Legal and Ethical Compliance

  • Role-based access controls for monitoring data

  • Configurable data masking and opt-in policies

  • Audit-ready logs for legal defensibility

Take Action Now—The Clock Is Ticking

The ISO 27001:2022 compliance deadline is fast approaching, and many organizations still have blind spots when it comes to endpoint data protection.

This new DLP requirement isn’t optional, and it’s not theoretical. If you process, store, or transmit sensitive data, and especially if you’re in a regulated industry, you need to act now.

InnerActiv can help you:

  • Rapidly align with the new standard

  • Demonstrate audit readiness

  • Protect your most valuable data across every risk vector


Need help mapping your current capabilities to the new ISO requirement?
Contact us to schedule a consultation or see a demo of our solution in action.
