Theme: Technological | Control type: Preventive | Cybersecurity concept: Protect | Priority: High

A.8.12 Data Leakage Prevention

M365 Admin Path: Microsoft Purview > Information Protection > Labels | Microsoft 365 Defender > Incidents & Alerts

Evidence Source: Microsoft Graph - Purview DLP

What is A.8.12 Data Leakage Prevention?

ISO 27001 control A.8.12 Data Leakage Prevention detects and prevents the unauthorised disclosure and extraction of information, particularly PII and other sensitive data classifications. The control replaces reliance on user behaviour and procedural controls with automated, technology-enforced controls across the key data exfiltration channels (email, file sharing, removable media, and cloud applications), implemented through a phased Monitor-Warn-Block approach.

How to implement A.8.12 in Microsoft 365

Implement A.8.12 by establishing data classification via Microsoft Purview Sensitivity Labels

Implement A.8.12 by establishing data classification via Microsoft Purview Sensitivity Labels, aligned with A.5.12 (Classification of information) and covering the Public, Internal, Confidential, and Highly Confidential levels. Create DLP policies that are triggered by Sensitive Information Types or Sensitivity Labels.

Deploy location-specific policies for Exchange Online

Deploy location-specific policies for Exchange Online, SharePoint Online, OneDrive, Teams, endpoints, and cloud applications. Start policies in Monitor mode to audit data flows without impacting users, then progress to Warn and finally Block once false-positive tuning is complete.

Configure Endpoint DLP via Defender for Endpoint integration

Configure Endpoint DLP via Defender for Endpoint integration to monitor and control sensitive file transfers to USB drives and unapproved cloud services.
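The Monitor-Warn-Block progression above, carried out in Security & Compliance PowerShell (ExchangeOnlineManagement module) as an added example that is not part of the original page: the policy and rule names, the chosen Sensitive Information Types and the CSV path are assumptions, and the three `Mode` values map to simulation without tips (Monitor), simulation with policy tips (Warn) and enforcement (Block).

```powershell
# Added example, not the page's own code. Names and paths are assumptions.
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 1. Monitor: create the policy in simulation mode without policy tips, so
#    matches are only logged while false positives are tuned.
New-DlpCompliancePolicy -Name "A.8.12 PII Protection" `
    -Comment "ISO 27001 A.8.12 - PII across email, files and Teams" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# Rule triggered by built-in Sensitive Information Types. BlockAccess is
# defined now but only enforced once the policy leaves simulation mode.
New-DlpComplianceRule -Name "A.8.12 PII - external sharing" `
    -Policy "A.8.12 PII Protection" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains PII and cannot be shared externally." `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel High

# 2. Warn: stay in simulation, but show policy tips so users see the rule.
Set-DlpCompliancePolicy -Identity "A.8.12 PII Protection" -Mode TestWithNotifications

# 3. Block: enforce once the false-positive rate is acceptable.
Set-DlpCompliancePolicy -Identity "A.8.12 PII Protection" -Mode Enable

# Auditor evidence: the current mode of every DLP policy documents where each
# one sits in the Monitor-Warn-Block progression.
Get-DlpCompliancePolicy |
    Select-Object Name, Mode, Enabled, WhenChanged |
    Export-Csv -Path .\A812-dlp-policy-modes.csv -NoTypeInformation
```

Run each stage only after reviewing the DLP alerts generated by the previous one; the exported CSV, together with the alert-triage evidence described below, is what an auditor will ask for.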

What an auditor checks for A.8.12

  • Auditors will verify that information protection is configured via Sensitivity Labels or DLP-capable licensing.
  • They will check label taxonomy covers required classification levels.
  • Auditors will verify at least one DLP policy is deployed and enabled across M365 workloads.
  • They will check DLP policies follow Monitor-Warn-Block progression.
  • Auditors will verify DLP alerts are generated and actively reviewed with 80% or more moved from New status to In Progress or Resolved.
  • They will check evidence of policy tuning based on false positive analysis.

What your auditor expects for A.8.12

  • Evidence collection for sensitivity labels
  • Information protection configuration

Evidence we surface for A.8.12

A.8.12 DLP evidence surfaces three views from Microsoft Purview Data Loss Prevention and Microsoft 365 Defender: the alert-status summary, the raw DLP-alerts inventory, and the alerts-by-severity breakdown from the Purview console. This triangulation lets an auditor see that DLP is not just configured: it is generating actionable alerts, and those alerts are being triaged.


M365 capabilities that implement this control

  • Custom Sensitive Information Types (Info Gov): create custom SITs for organisation-specific data patterns
  • Endpoint DLP (Info Gov): Data Loss Prevention for Windows endpoints
  • Exact Data Match (Info Gov): EDM-based sensitive information types for precise data matching
  • Exchange DLP (Info Gov): Data Loss Prevention policies for Exchange Online
  • SharePoint/OneDrive DLP (Info Gov): Data Loss Prevention policies for SharePoint and OneDrive
  • Teams DLP (Info Gov): Data Loss Prevention policies for Microsoft Teams
  • Trainable Classifiers (Info Gov): machine learning classifiers for content classification