ISO 27001 Compliance
Note: ISO 27001 policy framework requires Enterprise Edition.
The ISO 27001:2022 policy framework implements information security management controls with a focus on data leakage prevention.
Overview
ISO 27001:2022 is the international standard for information security management. Aquilon DLP’s ISO 27001 policy implements key controls:
- A.8.12: Data leakage prevention (NEW in 2022 revision)
- A.5.12: Classification of information
- A.8.11: Data masking
Note: Control A.8.12 explicitly mandates DLP capabilities, making this a core requirement for ISO 27001:2022 certification.
Data Classification Levels
The ISO 27001 policy uses a four-level classification system:
| Level | Description | Examples | Severity |
|---|---|---|---|
| Restricted | Highest sensitivity | Cryptographic keys, master passwords | Critical |
| Confidential | Business-critical | Financial data, PII, trade secrets | High |
| Internal | Internal use only | Employee data, internal policies | Medium |
| Public | No restrictions | Marketing materials, public docs | Low |
Scanner Classifications
All 50+ scanners are automatically classified:
Restricted (Critical)
- private_key, api_key, jwt, aws_access_key
- credit_card, cvv
- ssn (in certain contexts)
Confidential (High)
- ssn, passport, drivers_license
- bank_account, iban
- health_record, medical_record_number
Internal (Medium)
- email, phone, address
- date_of_birth
- employee_id
Public (Low)
- Generic patterns without sensitive details
Global PII Coverage
ISO 27001 is an international standard. Organizations operating across multiple jurisdictions need comprehensive national ID detection. Aquilon DLP includes 28 country-specific national ID scanners with checksum validation.
Europe (14 scanners)
| Country | Scanner | Format | Validation |
|---|---|---|---|
| France | france_nir | 15 digits (NIR) | Mod 97 |
| Germany | germany_steurid | 11 digits (Steuer-ID) | Format rules |
| Italy | italy_cf | 16 chars (Codice Fiscale) | Mod 26 |
| Spain | spain_dni | 8-9 chars (DNI/NIE) | Mod 23 |
| Poland | poland_pesel | 11 digits (PESEL) | Weighted mod 10 |
| Netherlands | netherlands_bsn | 9 digits (BSN) | 11-proof |
| Belgium | belgium_nrn | 11 digits (NRN) | Mod 97 |
| UK | uk_nino | 9 chars (NINO) | Format rules |
| Sweden | sweden_personnummer | 10-12 digits | Luhn |
| Norway | norway_fodselsnummer | 11 digits | Dual mod-11 |
| Finland | finland_hetu | 11 chars (HETU) | Mod 31 |
| Portugal | portugal_nif | 9 digits (NIF) | Weighted mod 11 |
| Romania | romania_cnp | 13 digits (CNP) | Weighted mod 11 |
| Czech/Slovakia | czech_rodne_cislo | 9-10 digits | Mod 11 |
Americas (4 scanners)
| Country | Scanner | Format | Validation |
|---|---|---|---|
| Brazil | brazil_cpf | 11 digits (CPF) | Dual mod 11 |
| Canada | canada_sin | 9 digits (SIN) | Luhn |
| Chile | chile_rut | 8-9 chars (RUT) | Mod 11 |
| Argentina | argentina_cuit | 11 digits (CUIT/CUIL) | Weighted mod 11 |
Asia-Pacific (8 scanners)
| Country | Scanner | Format | Validation |
|---|---|---|---|
| Australia | australia_tfn | 9 digits (TFN) | Weighted mod 11 |
| India | india_aadhaar | 12 digits (Aadhaar) | Verhoeff |
| India | india_pan | 10 chars (PAN) | Format rules |
| South Korea | south_korea_rrn | 13 digits (RRN) | Weighted mod 11 |
| Japan | japan_my_number | 12 digits | Government checksum |
| China | china_resident_id | 18 chars | ISO 7064 MOD 11-2 |
| Taiwan | taiwan_national_id | 10 chars | Weighted mod 10 |
| New Zealand | new_zealand_ird | 8-9 digits (IRD) | Mod 11 |
Middle East & Africa (2 scanners)
| Country | Scanner | Format | Validation |
|---|---|---|---|
| Israel | israel_teudat_zehut | 9 digits | Luhn variant |
| Turkey | turkey_tc_kimlik | 11 digits (TC Kimlik) | Two-step checksum |
Note: All national ID scanners use country-specific context keywords to increase detection confidence and reduce false positives.
See Policy Frameworks for detailed scanner documentation.
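The tables above name a checksum per scanner, and the note says context keywords raise confidence. The sketch below is an added example, not Aquilon DLP's own code: it implements three of the listed checks (Luhn for canada_sin, 11-proof for netherlands_bsn, mod 23 for spain_dni). The regexes, keyword lists, 40-character window and the 0.6/0.3 scoring are assumptions, chosen so that a checksum-valid number with no nearby keyword falls below the documented 0.7 threshold.

```python
import re

def luhn_ok(d: str) -> bool:
    # Luhn: double every second digit from the right, sum digits, expect 0 mod 10.
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def bsn_ok(d: str) -> bool:
    # Dutch 11-proof: weights 9..2 and -1 on the last digit, expect 0 mod 11.
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return d != "000000000" and sum(w * int(c) for w, c in zip(weights, d)) % 11 == 0

def dni_ok(v: str) -> bool:
    # Spanish DNI: the check letter is indexed by the 8-digit number mod 23.
    return "TRWAGMYFPDXBNJZSQVHLCKE"[int(v[:8]) % 23] == v[8].upper()

# name -> (pattern, checksum validator, context keywords). Keywords are assumed.
SCANNERS = {
    "canada_sin": (r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b", luhn_ok, ("sin", "social insurance")),
    "netherlands_bsn": (r"\b\d{9}\b", bsn_ok, ("bsn", "burgerservicenummer")),
    "spain_dni": (r"\b\d{8}[A-Za-z]\b", dni_ok, ("dni", "documento nacional")),
}
BASE, CONTEXT_BOOST, WINDOW = 0.6, 0.3, 40  # hypothetical scoring constants

def scan(text: str, threshold: float = 0.7) -> list[tuple[str, str, float]]:
    """Return (scanner, matched value, confidence) for hits at or above threshold."""
    findings = []
    for name, (pattern, valid, keywords) in SCANNERS.items():
        for m in re.finditer(pattern, text):
            value = re.sub(r"[ -]", "", m.group())
            if not valid(value):
                continue  # regex hit but checksum failed: drop as a false positive
            nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW].lower()
            has_ctx = any(re.search(rf"\b{re.escape(k)}\b", nearby) for k in keywords)
            conf = round(BASE + (CONTEXT_BOOST if has_ctx else 0.0), 2)
            if conf >= threshold:
                findings.append((name, value, conf))
    return findings

# Constructed sample text using test-style numbers, not real identifiers.
SAMPLE = ("Employee SIN: 046 454 286 on file. Order ref 123456789 shipped. "
          "Klant BSN 111222333 geverifieerd. Invoice 046454286 paid. DNI 12345678Z")
```

In the sample, the invoice number passes Luhn but has no SIN keyword nearby, so it is reported only when the threshold is lowered below 0.6.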
Configuration
Basic Configuration
[policies]
enabled_policies = ["iso27001"]
Advanced Configuration
[policies.policy_configs.iso27001]
settings = { confidence_threshold = "0.7", enforce_data_masking = "true", classification_level = "confidential" }
Configuration Options
| Option | Description | Default |
|---|---|---|
| confidence_threshold | Minimum scanner confidence | 0.7 |
| enforce_data_masking | Require data masking in output | false |
| classification_level | Default classification level | confidential |
| control_a812_strict | Strict A.8.12 enforcement | true |
Control Implementation
Control A.8.12 - Data Leakage Prevention
Aquilon DLP directly implements A.8.12 by:
- Monitoring data at rest: Scans file systems for sensitive data
- Classification: Automatically classifies detected data
- Alerting: Generates violations for inappropriate storage
- Reporting: Provides audit trails for compliance
Control A.5.12 - Classification of Information
Each finding includes classification metadata:
{
"classification_level": "confidential",
"classification_reason": "Contains SSN (direct identifier)",
"handling_requirements": ["encryption_at_rest", "access_logging"]
}
Control A.8.11 - Data Masking
When enforce_data_masking is enabled, detected values are masked:
Original: 122-45-6789
Masked: ***-**-6789
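A sketch of the masking behaviour shown above, as an added example rather than Aquilon DLP's implementation. It assumes the rule is "keep the last four characters, preserve separators" (inferred from the single sample on this page) and adds a hypothetical min_hidden guard so that short values such as a CVV are hidden completely.

```python
import re

def mask_value(value: str, keep: int = 4, min_hidden: int = 4) -> str:
    """Star out all but the last `keep` alphanumerics; separators stay in place."""
    total = sum(c.isalnum() for c in value)
    if total - keep < min_hidden:
        keep = 0  # too short: showing `keep` characters would reveal most of it
    out, seen = [], 0
    for c in reversed(value):
        if c.isalnum():
            seen += 1
            out.append(c if seen <= keep else "*")
        else:
            out.append(c)  # keep '-', ' ' and similar so the format stays readable
    return "".join(reversed(out))

def mask_snippet(snippet: str, spans: list[tuple[int, int]]) -> str:
    """Mask each detected (start, end) span inside a context snippet."""
    # Right to left, so earlier offsets stay valid even if lengths ever changed.
    for start, end in sorted(spans, reverse=True):
        snippet = snippet[:start] + mask_value(snippet[start:end]) + snippet[end:]
    return snippet

# Constructed sample; the SSN is the sample value used on this page.
SNIPPET = "ssn=122-45-6789 cvv=123"
# Stand-in for scanner output: offsets of the detected values in the snippet.
SPANS = [(m.start(), m.end())
         for m in re.finditer(r"\d{3}-\d{2}-\d{4}|\b\d{3}\b", SNIPPET)]
```

Applying the mask to context snippets before they are written to alerts keeps the audit evidence itself from becoming a second copy of the sensitive data.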
Violation Metadata
Each ISO 27001 violation includes:
{
"policy": "ISO27001",
"severity": "high",
"classification": "confidential",
"iso_control": "A.8.12",
"control_name": "Data leakage prevention",
"handling_requirements": [
"encrypt_at_rest",
"restrict_access",
"audit_logging"
]
}
Compliance Reporting
Query by Classification Level
-- All restricted data exposures (immediate action)
SELECT path, scanner, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'ISO27001'
AND severity = 'critical';
-- Classification distribution
SELECT severity as classification, COUNT(*) as count
FROM aquilon_dlp_alerts
WHERE policy = 'ISO27001'
GROUP BY severity
ORDER BY count DESC;
-- Control A.8.12 compliance status
SELECT
date(timestamp) as date,
COUNT(*) as findings
FROM aquilon_dlp_alerts
WHERE policy = 'ISO27001'
GROUP BY date
ORDER BY date DESC
LIMIT 30;
Certification Audit Support
Generate reports for ISO 27001 auditors:
-- Data leakage prevention evidence (Control A.8.12)
SELECT
'Files with Findings' as metric,
(SELECT COUNT(DISTINCT path) FROM aquilon_dlp_alerts WHERE policy = 'ISO27001') as value
UNION ALL
SELECT
'Total Findings',
(SELECT COUNT(*) FROM aquilon_dlp_alerts WHERE policy = 'ISO27001')
UNION ALL
SELECT
'Critical Findings',
(SELECT COUNT(*) FROM aquilon_dlp_alerts
WHERE policy = 'ISO27001' AND severity = 'critical');
Best Practices
Monitoring Strategy
- Immediate alert: Restricted classification findings
- Daily review: Confidential data exposures
- Weekly audit: Internal data, classification accuracy
Information Security Management System (ISMS)
Use Aquilon DLP findings to support the ISMS:
- Risk Assessment: Identify data exposure risks
- Risk Treatment: Implement controls based on classification
- Monitoring: Continuous compliance monitoring
- Improvement: Refine policies based on findings
Statement of Applicability (SoA)
Document control implementation:
| Control | Implementation | Aquilon DLP Support |
|---|---|---|
| A.8.12 | DLP monitoring | Primary implementation |
| A.5.12 | Classification | Automatic classification |
| A.8.11 | Data masking | Optional enforcement |
Certification Support
Pre-Audit Checklist
- ISO 27001 policy enabled and configured
- All data locations included in watch_paths
- Classification levels match organization’s scheme
- Historical findings retained for audit period
- Remediation process documented
Evidence Collection
Collect evidence for auditors:
-- Export findings for audit period
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'ISO27001'
AND timestamp BETWEEN '2024-01-01' AND '2024-12-31'
ORDER BY timestamp;