Antivirus

What is antivirus?

Antivirus is a primary software defence mechanism designed to prevent, detect, and remediate malicious software threats across organisational endpoints. The primary implementation requirement is to deploy centrally managed, real-time scanning tools; the business benefit is the protection of system integrity and the prevention of catastrophic data loss.

What is Antivirus?

A type of software used to prevent, detect, and remove malicious software. In the context of ISO 27001, antivirus is a key technical control used to protect against malware. It’s an essential part of an organisation’s overall strategy to maintain the confidentiality, integrity, and availability of information.

ISO 27001 Context

The ISO 27001 standard doesn’t specifically use the term antivirus, but it’s directly addressed under the control for Protection Against Malware (ISO 27001 Annex A 8.7 Protection Against Malware). This control requires a multi-layered approach to security that includes:

  • Anti-malware software: This is where antivirus fits in. It must be properly installed and kept up to date on all relevant devices.
  • User awareness: Training employees to recognise and avoid malware threats.
  • Controlled access: Restricting access to unauthorised websites and software to prevent malware from entering the network.
  • Regular monitoring: Continuously scanning systems and reviewing logs to detect any signs of malware.

Best Practice

Relying solely on anti-virus software is not considered sufficient for compliance. ISO 27001 emphasises a defence in depth approach, where antivirus is just one of several integrated controls that work together to protect the organisation from evolving threats.

How to implement Antivirus

Implementing effective antivirus and malware protection is a fundamental requirement of ISO 27001 Annex A 8.7, designed to protect organisational information from malicious software. By following these ten structured steps, you will establish a robust technical defence that ensures endpoints remain secure, updates are managed systematically, and security events are logged for continuous monitoring and audit compliance.

1. Formalise the Malware Protection Policy

Document a clear policy within your Information Security Management System (ISMS) to establish the mandatory requirements for malware prevention. This provides the governance framework for all technical controls.

  • Define roles and responsibilities for antivirus management.
  • Establish the “Principle of Least Privilege” regarding software installation.
  • Specify the requirement for real-time scanning across all organisational assets.

2. Map Endpoints to the Asset Register

Cross-reference your technical environment with the centralised Asset Register to ensure every device is accounted for. This identifies gaps in protection across mobile devices, servers, and workstations.

  • Identify all endpoints that handle organisational data.
  • Categorise assets based on risk and sensitivity.
  • Verify that legacy systems are either decommissioned or isolated with compensatory controls.

3. Deploy Centralised Endpoint Protection

Provision a managed Endpoint Detection and Response (EDR) or antivirus solution to allow for uniform security enforcement. Centralised management ensures that no device operates in isolation from security oversight.

  • Select a solution that supports remote deployment and telemetry.
  • Ensure the management console is protected by Multi-Factor Authentication (MFA).
  • Configure the agent to prevent unauthorised tampering or uninstallation by local users.

4. Configure Real-Time Scanning and Heuristics

Enable active protection features so that files and processes are scanned as they are accessed or executed. This configuration minimises the window of opportunity for zero-day threats.

  • Activate heuristic analysis to detect suspicious behaviour patterns.
  • Configure scanning for email attachments, web downloads, and removable media.
  • Set the agent to automatically quarantine or block detected threats.

5. Automate Signature and Engine Updates

Establish automated update schedules to ensure that the malware protection engine and definitions are current. This maintains the effectiveness of the tool against the latest known threat vectors.

  • Schedule updates to occur at least daily or upon release.
  • Monitor the management console for “out-of-date” status alerts.
  • Implement a fallback mechanism for devices that are offline for extended periods.

6. Restrict Local Administrative Privileges

Utilise Identity and Access Management (IAM) roles to prevent standard users from possessing administrative rights. This configuration drastically reduces the ability of malware to gain persistence on a system.

  • Review all local administrator groups and remove unnecessary accounts.
  • Ensure that administrative tasks require a separate, authenticated account.
  • Audit privileged access logs to detect unauthorised privilege escalation attempts.

7. Integrate Detection Logs with SIEM

Provision log forwarding from your antivirus console to a Security Information and Event Management (SIEM) system. This ensures that security teams have a single source of truth for threat visibility.

  • Configure alerts for critical malware detections and recurrent infections.
  • Monitor for signs of lateral movement or mass-quarantine events.
  • Ensure logs are retained in accordance with legal and regulatory requirements.
  • Verify log integrity to prevent tampering by malicious actors.

8. Formalise Malware Incident Response

Develop a specific Rules of Engagement (ROE) document for handling malware outbreaks. A structured response reduces the potential impact of an infection on business operations.

  • Define steps for isolating infected endpoints from the network.
  • Establish a clear communication path for reporting incidents to the security lead.
  • Document the process for forensic investigation and root cause analysis.

9. Deliver Targeted User Awareness Training

Educate staff on the risks of malware and the importance of antivirus compliance to strengthen the human firewall. This reduces the likelihood of successful social engineering or phishing attacks.

  • Provide training on recognising suspicious emails and web links.
  • Instruct users on the correct procedure for reporting antivirus alerts.
  • Simulate phishing attacks to measure the effectiveness of the training.

10. Audit Antivirus Deployment and Status

Conduct regular audits of the entire antivirus ecosystem to verify that all controls are functioning as intended. This provides the necessary evidence for ISO 27001 certification bodies.

  • Perform vulnerability scans to identify devices missing the security agent.
  • Review exception lists to ensure they are still valid and authorised.
  • Generate monthly compliance reports for the management review board.
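As an added example (not code from the original page or from any vendor's console), the following Python script turns the checks from steps 3, 5, 7 and 10 into a single audit report: it reconciles a constructed asset register against a constructed console export to find devices with no agent, stale definitions and disabled tamper protection, and scans constructed detection events for recurrent infections and mass-quarantine days. The hostnames, field names and thresholds are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample inputs (not from any real product): asset register and AV console export.
ASSET_REGISTER = ["ws-001", "ws-002", "ws-003", "srv-db-01", "srv-web-01"]
AV_STATUS = {
    "ws-001":    {"signature_date": "2024-05-10", "tamper_protection": True},
    "ws-002":    {"signature_date": "2024-04-20", "tamper_protection": False},
    "srv-db-01": {"signature_date": "2024-05-10", "tamper_protection": True},
}  # ws-003 and srv-web-01 never report in: no agent installed or checking in
# Constructed detection events from the same console: (day, host, threat, action)
DETECTIONS = [
    ("2024-05-08", "ws-002", "Trojan.Generic", "quarantined"),
    ("2024-05-09", "ws-002", "Trojan.Generic", "quarantined"),
    ("2024-05-10", "ws-002", "Trojan.Generic", "quarantined"),
    ("2024-05-10", "ws-001", "PUA.Adware", "quarantined"),
]

def missing_agent(register, status):
    """Step 10: registered assets with no agent reporting to the console."""
    return sorted(a for a in register if a not in status)

def stale_signatures(status, as_of, max_age_days=1):
    """Step 5: agents whose definitions breach the daily update requirement (as_of is ISO date)."""
    limit = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(h for h, s in status.items() if date.fromisoformat(s["signature_date"]) < limit)

def tamper_unprotected(status):
    """Step 3: agents a local user could still disable or uninstall."""
    return sorted(h for h, s in status.items() if not s["tamper_protection"])

def recurrent_infections(detections, threshold=3):
    """Step 7: hosts detected repeatedly, a sign the root cause was never removed."""
    counts = Counter(host for _, host, _, _ in detections)
    return sorted(h for h, n in counts.items() if n >= threshold)

def mass_quarantine_days(detections, min_hosts=2):
    """Step 7: days on which several hosts were quarantined (possible lateral movement)."""
    hosts_by_day = defaultdict(set)
    for day, host, _, action in detections:
        if action == "quarantined":
            hosts_by_day[day].add(host)
    return sorted(d for d, hosts in hosts_by_day.items() if len(hosts) >= min_hosts)

def audit_report(as_of):
    """Step 10: one report for the monthly management review."""
    return {"missing_agent": missing_agent(ASSET_REGISTER, AV_STATUS),
            "stale_signatures": stale_signatures(AV_STATUS, as_of),
            "tamper_unprotected": tamper_unprotected(AV_STATUS),
            "recurrent_infections": recurrent_infections(DETECTIONS),
            "mass_quarantine_days": mass_quarantine_days(DETECTIONS)}
```

Each finding maps back to the step it evidences, so an empty list under every key is the state an auditor expects to see.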

Antivirus FAQ

What is antivirus software in the context of ISO 27001?

Antivirus software is a critical technical control required by ISO 27001 Annex A 8.7 to detect, prevent, and remove malicious software. Malware attacks occur every 11 seconds globally, making robust endpoint protection essential for protecting organisational data and maintaining 100% audit readiness during certification cycles.

Does ISO 27001 require EDR or just standard antivirus?

ISO 27001 mandates protection against malware but does not prescribe a particular tool; however, modern Lead Auditors increasingly expect Endpoint Detection and Response (EDR). EDR solutions provide an 85% improvement in detection rates over traditional signature-based antivirus, offering the behavioural telemetry necessary to satisfy Annex A 8.16 monitoring requirements.

How do I satisfy the ISO 27001 malware protection control?

To satisfy Annex A 8.7, organisations must implement a structured technical framework including:

  • Automated real-time scanning enabled on all endpoints and servers.
  • Regular, automated software updates for both engines and signature definitions.
  • Centrally managed logging and immediate alerting of all detection events.
  • Restrictions on users disabling or modifying security software settings.

What are the risks of poor antivirus management?

Poor malware management leads to ransomware infections, which currently cost organisations an average of £3.5 million per breach. From a compliance perspective, failure to maintain updated antivirus results in a Major Non-Conformity during an ISO 27001 audit, which can lead to the immediate suspension of your security certification.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
