How to Implement ISO 27001:2022 Annex A 8.23: Web Filtering

The internet is the world’s biggest library, but it is also the world’s biggest minefield. For every useful research site or SaaS tool your employees need, there are a dozen others hosting malware, phishing kits, or illegal content. ISO 27001:2022 Annex A 8.23, “Web filtering,” is a new control introduced in the 2022 update to help organizations navigate this minefield safely.

Previously, web filtering was often considered an “HR issue” to stop staff from watching Netflix at their desks. Now, ISO 27001 explicitly recognises it as a critical security control. Its primary purpose is not just to police productivity, but to reduce exposure to malicious content that could compromise your systems.

What is the Objective of Annex A 8.23?

The objective is simple: manage access to external websites to protect your IT environment. By filtering web traffic, you prevent your users from accidentally stumbling upon compromised sites that could download malware, steal credentials, or expose the organisation to legal liability.

It acts as a safety net. Even if you have trained your staff to spot phishing emails (Annex A 5.36), someone will eventually click a bad link. Web filtering is the technical barrier that stops that link from loading.

Step-by-Step Implementation Guide

Implementing web filtering doesn’t mean turning the internet off. It means curating it. Here is a practical approach to meeting the requirements of Annex A 8.23 without hindering your team’s ability to work.

1. Define Your Rules (The Policy)

Before you buy any software, you need to decide what “safe” looks like for your business. This usually feeds into your Acceptable Use Policy. You need to categorise websites into three buckets:

  • Allowed: Sites necessary for business (e.g., Office 365, LinkedIn, industry news).
  • Blocked (Security): Sites known for malware, phishing, command-and-control botnets, and illegal content. These should be non-negotiable.
  • Blocked (Policy): Sites that aren’t dangerous but are unwanted (e.g., gambling, adult content, or excessive streaming services).

2. Choose the Right Technology

How you implement this depends on your size. According to the experts at Hightable.io, small businesses might rely on the filtering built into their endpoint antivirus software or standard browser protections. Larger enterprises, however, usually need a centralised solution—such as a DNS filter (like Cisco Umbrella or Cloudflare) or a dedicated Secure Web Gateway (SWG).

The key is consistency. Your web filter should work whether the employee is sitting in the head office or working from a coffee shop on a laptop.

3. Handle Encryption (HTTPS)

Most of the web is now encrypted (HTTPS), which is great for privacy but tricky for filtering. Basic filters can only see the domain name (e.g., “facebook.com”), not the specific page. Advanced filters perform “SSL Inspection” to look inside the traffic, but this introduces privacy concerns and complexity.

For most ISO 27001 implementations, domain-level filtering is sufficient. You block the bad neighbourhoods of the internet so you don’t have to police every house.

4. The Exception Process

This is where many audits fail. You must have a process for when the filter gets it wrong. If a marketing manager needs to access a gambling site for market research, or if a legitimate business tool is wrongly categorised as “malware,” how do they get access?

You need a documented “Exception Process.” Users should be able to request access, and a specific person (like the IT Manager or CISO) should review and approve it based on risk. Keep a log of these exceptions—your auditor will want to see it.
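As an added example (not code from the article or from High Table), the four steps above can be expressed as the decision logic of a domain-level filter: three buckets, a reviewed allow list for tools the feed has wrongly categorised, per-user time-boxed exceptions for policy categories only, and a log-only mode for an initial monitoring period. The category feed, domains, users and approvers are all constructed, and `Grant` is a hypothetical record shape for the exception register.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse
# Constructed category feed standing in for a DNS filter's lookup. Rules key on the
# domain only: once traffic is HTTPS a domain-level filter cannot see the page path.
CATEGORIES = {"evil-download.example": "malware", "login-verify.example": "phishing",
              "bets.example": "gambling", "build-tool.example": "malware"}
ALLOWED = {"office.com", "linkedin.com", "build-tool.example"}  # reviewed allow list (build-tool is a constructed false positive)
SECURITY_BLOCK = {"malware", "phishing", "botnet_c2", "illegal"}  # non-negotiable per user
POLICY_BLOCK = {"gambling", "adult", "streaming"}                 # eligible for exceptions

@dataclass(frozen=True)
class Grant:  # hypothetical record kept by the documented exception process
    domain: str
    user: str
    approver: str
    expires: date
    reason: str

# Constructed exception register: one approved, time-boxed market-research grant.
TODAY = date(2025, 1, 31)
EXCEPTIONS = [Grant("bets.example", "m.jones", "ciso", date(2025, 3, 31), "market research")]

def in_set(host, domains):
    """Return the entry of `domains` matching host or a parent (www.bets.example -> bets.example)."""
    labels = host.lower().rstrip(".").split(".")
    return next((".".join(labels[i:]) for i in range(len(labels) - 1)
                 if ".".join(labels[i:]) in domains), None)

def decide(url, user, exceptions, today, enforce=True):
    """Return the filter decision plus the fields an auditor expects to find in the log."""
    host = urlparse(url).hostname or ""
    match = in_set(host, CATEGORIES)
    entry = {"user": user, "host": host, "exception_by": None,
             "category": CATEGORIES[match] if match else "uncategorised"}
    if in_set(host, ALLOWED):
        entry["action"] = "allow"        # reviewed allow list corrects a wrong categorisation
    elif entry["category"] in SECURITY_BLOCK:
        entry["action"] = "block"        # no per-user exception can lift these
    elif entry["category"] in POLICY_BLOCK:
        grant = next((e for e in exceptions if e.user == user and e.expires >= today
                      and in_set(host, {e.domain})), None)
        if grant:
            entry["action"], entry["exception_by"] = "allow", grant.approver
        else:
            entry["action"] = "block" if enforce else "monitor"  # log-only while tuning
    else:
        entry["action"] = "allow"        # lenient default, uncategorised included
    return entry
```

Every returned entry is the log line the auditor asks for: who, which domain, which category, and which approver granted the exception if one applied.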


Common Challenges and Solutions

Over-Blocking: If you block too much, employees will find ways around it (like using personal phones or VPNs), creating “Shadow IT” risks. Solution: Start with a “lenient” policy that only blocks high-risk security threats. Monitor the logs for a few weeks to see what people are accessing before you start blocking productivity categories.

Remote Workers: A firewall in the office doesn’t help a remote worker. Solution: Use agent-based filtering that lives on the laptop, or cloud-based DNS filtering that protects the device regardless of which network it connects to.

A Quick Checklist for Annex A 8.23

To ensure you are compliant, verify these points:

  • Do you have a policy stating which types of websites are prohibited?
  • Is a web filtering tool active on all corporate devices?
  • Are illegal and malicious sites blocked by default?
  • Is there a documented process for users to request access to blocked sites?
  • Do you review the filtering logs periodically to identify new threats or policy violations?
  • Are staff trained on why these blocks exist (so they don’t try to bypass them)?

Why This Control Matters

Implementing Annex A 8.23 is one of the highest-value controls you can deploy. For a relatively low cost, it automatically neutralises a vast percentage of internet-based attacks. It shifts the burden of security from the user (who has to make a decision) to the system (which enforces the rule), making your organisation significantly more resilient.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
