Implementing ISO 27001 Annex A 8.7 is a fundamental security control that establishes robust Protection Against Malware across the organization’s IT estate. By deploying advanced Endpoint Detection and Response (EDR) systems and automating signature updates, businesses ensure operational resilience and effective defense against ransomware, trojans, and zero-day threats.
ISO 27001 Annex A Protection Against Malware Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.7. Modern malware protection requires a layered defence strategy that moves beyond legacy antivirus signatures to behavioural analysis and automated response.
1. Deploy Next-Generation Endpoint Detection (EDR)
Control Requirement: Protection against malware must be implemented across all information processing facilities.
Required Implementation Step: Uninstall legacy, signature-based antivirus solutions. Deploy a Next-Gen Endpoint Detection and Response (EDR) agent (e.g., Microsoft Defender for Endpoint, CrowdStrike, SentinelOne) to every server, workstation, and remote laptop to detect behavioural anomalies, not just known file hashes.
Minimum Requirement: 100% coverage; a single unprotected endpoint is a bridgehead for ransomware.
2. Automate Definition and Agent Updates
Control Requirement: Detection mechanisms must remain current.
Required Implementation Step: Configure the update policy to “Auto-Update” every 60 minutes for signatures and apply agent engine updates within 24 hours of release. Verify that offline clients are forced to update immediately upon network reconnection before accessing file shares.
Minimum Requirement: Signatures older than 24 hours render the protection obsolete.
3. Enable Real-Time (On-Access) Scanning
Control Requirement: Files must be scanned before execution.
Required Implementation Step: Hard-configure the EDR policy to enable “Real-Time Protection” or “On-Access Scanning”. Ensure that scanning applies to all file types (read and write), archive files (.zip, .rar), and network drives.
Minimum Requirement: Scheduled weekly scans are insufficient; protection must be instantaneous.
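Items 1 to 3 produce evidence only if someone reconciles the asset inventory against what the EDR console actually reports. The following Python script is an added example, not code from the checklist's author or from any EDR vendor: it takes a constructed inventory and a constructed console export (the field names `agent_enabled`, `real_time`, `sig_time` and `last_seen` are assumptions, since every product names them differently) and emits one finding per failed control. It separates a laptop that has simply been offline, which item 2 says must update on reconnection, from a host that is online yet stale, which means the update pipeline itself is broken.

```python
"""Added example: reconcile an asset inventory against an EDR console export
to evidence ISO 27001 Annex A 8.7 items 1-3 (coverage, signature currency,
real-time protection). All hosts, timestamps and field names are constructed
assumptions, not output from any real console."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(hours=24)  # item 2: older than this is obsolete
MAX_CHECKIN_GAP = timedelta(hours=24)    # assumption: silent longer than this = offline

# Constructed CMDB list of every host that must carry an agent (item 1).
INVENTORY = ["SRV-DB01", "SRV-WEB01", "WS-ALICE", "WS-BOB", "LT-CAROL", "LT-DAVE"]

# Constructed console export. LT-DAVE never appears: no agent has ever reported.
EDR_EXPORT = [
    {"host": "SRV-DB01", "agent_enabled": True, "real_time": True,
     "sig_time": "2024-05-10T08:00:00Z", "last_seen": "2024-05-10T09:55:00Z"},
    {"host": "SRV-WEB01", "agent_enabled": True, "real_time": True,   # online but stale
     "sig_time": "2024-05-08T07:00:00Z", "last_seen": "2024-05-10T09:50:00Z"},
    {"host": "WS-ALICE", "agent_enabled": True, "real_time": False,   # on-access scan off
     "sig_time": "2024-05-10T08:30:00Z", "last_seen": "2024-05-10T09:40:00Z"},
    {"host": "WS-BOB", "agent_enabled": False, "real_time": True,     # agent disabled
     "sig_time": "2024-05-10T08:30:00Z", "last_seen": "2024-05-10T09:30:00Z"},
    {"host": "LT-CAROL", "agent_enabled": True, "real_time": True,    # offline a week
     "sig_time": "2024-05-03T09:00:00Z", "last_seen": "2024-05-03T09:10:00Z"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    control: str  # "coverage" (item 1), "updates" (item 2) or "real-time" (item 3)
    detail: str


def parse_utc(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


ASSESSMENT_TIME = parse_utc("2024-05-10T10:00:00Z")  # constructed "now"


def _age(delta: timedelta) -> str:
    hours = int(delta.total_seconds() // 3600)
    return f"{hours // 24}d {hours % 24}h"


def assess(inventory, export, now):
    """Return one Finding per control failure; an empty list evidences items 1-3."""
    reported = {row["host"]: row for row in export}
    findings = []
    for host in inventory:
        row = reported.get(host)
        if row is None:
            findings.append(Finding(host, "coverage", "no EDR agent has ever reported"))
            continue
        if not row["agent_enabled"]:
            findings.append(Finding(host, "coverage", "agent present but disabled"))
        silent_for = now - parse_utc(row["last_seen"])
        sig_age = now - parse_utc(row["sig_time"])
        if silent_for > MAX_CHECKIN_GAP:
            # Offline host: item 2 requires a forced update on reconnection,
            # before it is allowed to touch file shares.
            findings.append(Finding(host, "updates",
                            f"offline for {_age(silent_for)}; must update on reconnect"))
        elif sig_age > MAX_SIGNATURE_AGE:
            # Online yet stale: the update pipeline, not the host, is the problem.
            findings.append(Finding(host, "updates",
                            f"online but signatures {_age(sig_age)} old; update pipeline failing"))
        if not row["real_time"]:
            findings.append(Finding(host, "real-time", "on-access scanning disabled"))
    return findings


def coverage_percent(inventory, findings) -> float:
    """Item 1 metric: hosts with an enabled, reporting agent over all inventory."""
    uncovered = {f.host for f in findings if f.control == "coverage"}
    return round(100 * (len(inventory) - len(uncovered)) / len(inventory), 1)


def is_compliant(inventory, findings) -> bool:
    """100% coverage and no other finding; a single gap fails the control."""
    return coverage_percent(inventory, findings) == 100 and not findings


if __name__ == "__main__":
    found = assess(INVENTORY, EDR_EXPORT, ASSESSMENT_TIME)
    for f in found:
        print(f"{f.host:<10} {f.control:<10} {f.detail}")
    print(f"coverage {coverage_percent(INVENTORY, found)}%  "
          f"compliant: {is_compliant(INVENTORY, found)}")
```

Run against a real export, the same reconciliation also catches the first two rows of the failure table further down: a disabled agent still shows up as "installed" in a yes/no GRC questionnaire, and a green dashboard says nothing about signature age on hosts that are online.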
4. Restrict Local Administrative Privileges
Control Requirement: Prevent unauthorised software installation.
Required Implementation Step: Revoke “Local Administrator” rights from all standard user accounts via Group Policy (GPO) or Intune. If a user cannot install software, they cannot inadvertently install a Trojan disguised as a PDF converter.
Minimum Requirement: Zero standard users with install privileges.
5. Implement Attack Surface Reduction (ASR) Rules
Control Requirement: Block common malware delivery techniques.
Required Implementation Step: Enable ASR rules in the OS or security agent to “Block JavaScript or VBScript from launching downloaded executable content” and “Block all Office applications from creating child processes”. This kills the primary vector for macro-based malware.
Minimum Requirement: Macros must be disabled by default for documents originating from the internet.
6. Configure Web Content Filtering
Control Requirement: Prevent access to known malicious websites.
Required Implementation Step: Configure your DNS filter (e.g., Cisco Umbrella) or firewall to block access to “Malware”, “Phishing”, and “Command and Control (C2)” categories. This prevents a compromised machine from “phoning home” to the attacker.
Minimum Requirement: Blocking the download URL is as important as blocking the file itself.
7. Enforce Removable Media Scanning
Control Requirement: Prevent infection via physical drives.
Required Implementation Step: Configure the EDR policy to automatically mount and scan any USB drive immediately upon insertion. Alternatively, block the mounting of non-encrypted or unapproved USB storage entirely.
Minimum Requirement: “AutoRun” must be disabled on all endpoints.
8. Sandbox Email Attachments
Control Requirement: Filter malicious content in communication channels.
Required Implementation Step: Enable “Safe Attachments” or “Sandboxing” on your email gateway. This feature detonates attachments in a virtual environment to observe their behaviour before delivering the file to the user’s inbox.
Minimum Requirement: Block high-risk file extensions (.exe, .scr, .vbs, .js) at the gateway level.
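The extension block list above and the "encrypted zip" row in the failure table below are two halves of the same gateway decision: a file the scanner cannot open must be treated as unscanned, not as clean. The following Python script is an added example, not code from the checklist's author or from any email gateway product. It applies the page's block list, unpacks archives so that a `.js` hidden one folder deep is still caught, and quarantines password-protected archives instead of delivering them. The nesting limit, the per-entry size cap and the sample attachments are constructed assumptions; the `mark_encrypted` helper only flips the archive's "encrypted" flag so the fixture behaves like a password-protected zip for metadata checks.

```python
"""Added example: gateway-side attachment triage for Annex A 8.7 item 8.
Block list from the checklist; nesting limit, size cap and samples are
constructed assumptions for this example."""
import io
import os
import zipfile

BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js"}  # from the checklist
MAX_NESTING = 3                # assumption: deeper archive nesting is quarantined
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # assumption: cap to avoid inflating zip bombs
ZIP_MAGIC = b"PK\x03\x04"


def risky_name(filename: str) -> bool:
    """Final extension check, case-insensitive, so 'Invoice.PDF.exe' is caught."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def inspect_attachment(filename: str, data: bytes, depth: int = 0):
    """Return (verdict, reason) with verdict in {'deliver', 'block', 'quarantine'}.

    'deliver' means the content was inspectable and passed these checks; the
    regular scanner still runs on it afterwards."""
    if risky_name(filename):
        return "block", f"{filename}: extension on block list"
    if not data.startswith(ZIP_MAGIC):
        return "deliver", f"{filename}: not an archive, passed to scanner"
    if depth >= MAX_NESTING:
        return "quarantine", f"{filename}: nested deeper than {MAX_NESTING} levels"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", f"{filename}: archive cannot be parsed"
    with archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                return "quarantine", f"{filename}: {info.filename} is password-protected, cannot be scanned"
            if info.is_dir():
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                return "quarantine", f"{filename}: {info.filename} exceeds size cap"
            verdict, reason = inspect_attachment(info.filename, archive.read(info), depth + 1)
            if verdict != "deliver":
                return verdict, f"{filename} -> {reason}"
    return "deliver", f"{filename}: archive contents inspected"


def triage(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: inspect_attachment(name, data)[0] for name, data in attachments.items()}


# --- constructed fixtures -------------------------------------------------
def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Fixture only: set bit 0 of the flags field (offset 8) in every central
    directory header so zipfile reports the entries as encrypted."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


SAMPLES = {  # constructed attachments, not real mail
    "report.pdf": b"%PDF-1.4 constructed sample",
    "Invoice.PDF.exe": b"MZ constructed sample",
    "docs.zip": build_zip({"readme.txt": b"hello", "tools/update.js": b"// constructed"}),
    "secure.zip": mark_encrypted(build_zip({"payroll.xlsx": b"constructed"})),
    "inner.zip": build_zip({"wrap.zip": build_zip({"setup.scr": b"constructed"})}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:<16} {inspect_attachment(name, data)}")
```

The verdict "quarantine" is deliberately distinct from "block": an encrypted archive may be legitimate, so it goes to a holding queue for the recipient to release with the password under supervision, rather than being silently delivered as the default settings in the failure table would.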
9. Establish Malware Incident Response Procedures
Control Requirement: Procedures to recover from malware attacks.
Required Implementation Step: Define a specific “Runbook” for malware alerts: 1. Isolate the host from the network. 2. Capture memory dump for forensics. 3. Re-image the machine (do not attempt to “clean” it). 4. Reset user credentials.
Minimum Requirement: The immediate capability to remotely isolate an infected host.
10. Conduct Phishing and Awareness Simulation
Control Requirement: User awareness regarding malware risks.
Required Implementation Step: Run monthly simulated phishing campaigns using current malware hooks (e.g., “Urgent Invoice”). Users who click must be auto-enrolled in remedial training. Malware usually enters via a click, not a hack.
Minimum Requirement: Evidence of testing human sensors, not just software sensors.
ISO 27001 Annex A 8.7 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Endpoint Coverage | GRC tool asks: “Is Antivirus installed?” (Yes/No). | You clicked “Yes”, but the agent is disabled on 20% of laptops because users found it “slowed down their games”. |
| Update Frequency | “We have auto-updates enabled.” | The update server crashed 3 weeks ago. The dashboard is green, but the signatures are a month old. |
| User Privileges | “Users are told not to install software.” | Without technical restriction (removing Admin rights), users ignore the policy and install malware-laden “productivity tools”. |
| Email Filtering | “We use Office 365 default settings.” | Default settings often allow encrypted zip files through. Attackers hide malware inside password-protected zips to bypass the scanner. |
| Alerting | “We get email alerts.” | The alerts go to an “IT Support” mailbox that nobody checks on weekends. Ransomware hits at 2 AM Saturday. |
| Mac/Linux Security | “We don’t need AV on Macs/Linux.” | A myth. Macs get infected, and Linux servers are primary targets for cryptominers. Leaving them unprotected is negligent. |
| Incident Response | “We will restore from backup.” | The malware dwelled in the network for 60 days. Your backups are also infected. You restore the virus along with the data. |
