How to Implement ISO 27001:2022 Annex A 8.7: Protection Against Malware

In the digital age, malware is the wolf constantly circling the door. From ransomware that locks up your entire business to spyware that silently siphons off sensitive data, the threat is real, constant, and evolving. If you are pursuing ISO 27001 certification, you can’t just install a free antivirus and call it a day.

ISO 27001:2022 Annex A 8.7 is the control dedicated to “Protection against malware.” It demands a structured, multi-layered approach to preventing, detecting, and recovering from malicious software. Let’s break down exactly how to implement this control effectively.

What is Annex A 8.7?

The control requires that “protection against malware is implemented and supported by appropriate user awareness.” It falls under the Technological Controls category, but as the definition suggests, it is as much about people as it is about software.

The goal isn’t just to block viruses. It is to create a resilient environment where malware struggles to enter, struggles to execute, and is quickly contained if it does manage to slip through.

Step 1: Adopt a “Defence in Depth” Strategy

One lock on the front door isn’t enough. You need a gate, a lock, a security camera, and a guard dog. In cybersecurity, this is called Defence in Depth.

To satisfy Annex A 8.7, you should implement controls at multiple layers:

  • Perimeter: Block threats before they reach you using Firewalls and Email Filtering.
  • Network: Segment your network so infection in one area can’t easily spread to another (e.g., Guest Wi-Fi shouldn’t touch your Finance server).
  • Endpoint: This is your final line of defence. Every laptop, server, and mobile device needs protection.

Step 2: Deploy Endpoint Protection (The “Must-Have”)

This is the most obvious step, but often the most poorly managed. You need to deploy anti-malware software across all supported devices.

Modern practice has moved beyond signature-based “Antivirus” (AV) to Endpoint Detection and Response (EDR). Traditional AV matches files against signatures of known malware; EDR also records and evaluates behaviour: process trees, command lines, network connections and persistence changes. If a calculator app suddenly spawns a script interpreter and downloads a file, a behavioural rule can flag or block that chain even though the file itself has no known signature. EDR is not set-and-forget, however: the detections still need tuning and someone to act on them.

Auditor Tip: It is not enough to just have the software installed. You must prove it is active and updated. During your audit, be prepared to open your management dashboard and show that 100% of your agents checked in within the last 24 hours, with current engine and signature versions and real-time protection enabled. Reconcile that list against your asset inventory as well: a device with no agent at all never appears in the EDR console, so the dashboard alone cannot show you the gaps.
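The following script is an added example, not part of the original article or of any vendor's tooling. It performs the reconciliation described in the Auditor Tip: it joins a constructed asset-inventory export against a constructed EDR console export and reports unmanaged devices, agents that have not checked in within 24 hours, stale signatures, disabled real-time protection, and agents that exist in the console but not in the asset register. The column names, the three-day signature tolerance and the hostnames are assumptions; map the columns to whatever your console actually exports.

```python
"""Annex A 8.7 evidence check: reconcile an asset inventory with an EDR export.

Added example. The CSV content below is constructed sample data and the column
names are assumptions; substitute your own exports.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the ISMS asset register (every device that is in scope).
ASSET_INVENTORY_CSV = """hostname,os,owner
FIN-SRV-01,Windows Server 2022,Finance
HR-LT-07,Windows 11,HR
DEV-MBP-03,macOS 14,Engineering
WEB-01,Ubuntu 22.04,Platform
RECEPTION-PC,Windows 11,Front Desk
"""

# Constructed sample: an EDR console export of agent health.
EDR_EXPORT_CSV = """hostname,last_checkin,agent_version,signature_date,realtime_protection
FIN-SRV-01,2024-06-10T08:12:00Z,7.4.1,2024-06-10,enabled
HR-LT-07,2024-06-03T17:45:00Z,7.4.1,2024-06-03,enabled
DEV-MBP-03,2024-06-10T07:55:00Z,7.3.9,2024-06-09,disabled
WEB-01,2024-06-10T09:01:00Z,7.4.1,2024-06-10,enabled
CONTRACTOR-LT,2024-06-10T09:30:00Z,7.4.1,2024-06-10,enabled
"""

# Fixed "now" so the constructed data evaluates the same way every run.
REPORT_TIME = datetime(2024, 6, 10, 10, 0, tzinfo=timezone.utc)
MAX_CHECKIN_AGE = timedelta(hours=24)   # the "checked in within 24 hours" test
MAX_SIGNATURE_AGE = timedelta(days=3)   # assumption: tolerable update lag


def parse_iso8601(value):
    # datetime.fromisoformat() in older Pythons rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_coverage(inventory_csv, edr_csv, now):
    """Return (coverage_percent, healthy_hosts, findings) for the two exports."""
    inventory = {r["hostname"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    agents = {r["hostname"]: r for r in csv.DictReader(io.StringIO(edr_csv))}

    findings = {
        "unmanaged": [],          # in inventory, no agent at all
        "stale_checkin": [],      # agent silent for longer than MAX_CHECKIN_AGE
        "stale_signatures": [],   # definitions older than MAX_SIGNATURE_AGE
        "protection_off": [],     # real-time protection disabled or tampered
        "not_in_inventory": [],   # agent reporting for a host the register lacks
    }
    for host in inventory:
        agent = agents.get(host)
        if agent is None:
            findings["unmanaged"].append(host)
            continue
        if now - parse_iso8601(agent["last_checkin"]) > MAX_CHECKIN_AGE:
            findings["stale_checkin"].append(host)
        sig_date = datetime.strptime(agent["signature_date"], "%Y-%m-%d")
        if now - sig_date.replace(tzinfo=timezone.utc) > MAX_SIGNATURE_AGE:
            findings["stale_signatures"].append(host)
        if agent["realtime_protection"].strip().lower() != "enabled":
            findings["protection_off"].append(host)

    findings["not_in_inventory"] = sorted(set(agents) - set(inventory))

    # A host is "healthy" only if it is in the register and has no finding.
    healthy = [h for h in inventory if not any(h in v for v in findings.values())]
    coverage_pct = 100.0 * len(healthy) / len(inventory)
    return coverage_pct, healthy, findings


def run_example():
    """Evaluate the constructed sample data at REPORT_TIME."""
    return assess_coverage(ASSET_INVENTORY_CSV, EDR_EXPORT_CSV, REPORT_TIME)


if __name__ == "__main__":
    pct, healthy, findings = run_example()
    print(f"Healthy coverage: {pct:.1f}% ({len(healthy)} hosts)")
    for category, hosts in findings.items():
        if hosts:
            print(f"  {category}: {', '.join(hosts)}")
```

Run against the sample data, the report shows 40% healthy coverage rather than the 100% an EDR dashboard would claim, because the dashboard knows nothing about RECEPTION-PC. The "not_in_inventory" finding is worth keeping even though it is not a malware gap: it tells you the asset register (Annex A 5.9) is incomplete, which an auditor will also ask about.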

Step 3: Secure Your Entry Points

Malware doesn’t appear by magic; it is usually invited in. You need to lock down the common entry vectors.

Email Scanning

Phishing is one of the most common initial access routes for ransomware. Configure your email provider (such as Microsoft 365 or Google Workspace) to scan attachments and links. Use features like “Safe Links” that re-check the URL at the time of the click rather than only at delivery, because attackers routinely point a harmless-looking link at malware only after the message has passed the inbound filter.

Web Filtering

Prevent users from accidentally stumbling into the bad parts of the internet. Use DNS filtering or web proxies (Annex A 8.23) to block access to known malicious domains and to newly registered or “parked” domains, which are frequently used to stage malware and command-and-control traffic.

Removable Media

USB drives are efficient carriers of malware. Consider disabling USB storage access for most users through your endpoint management or device-control policy, or forcing a scan of any drive upon connection, and keep a documented exception process for the few roles that genuinely need removable media.

Step 4: The Human Firewall (User Awareness)

You can spend millions on technology, but if Dave in Accounts clicks “Enable Macros” on an invoice from an unknown sender, you are in trouble. Annex A 8.7 explicitly mentions “appropriate user awareness.”

You must train your staff to:

  • Recognise phishing emails.
  • Understand the risks of downloading unapproved software (Shadow IT).
  • Know exactly who to call if their computer starts acting strangely.

Step 5: Define Your Policy

To tie this all together, you need a Malware Protection Policy. This document acts as the rulebook for your organisation.

It should cover:

  • Prohibitions: Explicitly ban the disabling of anti-malware software by users, and back the rule up technically by enabling the product’s tamper protection so a local administrator cannot simply switch it off.
  • Software Installation: State that only approved software (Allow-listing) may be installed.
  • Scanning Schedules: Define how often full system scans occur (e.g., weekly).
  • Reporting: The procedure for reporting a suspected infection.

If you need a head start, Hightable.io offers comprehensive ISO 27001 toolkits that include a pre-written “Protection Against Malware Policy” that addresses these specific requirements, saving you hours of drafting time.

Step 6: Prepare for the Worst (Recovery)

What happens if the malware wins? Compliance requires you to have a plan for recovery. This links heavily with Annex A 8.13 (Information Backup).

Ensure at least one copy of your backups is immutable (write-once, so it cannot be changed or deleted for a defined retention period). Modern ransomware targets backups specifically to prevent recovery. If your backups are on a drive connected to the infected server, or reachable with the same credentials, they will be encrypted too. Keep an offline or segregated copy of your data and test restores from it regularly; an untested backup is not a recovery plan.

Common Mistakes to Avoid

  • Ignoring Macs and Linux: “Macs don’t get viruses” is a dangerous myth. They absolutely do, and they need protection too.
  • Shadow IT: Allowing users to install whatever they want is a recipe for disaster. Remove Local Admin rights from standard users to prevent unauthorised installations.
  • Alert Fatigue: If your EDR sends 1,000 emails a day about tracking cookies and other low-severity detections, you will miss the one alert about a Trojan. Tune your alerts so you only see what matters, and route the rest to a log you can search later.

Conclusion

Implementing ISO 27001 Annex A 8.7 is about building a fortress. It combines smart technology (EDR, Web Filtering) with smart people (Awareness Training) and robust processes (Policy and Backup). By taking a layered approach, you ensure that even if one control fails, another is there to catch the threat.

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigour with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
