
How to Implement ISO 27001 Annex A 8.7 Protection Against Malware

In this how-to implementation guide to ISO 27001 Annex A 8.7 Protection Against Malware, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

ISO 27001 Annex A 8.7 is a fundamental security control that establishes robust protection against malware across the organization’s IT estate. By deploying Endpoint Detection and Response (EDR) tooling and automating signature updates, organizations build operational resilience and an effective defence against ransomware, trojans, and zero-day threats.

ISO 27001 Protection Against Malware Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 8.7. Modern malware protection requires a layered defence strategy that moves beyond legacy antivirus signatures to behavioural analysis and automated response.

1. Deploy Next-Generation Endpoint Detection (EDR)

Control Requirement: Protection against malware must be implemented across all information processing facilities.

Required Implementation Step: Uninstall legacy, signature-based antivirus solutions. Deploy a Next-Gen Endpoint Detection and Response (EDR) agent (e.g., Microsoft Defender for Endpoint, CrowdStrike, SentinelOne) to every server, workstation, and remote laptop to detect behavioural anomalies, not just known file hashes.

Minimum Requirement: 100% coverage; a single unprotected endpoint is a bridgehead for ransomware.

2. Automate Definition and Agent Updates

Control Requirement: Detection mechanisms must remain current.

Required Implementation Step: Configure the update policy to “Auto-Update” every 60 minutes for signatures and apply agent engine updates within 24 hours of release. Verify that offline clients are forced to update immediately upon network reconnection before accessing file shares.

Minimum Requirement: Signatures older than 24 hours render the protection obsolete.

3. Enable Real-Time (On-Access) Scanning

Control Requirement: Files must be scanned before execution.

Required Implementation Step: Hard-configure the EDR policy to enable “Real-Time Protection” or “On-Access Scanning”. Ensure that scanning applies to all file types (read and write), archive files (.zip, .rar), and network drives.

Minimum Requirement: Scheduled weekly scans are insufficient; protection must be instantaneous.
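As an added example (not from this guide or any EDR vendor's tooling), the following Python audits an asset inventory and an EDR console export against the three minimum requirements above: 100% coverage, signatures no older than 24 hours, and on-access scanning with archive and network-drive scanning enabled. The hostnames, field names and timestamps are constructed for the example.

```python
"""Audit endpoint data against the three Annex A 8.7 minimums above."""
from datetime import datetime, timedelta, timezone

# Threshold taken from the checklist: signatures older than 24h are obsolete.
MAX_SIGNATURE_AGE = timedelta(hours=24)

# Constructed sample data (hypothetical hosts) standing in for a CMDB export
# and an EDR console export. Timestamps are ISO 8601 in UTC.
ASSET_INVENTORY = {"srv-01", "srv-02", "wks-17", "lt-04"}
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
EDR_EXPORT = [
    {"host": "srv-01", "signatures_updated": "2024-05-02T11:20:00Z",
     "realtime": True, "scan_archives": True, "scan_network": True},
    {"host": "srv-02", "signatures_updated": "2024-04-30T09:00:00Z",  # stale
     "realtime": True, "scan_archives": True, "scan_network": True},
    {"host": "wks-17", "signatures_updated": "2024-05-02T10:00:00Z",
     "realtime": False, "scan_archives": False, "scan_network": True},
    # lt-04 is in the inventory but has no EDR agent enrolled at all
]

ON_ACCESS_SETTINGS = ("realtime", "scan_archives", "scan_network")


def parse_ts(s):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_percent(inventory, export):
    """Checklist item 1: share of inventoried hosts with an EDR agent."""
    enrolled = {r["host"] for r in export} & inventory
    return 100.0 * len(enrolled) / len(inventory)


def audit(inventory, export, now):
    """Return findings per checklist item; empty lists mean compliant."""
    findings = {"8.7-1 coverage": [], "8.7-2 currency": [], "8.7-3 on-access": []}
    enrolled = {r["host"] for r in export}
    findings["8.7-1 coverage"] = sorted(inventory - enrolled)  # unprotected hosts
    for r in export:
        age = now - parse_ts(r["signatures_updated"])
        if age > MAX_SIGNATURE_AGE:
            hours = age.total_seconds() / 3600
            findings["8.7-2 currency"].append(f"{r['host']}: signatures {hours:.0f}h old")
        disabled = [k for k in ON_ACCESS_SETTINGS if not r[k]]
        if disabled:
            findings["8.7-3 on-access"].append(f"{r['host']}: {', '.join(disabled)} disabled")
    return findings


if __name__ == "__main__":
    print(f"coverage: {coverage_percent(ASSET_INVENTORY, EDR_EXPORT):.0f}%")
    for control, items in audit(ASSET_INVENTORY, EDR_EXPORT, NOW).items():
        print(control, "OK" if not items else items)
```

Any non-empty finding list is audit evidence that the corresponding minimum requirement is not met; the same checks can be re-run against each fresh export to show the control stays in place over time.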
