In this ultimate how-to audit guide to ISO 27001 Annex A 8.23 Web Filtering, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A 8.23 Web Filtering Audit Checklist
- 1. Web Filtering Policy and Rulebase Formalisation Verified
- 2. Malicious Domain and IP Blocking Enforcement Confirmed
- 3. SSL/TLS Inspection for Web Traffic Validated
- 4. Unauthorised Cloud Storage and File Sharing Restriction Verified
- 5. Remote and Mobile Workforce Filtering Alignment Confirmed
- 6. Automated Threat Intelligence Feed Synchronisation Verified
- 7. Web Filtering Bypass and Proxy Restriction Validated
- 8. Exception Management and Authorisation Records Identified
- 9. Administrative Access and Rule Modification Monitoring Verified
- 10. Periodic Web Traffic Trend Review Recorded
- What is the difference between URL filtering and DNS filtering?
- Is SSL inspection required for ISO 27001 Annex A 8.23?
ISO 27001 Annex A 8.23 Web Filtering Audit Checklist
Auditing ISO 27001 Annex A 8.23 Web Filtering is the technical verification of content-based restrictions applied to outbound internet traffic. The Primary Implementation Requirement is the deployment of SSL inspection and automated malicious domain blocking, providing the Business Benefit of protecting users from web-borne malware and preventing unauthorised data exfiltration.
This technical verification tool is designed for lead auditors to establish the efficacy of controls restricting access to malicious or unauthorised external websites. Use this checklist to validate compliance with ISO 27001 Annex A 8.23.
1. Web Filtering Policy and Rulebase Formalisation Verified
Verification Criteria: A documented policy or technical standard exists defining the categories of websites to be blocked (e.g. malware, phishing, illegal content, or unauthorised file sharing).
Required Evidence: Approved Acceptable Use Policy (AUP) or Web Filtering Standard cross-referenced with the active category list in the filtering tool.
Pass/Fail Test: If the organisation lacks a formalised mandate defining which web categories are prohibited, mark as Non-Compliant.
2. Malicious Domain and IP Blocking Enforcement Confirmed
Verification Criteria: Technical controls are active to automatically block access to known malicious domains, C2 servers, and phishing URLs based on real-time threat intelligence.
Required Evidence: Configuration logs from the Secure Web Gateway (SWG) or DNS filter showing “High Risk” and “Malicious” categories set to ‘Block’.
Pass/Fail Test: If the filtering tool is configured to ‘Alert’ rather than ‘Block’ for confirmed malware or phishing categories, mark as Non-Compliant.
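As an added example (not code from this guide or from any filtering product), the following Python script performs the cross-check that items 1 and 2 call for: it takes the prohibited categories named in a constructed Acceptable Use Policy excerpt, reads a constructed export of the active category rulebase (the column names and action values are assumptions; real Secure Web Gateway and DNS-filter exports differ), and flags any mandated category that is missing from the rulebase or set to anything other than Block.

```python
import csv
import io

# Constructed excerpt of the organisation's Acceptable Use Policy: the web
# categories it declares prohibited. The wording is an assumption for this example.
AUP_PROHIBITED_CATEGORIES = [
    "Malware",
    "Phishing",
    "Command and Control",
    "Unauthorised File Sharing",
]

# Constructed export of the active category rulebase from a Secure Web Gateway
# or DNS filter. The column names are an assumption; real exports differ.
RULEBASE_EXPORT = """\
category,action,last_changed
Business,allow,2024-01-10
Malware,block,2024-01-10
Phishing,alert,2024-03-02
Command and Control,block,2024-01-10
Social Networking,allow,2024-01-10
"""


def parse_rulebase(text):
    """Map each category (lower-cased) to its configured action."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["category"].strip().lower(): row["action"].strip().lower()
            for row in reader}


def audit_category_enforcement(mandated, rulebase):
    """Item 1 and item 2 checks: every category the policy prohibits must exist
    in the rulebase and be set to 'block' (not 'alert' or 'allow').

    Returns a dict with an overall verdict and a list of findings as
    (category, observed_action, reason) tuples.
    """
    findings = []
    for name in mandated:
        action = rulebase.get(name.strip().lower())
        if action is None:
            findings.append((name, "missing",
                             "policy names the category but the tool has no rule for it"))
        elif action != "block":
            findings.append((name, action, "must be set to block"))
    verdict = "Non-Compliant" if findings else "Compliant"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = audit_category_enforcement(AUP_PROHIBITED_CATEGORIES,
                                        parse_rulebase(RULEBASE_EXPORT))
    print(result["verdict"])
    for category, action, reason in result["findings"]:
        print(f"  {category}: {action} ({reason})")
```

Run against the constructed data it reports Non-Compliant with two findings: Phishing is set to alert rather than block, and the AUP's "Unauthorised File Sharing" category has no rule at all. Both are exactly the gaps the pass/fail tests above describe, and the script is deliberately strict: a category the policy mandates but the tool does not know about counts as a failure, because the evidence for item 1 is the cross-reference between the two documents, not either one alone.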
3. SSL/TLS Inspection for Web Traffic Validated
Verification Criteria: The organisation possesses the technical capability to decrypt and inspect encrypted web traffic (HTTPS) to detect hidden threats and enforce filtering rules.
Required Evidence: SSL Inspection certificates deployed to endpoints and logs showing decrypted URL paths in the web proxy or gateway.
Pass/Fail Test: If the organisation cannot inspect HTTPS traffic (which accounts for over 95% of the web), leaving its filtering rules blind to encrypted content, mark as Non-Compliant.
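The evidence for item 3 is a proxy log that actually shows decrypted URL paths. As an added example (not code from this guide or from any proxy vendor), the Python script below reads a constructed proxy access log in an assumed format and measures inspection coverage: a request logged only as an opaque CONNECT tunnel means the gateway never saw the decrypted URL, while a GET with a full https:// URL and path means inspection was in effect. It skips malformed lines and returns the share of HTTPS requests that were inspected together with the hosts that only ever appeared as tunnels.

```python
import re
from urllib.parse import urlsplit

# Constructed web proxy access log. The format is an assumption for this example:
#   <timestamp> <client-ip> <method> <target> <status>
# Without SSL inspection a proxy only sees the tunnel: "CONNECT host:443".
# With inspection it logs the decrypted request: "GET https://host/path".
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:01Z 10.1.4.22 CONNECT updates.example.net:443 200
2024-05-01T09:12:03Z 10.1.4.22 GET https://intranet.example.com/reports/q1.pdf 200
2024-05-01T09:12:09Z 10.1.4.31 GET https://files.example.org/share/x.zip 403
2024-05-01T09:12:11Z 10.1.4.31 CONNECT bank.example.com:443 200
2024-05-01T09:12:15Z 10.1.4.40 GET http://legacy.example.com/index.html 200
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def classify_entry(line):
    """Return None for unparsable lines, otherwise a dict saying whether the
    request was HTTPS and, if so, whether the proxy logged a decrypted URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        # Opaque tunnel: only host:port is visible, so there is no path to filter on.
        host = target.rsplit(":", 1)[0]
        return {"client": m.group("client"), "host": host,
                "https": True, "inspected": False}
    parts = urlsplit(target)
    is_https = parts.scheme == "https"
    return {
        "client": m.group("client"),
        "host": parts.hostname or "",
        "https": is_https,
        "inspected": is_https,  # a decrypted https:// path reached the log
    }


def inspection_coverage(log_text):
    """Item 3 evidence check: the share of HTTPS requests that carried a
    decrypted URL path, and the hosts seen only as opaque CONNECT tunnels."""
    https_total = inspected = 0
    tunnel_only_hosts = set()
    for line in log_text.splitlines():
        entry = classify_entry(line)
        if entry is None or not entry["https"]:
            continue
        https_total += 1
        if entry["inspected"]:
            inspected += 1
        else:
            tunnel_only_hosts.add(entry["host"])
    ratio = inspected / https_total if https_total else 0.0
    return {
        "https_total": https_total,
        "inspected": inspected,
        "ratio": ratio,
        "uninspected_hosts": sorted(tunnel_only_hosts),
    }


if __name__ == "__main__":
    cov = inspection_coverage(SAMPLE_PROXY_LOG)
    print(f"HTTPS requests: {cov['https_total']}, inspected: {cov['inspected']} "
          f"({cov['ratio']:.0%})")
    for host in cov["uninspected_hosts"]:
        print(f"  tunnel only (not decrypted): {host}")
```

On the constructed log half of the HTTPS requests were decrypted and two hosts were tunnelled without inspection. A coverage figure well below 100% is not automatically a failure: organisations routinely exempt categories such as banking or health from decryption for privacy reasons, so the auditor should reconcile each tunnel-only host against the approved exception records (item 8 in this checklist). An unexplained tunnel-only host, or a log that contains no decrypted https:// paths at all, is the evidence gap that the pass/fail test above describes.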

