How to Audit ISO 27001 Control 8.7: Protection Against Malware

ISO 27001 Annex A 8.7 audit checklist

Auditing ISO 27001 Annex A 8.7 Protection Against Malware is a technical verification of the organisation's layered defence against malicious code. The control (ISO 27001:2022 Annex A 8.7) requires that protection against malware is implemented and supported by appropriate user awareness, so the audit covers both the technical measures and the people behind them. The primary implementation requirement is real-time detection on endpoints combined with filtering at the email and web gateways; the business benefit is preventing ransomware disruption and sustaining system integrity across the enterprise.

ISO 27001 Annex A 8.7 Protection Against Malware Audit Checklist

This checklist is designed for lead auditors to verify the organisation's technical and operational resilience against malicious software. Use it to validate compliance with ISO 27001 Annex A 8.7; each item states what to verify, the evidence to request, and the test that decides pass or fail.

1. Anti-Malware Policy Formalisation Verified

Verification Criteria: A documented policy or technical standard exists defining the mandatory use of malware protection across all information processing assets.

Required Evidence: Approved “Endpoint Security Policy” or “Malware Protection Standard” citing specific scanning frequencies and remediation requirements.

Pass/Fail Test: If the organisation lacks a formalised mandate for malware protection across its fleet, mark as Non-Compliant.

2. Real-Time Protection Presence Confirmed

Verification Criteria: Endpoint Detection and Response (EDR) or Anti-Virus (AV) agents are active with real-time protection enabled on all managed endpoints.

Required Evidence: Centralised security console dashboard showing 100% "Real-Time Protection Active" status for all inventoried devices. Reconcile the console's device count against the asset inventory (CMDB): a console can only report on endpoints that have an agent, so devices missing from the console entirely are the first finding to look for.

Pass/Fail Test: If a sampled endpoint shows real-time protection disabled, or a standard user can switch it off because tamper protection is not enforced, mark as Non-Compliant.

3. Definition and Signature Update Integrity Validated

Verification Criteria: Malware definitions and detection engines are updated automatically within a window defined in the policy (typically 24-48 hours).

Required Evidence: AV/EDR console report showing the "Out of Date" agent count is zero or within a documented, negligible operational tolerance.

Pass/Fail Test: If more than 5% of the fleet has not received a signature or engine update in the last 72 hours, mark as Non-Compliant. Count devices that have stopped checking in as out of date rather than excluding them; the denominator is the asset inventory, not the number of agents the console happens to see.
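The fleet-level tests in items 2 and 3 are easier to apply to a full console export than to a dashboard screenshot. The following is an added example, not code from this page or from any vendor console: it reads a constructed CSV export (the column names are assumptions to be mapped to your own console's export), lists agents that are installed but not actually protecting, and counts definitions older than 72 hours against the asset inventory, treating inventoried devices with no agent record and agents that have stopped checking in as out of date rather than dropping them.

```python
"""Added example: apply checklist items 2 and 3 to an AV/EDR console export.

The CSV below is constructed sample data, not a real export; the column names
are assumptions and should be mapped to whatever your console actually emits.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

CONSOLE_EXPORT = """\
hostname,service_state,realtime_protection,tamper_protection,definitions_updated,last_checkin
WS-001,running,on,on,2024-05-10T08:00:00Z,2024-05-10T09:00:00Z
WS-002,running,off,on,2024-05-10T07:30:00Z,2024-05-10T09:10:00Z
WS-003,stopped,on,off,2024-05-06T12:00:00Z,2024-05-06T12:30:00Z
WS-004,running,on,on,2024-05-04T00:00:00Z,2024-05-10T08:45:00Z
SRV-01,running,on,on,2024-05-09T23:00:00Z,2024-05-10T09:20:00Z
"""

# Constructed asset inventory (what the CMDB says exists). WS-005 has no agent
# record at all, which a console-only view would never show.
INVENTORY = ["WS-001", "WS-002", "WS-003", "WS-004", "WS-005", "SRV-01"]

AUDIT_TIME = datetime(2024, 5, 10, 10, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=72)   # item 3: no update in the last 72 hours
STALE_TOLERANCE = 0.05              # item 3: more than 5% stale fails


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def unprotected_endpoints(rows):
    """Item 2: agent present but not protecting. 'Installed' is not enough; the
    service must be running, real-time protection on and tamper protection on
    (otherwise a standard user can switch it off)."""
    findings = []
    for row in rows:
        reasons = []
        if row["service_state"] != "running":
            reasons.append("service " + row["service_state"])
        if row["realtime_protection"] != "on":
            reasons.append("real-time protection off")
        if row["tamper_protection"] != "on":
            reasons.append("tamper protection off")
        if reasons:
            findings.append((row["hostname"], reasons))
    return findings


def stale_endpoints(rows, inventory, now=AUDIT_TIME, window=STALE_AFTER):
    """Item 3: devices whose definitions are older than the window.

    Two cases that checkbox tooling tends to drop are counted as stale here:
    an inventoried device with no agent record, and an agent whose last
    check-in is older than the window (its definitions_updated value is
    whatever it reported before it went quiet, so it cannot be trusted)."""
    reported = {row["hostname"] for row in rows}
    stale = [host for host in inventory if host not in reported]
    for row in rows:
        if now - parse_ts(row["definitions_updated"]) > window:
            stale.append(row["hostname"])
        elif now - parse_ts(row["last_checkin"]) > window:
            stale.append(row["hostname"])
    return stale


def stale_ratio(rows, inventory, now=AUDIT_TIME):
    """Denominator is the inventory, not the console's own device count."""
    return len(stale_endpoints(rows, inventory, now)) / len(inventory)


def fleet_verdict(rows, inventory, now=AUDIT_TIME):
    item2 = "Non-Compliant" if unprotected_endpoints(rows) else "Compliant"
    item3 = ("Non-Compliant" if stale_ratio(rows, inventory, now) > STALE_TOLERANCE
             else "Compliant")
    return {"item2_realtime_protection": item2, "item3_definition_updates": item3}


if __name__ == "__main__":
    rows = load_export(CONSOLE_EXPORT)
    for host, reasons in unprotected_endpoints(rows):
        print(f"{host}: {', '.join(reasons)}")
    print("stale:", stale_endpoints(rows, INVENTORY),
          f"({stale_ratio(rows, INVENTORY):.0%} of inventory)")
    print(fleet_verdict(rows, INVENTORY))
```

On the sample data WS-002 and WS-003 fail item 2, and three of six inventoried devices (WS-005 with no agent, WS-003 and WS-004 with old definitions) are out of date, so both items return Non-Compliant. Run it against a real export by replacing CONSOLE_EXPORT and INVENTORY and setting AUDIT_TIME to the time the export was taken.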

4. Malware Scanning of Removable Media Confirmed

Verification Criteria: Technical controls automatically scan removable media (USB, External HDDs) immediately upon connection to a managed asset.

Required Evidence: Endpoint configuration settings showing “Scan Removable Media on Insertion” is toggled to ‘On’ and enforced via Policy.

Pass/Fail Test: Perform the live test with the EICAR test file (agreed with the client in advance), never with live malware. If the file can be copied from a standard USB drive and executed on a managed asset without being detected, mark as Non-Compliant.

5. Email and Web Gateway Filtering Validated

Verification Criteria: Malicious attachments and URLs are filtered and quarantined at the gateway level before reaching the end-user inbox.

Required Evidence: Configuration exports and quarantine logs from the Email Security Gateway (e.g., Mimecast, Proofpoint) or Web Proxy (e.g., Zscaler) showing that attachment and URL sandboxing is enabled and has actually quarantined items, not merely that a spam filter is licensed.

Pass/Fail Test: If the organisation relies solely on endpoint AV without gateway-level attachment sandboxing, mark as Non-Compliant.

6. Automated Alerting and Incident Linkage Verified

Verification Criteria: Detected malware events trigger an automated alert to the Security Operations Centre (SOC) or IT team for immediate investigation.

Required Evidence: Cross-reference between a “Malware Detected” alert in the security console and a corresponding entry in the Incident Management system.

Pass/Fail Test: If malware detections are cleaned locally by the agent without being forwarded to a central security log and raised for review, mark as Non-Compliant.
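The cross-reference in item 6, and the "Incident Loop" reality check later on this page, both come down to joining two exports: the console's "Malware Detected" events and the incident system's tickets. The following is an added example, not code from this page or from any product: it works on constructed sample data with assumed field names, links each detection to a ticket by explicit detection id or, failing that, by host within an assumed 24-hour window, lists detections that never reached the incident process, and flags tickets closed without a root cause.

```python
"""Added example: cross-reference malware detections with incident tickets.

DETECTIONS stands in for a 'Malware Detected' event export from the security
console and TICKETS for an export from the incident management system. Both
are constructed sample data with assumed field names; map them to your own
exports.
"""
from datetime import datetime, timedelta, timezone

DETECTIONS = [
    {"id": "DET-1001", "host": "WS-002", "threat": "sample-trojan-A",
     "time": "2024-05-08T10:15:00Z", "action": "quarantined"},
    {"id": "DET-1002", "host": "WS-004", "threat": "sample-downloader-B",
     "time": "2024-05-09T14:02:00Z", "action": "cleaned"},
    {"id": "DET-1003", "host": "SRV-01", "threat": "sample-ransomware-C",
     "time": "2024-05-09T22:40:00Z", "action": "quarantined"},
]

TICKETS = [
    {"ticket": "INC-2201", "detection_id": "DET-1001", "host": "WS-002",
     "opened": "2024-05-08T10:20:00Z", "status": "closed",
     "root_cause": "phishing attachment opened from personal webmail"},
    # Raised by the SOC from the host name alone; no detection id recorded.
    {"ticket": "INC-2207", "detection_id": "", "host": "SRV-01",
     "opened": "2024-05-10T01:05:00Z", "status": "closed", "root_cause": ""},
]

LINK_WINDOW = timedelta(hours=24)  # assumed: a ticket raised within this window counts


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_ticket(detection, tickets, window=LINK_WINDOW):
    """Prefer an explicit reference to the detection id; otherwise accept a
    ticket for the same host opened within the window after the detection."""
    for ticket in tickets:
        if ticket["detection_id"] == detection["id"]:
            return ticket
    detected_at = parse_ts(detection["time"])
    for ticket in tickets:
        if ticket["host"] != detection["host"]:
            continue
        delay = parse_ts(ticket["opened"]) - detected_at
        if timedelta(0) <= delay <= window:
            return ticket
    return None


def unescalated_detections(detections, tickets):
    """Item 6: detections the agent handled locally that never reached the
    incident process. 'cleaned' with no ticket is the classic case."""
    return [d["id"] for d in detections if match_ticket(d, tickets) is None]


def closed_without_root_cause(tickets):
    """'Incident Loop' reality check: a closed task with no entry vector identified."""
    return [t["ticket"] for t in tickets
            if t["status"] == "closed" and not t["root_cause"].strip()]


def linkage_verdict(detections, tickets):
    missing = unescalated_detections(detections, tickets)
    no_cause = closed_without_root_cause(tickets)
    return {
        "item6_alert_linkage": "Non-Compliant" if missing else "Compliant",
        "incident_loop_root_cause": "Non-Compliant" if no_cause else "Compliant",
        "unescalated": missing,
        "closed_without_root_cause": no_cause,
    }


if __name__ == "__main__":
    print(linkage_verdict(DETECTIONS, TICKETS))
```

On the sample data DET-1002 (cleaned locally on WS-004) has no ticket and INC-2207 was closed with an empty root cause, so both checks return Non-Compliant. The host-and-time fallback is there because many SOCs raise tickets without copying the console's detection id; tighten LINK_WINDOW to the organisation's own escalation SLA.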

7. Administrative Privilege Restriction Confirmed

Verification Criteria: Standard users do not possess local administrative rights, preventing the manual installation of unauthorised software and inhibiting malware persistence.

Required Evidence: Local Administrators group membership report showing only authorised IT/system accounts. Take the report from the endpoints themselves (via the endpoint management tool or a sampled workstation), not only from the directory: a local account added outside the directory will not appear in a directory group report.

Pass/Fail Test: If non-technical staff possess local admin rights on their primary workstation, mark as Non-Compliant.

8. Mobile Device Malware Protection Validated

Verification Criteria: Mobile devices (smartphones/tablets) accessing corporate data are subject to Mobile Threat Defence (MTD) or equivalent controls.

Required Evidence: Intune/MDM configuration reports showing active “Device Compliance” policies that check for jailbreaking or malware.

Pass/Fail Test: If personal or corporate mobile devices access production data without a “Healthy Device” check, mark as Non-Compliant.

9. Malware Awareness Training Completion Records Present

Verification Criteria: Personnel receive regular training on identifying common malware vectors, such as phishing and social engineering.

Required Evidence: Training logs showing >90% completion rates for modules specifically covering malware and ransomware awareness.

Pass/Fail Test: If the organisation has not provided malware-specific awareness training in the current audit cycle, mark as Non-Compliant.

10. Periodic Vulnerability Scanning Records Verified

Verification Criteria: Infrastructure is scanned for vulnerabilities that could be exploited to deliver or propagate malware.

Required Evidence: Recent vulnerability scan reports (e.g., Nessus, Qualys) showing that "Critical" and "High" rated flaws have been remediated within the organisation's defined timescales, not merely that the scan ran.

Pass/Fail Test: If there is no evidence of a vulnerability scan being performed in the last 90 days, mark as Non-Compliant.

ISO 27001 Annex A 8.7 SaaS / GRC Platform Failure Checklist

Each entry gives the control requirement, the 'checkbox compliance' trap a SaaS/GRC platform falls into, and the reality check an auditor should perform instead.

Active Protection
Checkbox Compliance Trap: The tool checks whether "Defender/Sophos" is 'Installed' via API.
Reality Check: Verify the service status. An agent can be 'Installed' but in a 'Stopped' or 'Tampered' state that the GRC tool misses.

Update Frequency
Checkbox Compliance Trap: The platform records that "Automatic Updates" is 'On'.
Reality Check: Check the stale list. GRC tools often ignore devices that haven't 'checked in' recently but are still active in the field.

Email Filtering
Checkbox Compliance Trap: The tool marks 'Compliant' because a SaaS email provider is used.
Reality Check: Demand the configuration policy. Standard 'spam' filtering is not malware sandboxing; verify the specific sandboxing triggers.

Removable Media
Checkbox Compliance Trap: The tool assumes users don't use USB drives because a 'Policy' exists.
Reality Check: Perform a live test. Insert a non-malicious test file via USB; if the system allows execution without a scan, the control fails.

Mobile Security
Checkbox Compliance Trap: The tool records "MDM is in use" for the fleet.
Reality Check: Check for jailbreak detection. GRC tools rarely verify that the MDM actually blocks access for compromised mobile handsets.

Incident Loop
Checkbox Compliance Trap: The platform notes that a 'Malware Task' was closed.
Reality Check: Verify the root cause. If the task was closed without identifying how the malware entered, the control loop is broken.

Vulnerability Scans
Checkbox Compliance Trap: The tool shows a "Scan Task" marked as 'Done'.
Reality Check: Review the remediation report. A 'Done' task means a scan happened; it does not mean the critical flaws were actually patched.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
