In this ultimate how-to audit guide to ISO 27001 Annex A 8.7 Protection Against Malware, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- ISO 27001 Annex A 8.7 Protection Against Malware Audit Checklist
- 1. Anti-Malware Policy Formalisation Verified
- 2. Real-Time Protection Presence Confirmed
- 3. Definition and Signature Update Integrity Validated
- 4. Malware Scanning of Removable Media Confirmed
- 5. Email and Web Gateway Filtering Validated
- 6. Automated Alerting and Incident Linkage Verified
- 7. Administrative Privilege Restriction Confirmed
- 8. Mobile Device Malware Protection Validated
- 9. Malware Awareness Training Completion Records Present
- 10. Periodic Vulnerability Scanning Records Verified
ISO 27001 Annex A 8.7 Protection Against Malware Audit Checklist
Auditing ISO 27001 Annex A 8.7 Protection Against Malware is a technical verification of the organisation’s multi-layered defence against malicious code. The primary implementation requirement is the enforcement of real-time detection and gateway filtering; the business benefit is the prevention of ransomware disruption and sustained system integrity across the enterprise.
This technical verification tool is designed for lead auditors to establish the technical and operational resilience against malicious software. Use this checklist to validate compliance with ISO 27001 Annex A 8.7.
1. Anti-Malware Policy Formalisation Verified
Verification Criteria: A documented policy or technical standard exists defining the mandatory use of malware protection across all information processing assets.
Required Evidence: Approved “Endpoint Security Policy” or “Malware Protection Standard” citing specific scanning frequencies and remediation requirements.
Pass/Fail Test: If the organisation lacks a formalised mandate for malware protection across its fleet, mark as Non-Compliant.
2. Real-Time Protection Presence Confirmed
Verification Criteria: Endpoint Detection and Response (EDR) or Anti-Virus (AV) agents are active with real-time protection enabled on all managed endpoints.
Required Evidence: Centralised security console dashboard showing 100% “Real-Time Protection Active” status for all inventoried devices.
Pass/Fail Test: If a sampled endpoint shows real-time protection is disabled or can be deactivated by a standard user, mark as Non-Compliant.
3. Definition and Signature Update Integrity Validated
Verification Criteria: Malware definitions and heuristic engines are updated automatically within a defined window (typically 24-48 hours).
Required Evidence: AV/EDR console report showing “Out of Date” agent count is zero or within negligible operational tolerance.
Pass/Fail Test: If more than 5% of the fleet has not received a signature or engine update in the last 72 hours, mark as Non-Compliant.
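Steps 2 and 3 both boil down to a fleet-wide test over a console export, which an auditor can script rather than eyeball. The following is an added example, not part of this guide or the toolkit: it assumes a constructed CSV export (the column names are invented, not any vendor's format) and applies the real-time protection check and the 5% / 72-hour staleness threshold stated above.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export from an AV/EDR console (column names are assumed,
# not a real product format). Timestamps are UTC.
SAMPLE_EXPORT = """hostname,real_time_protection,user_can_disable,last_definition_update
ws-001,enabled,no,2024-06-10T08:00:00Z
ws-002,enabled,no,2024-06-09T22:15:00Z
ws-003,disabled,no,2024-06-10T07:30:00Z
srv-001,enabled,yes,2024-06-10T01:00:00Z
ws-004,enabled,no,2024-06-06T09:00:00Z
"""

# Fixed audit time so the result is reproducible offline.
AUDIT_TIME = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=72)   # step 3: no update in the last 72 hours
STALE_FLEET_LIMIT = 0.05            # step 3: more than 5% stale fails

def parse_export(text):
    """Read the console CSV and convert the update timestamp to a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["last_definition_update"] = datetime.strptime(
            r["last_definition_update"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rows

def audit_real_time_protection(rows):
    """Step 2: every endpoint must have RTP enabled and locked against standard users."""
    failures = [r["hostname"] for r in rows
                if r["real_time_protection"] != "enabled" or r["user_can_disable"] == "yes"]
    return {"result": "Non-Compliant" if failures else "Compliant", "failures": failures}

def audit_definition_updates(rows, now=AUDIT_TIME):
    """Step 3: flag endpoints stale for more than 72h; fail if they exceed 5% of the fleet."""
    if not rows:
        raise ValueError("empty export: cannot assess fleet coverage")
    stale = [r["hostname"] for r in rows if now - r["last_definition_update"] > STALE_AFTER]
    ratio = len(stale) / len(rows)
    return {"result": "Non-Compliant" if ratio > STALE_FLEET_LIMIT else "Compliant",
            "stale": stale, "stale_ratio": ratio}

if __name__ == "__main__":
    fleet = parse_export(SAMPLE_EXPORT)
    print("Step 2:", audit_real_time_protection(fleet))
    print("Step 3:", audit_definition_updates(fleet))
```

On the constructed sample, step 2 fails on ws-003 (protection disabled) and srv-001 (a standard user can switch it off), and step 3 fails because one of five endpoints (20%) is stale.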

