ISO 27001 Protection Against Malware
ISO 27001 Annex A 8.7 is about protection against malware, which means you must install anti-malware software and train people to raise user awareness.
Table of contents
- ISO 27001 Protection Against Malware
- What is ISO 27001 Annex A 8.7?
- ISO 27001 Annex A 8.7 Mind Map
- ISO 27001 Annex A 8.7 Video Tutorial
- How to implement ISO 27001 Annex A 8.7
- Accelerate Annex A 8.7 Implementation with Pre-Written Templates
- How to pass the audit of ISO 27001 Annex A 8.7
- Top 3 Mistakes Implementing ISO 27001 Malware Protection
- Summary: Your ISO 27001 Annex A 8.7 Implementation Roadmap
- ISO 27001 Annex A 8.7 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute Values
What is ISO 27001 Annex A 8.7?
ISO 27001 Annex A 8.7 Protection Against Malware is an ISO 27001 control that looks to make sure you understand malware in all its forms and take a holistic approach to protecting against it.
ISO 27001 Annex A 8.7 Purpose
The purpose of ISO 27001 Annex A 8.7 Protection Against Malware is to ensure information and other associated assets are protected against malware.
ISO 27001 Annex A 8.7 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.7 as:
Protection against malware should be implemented and supported by appropriate user awareness.
ISO 27001:2022 Annex A 8.7 Protection Against Malware
ISO 27001 Annex A 8.7 Mind Map
Navigating the requirements of ISO 27001 Annex A 8.7 goes beyond simply installing antivirus software; it requires a holistic approach that links policy, technical controls, and human behaviour. To help you visualise the complete compliance landscape, the mind map below breaks down the control into five actionable pillars, ranging from the initial scope definition to the ongoing audit process.

ISO 27001 Annex A 8.7 Video Tutorial
In the video ISO 27001 Protection Against Malware Explained – ISO27001:2022 Annex A 8.7 I show you how to implement it and how to pass the audit. Watch a step-by-step guide to implementing malware protection controls.
How to implement ISO 27001 Annex A 8.7
With protection against malware we are looking at a more holistic view than just having antivirus software. Of course antivirus software is a key component, but there are a few other things that we need to consider.
Implementing malware protection requires a multi-layered approach. The graphic below outlines the critical path from policy to technical controls.
Developing a Protection Against Malware Policy
You are going to either write or download a topic specific Protection Against Malware Policy.
For further guidance read: ISO 27001 Protection Against Malware Policy Ultimate Guide
Malware Awareness Training & Education
As part of your information security training you will implement training and awareness around malware. It will take the form of informing people of what malware is, how to respond to it, and general awareness of the ways in which it can be introduced.
Endpoint Protection & Antivirus Software
A top 3 all-time cyber security recommendation. This is in the territory of a no-brainer. I cannot think of a compelling reason not to have antivirus software installed and running.
Antivirus software should be in place that updates itself automatically, updates its definition files automatically, scans and repairs automatically, and reports back to a central console.
Blocking Malicious Websites & Drive-by Downloads
Ideally, access to potentially malicious or dangerous websites should be blocked or managed. The use of allowlisting should be considered and combined with both policy and training.
Email Security & Attachment Scanning
Additional tools that support the prevention of, and scanning for, malware in emails are to be considered and implemented where possible.
Malware Recovery & Business Continuity Plans
Business continuity and the ability to recover from an event are an important part of the ISO 27001 standard and act as a fallback for a failure in this control. The usual rules on having a plan and testing the plan apply here.
Integrating Threat Intelligence with Malware Protection
With the introduction of ISO 27001 Annex A 5.7 Threat Intelligence, having access to bulletins, newsletters and sources of information on emerging malware threats should be incorporated into your processes and risk planning, so that you have a process of continual improvement that seeks to mitigate those threats.
Preventing Malware via Technical Vulnerability Management
Solid technical vulnerability management is part of the standard and links to this control by removing services that are not needed, blocking those that are not needed but cannot be removed, and having solid configuration and technical management practices in place.
Accelerate Annex A 8.7 Implementation with Pre-Written Templates
Implementing ISO 27001 Annex A 8.7 requires more than just installing antivirus software; it demands a documented framework that proves to an auditor you are managing malware risks effectively. Starting these documents from a blank page is time-consuming and leaves room for error.
The ISO 27001 Toolkit bridges the gap between technical controls and compliance documentation. It provides you with a pre-written, auditor-approved Protection Against Malware Policy that you can customise in minutes.
How the Toolkit helps you meet Annex A 8.7:
- Instant Policy: Includes a topic-specific policy covering email scanning, removable media, and user responsibilities, saving you days of drafting time.
- Risk Assessment Integration: Provides the templates to document malware threats and link them to your technical controls (like EDR and patching).
- Audit Readiness: Ensures your documentation aligns perfectly with the ISO 27001:2022 standard, eliminating the risk of non-conformities during your certification audit.
Stop guessing what the auditor wants to see. Download the templates, fill in the blanks, and move on to the next control.
How to pass the audit of ISO 27001 Annex A 8.7
To pass the audit for Annex A 8.7, you must demonstrate to the auditor that your malware controls are not just installed, but active, managed, and effective. Use this checklist to prepare your evidence:
1. Present the Topic-Specific Policy
- Action: Show the auditor your Protection Against Malware Policy.
- Key Requirement: Ensure the policy explicitly covers preventative measures, detective controls, and user awareness.
2. Show Evidence of Risk-Based Decisions
- Action: Walk the auditor through your risk assessment.
- Key Requirement: Explain why you chose specific tools (e.g., EDR vs. basic Antivirus) based on the specific risks to your assets.
3. Demonstrate Technical Implementation (The “Live” Test)
- Action: Open your antivirus/EDR management console during the audit.
- Key Requirement: Show the dashboard proving 100% of endpoints are “Healthy” and “Up to Date.”
- Crucial: Be ready to explain any “red” or “offline” devices immediately.
4. Validate User Awareness Training
- Action: Provide training records.
- Key Requirement: Show a sample of employee completion certificates specifically for malware or phishing awareness modules.
5. Prove Incident Response Capabilities
- Action: Show a log of a past malware event (even a blocked file).
- Key Requirement: Demonstrate that the system alerted you, you investigated it, and the “Ticket” was closed.
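Step 3 and step 5 above both come down to the same question: can you show, from data rather than assertion, which endpoints are protected and which are not? The script below is an added example, not code from the original article or from any vendor's product. It assumes a CSV export from an anti-malware management console with the constructed columns hostname, av_enabled, real_time_protection, definitions_updated and last_seen (real consoles use their own schemas), and the thresholds for "stale definitions" and "offline" are assumptions to replace with the values in your own policy. It turns that export into the coverage figure and the list of "red" devices an auditor will ask about.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example; take the real values from your policy.
MAX_DEFINITION_AGE = timedelta(hours=24)  # definitions older than this are "stale"
MAX_UNSEEN_AGE = timedelta(days=7)        # agents silent for longer than this are "offline"

# Fixed "now" so the sample report is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)

# Constructed sample export. Column names are an assumption, not any vendor's schema.
SAMPLE_EXPORT = """hostname,av_enabled,real_time_protection,definitions_updated,last_seen
LAPTOP-001,true,true,2024-05-20T06:00:00Z,2024-05-20T08:30:00Z
LAPTOP-002,true,false,2024-05-20T06:00:00Z,2024-05-20T08:10:00Z
SRV-DB-01,true,true,2024-05-15T06:00:00Z,2024-05-20T08:00:00Z
LAPTOP-003,false,false,2024-05-20T06:00:00Z,2024-05-20T07:45:00Z
LAPTOP-004,true,true,2024-05-19T06:00:00Z,2024-05-01T09:00:00Z
"""


@dataclass
class Endpoint:
    hostname: str
    av_enabled: bool
    real_time_protection: bool
    definitions_updated: datetime
    last_seen: datetime


def _parse_ts(value: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11, so normalise it.
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def _parse_bool(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_export(text: str) -> list[Endpoint]:
    """Turn the console's CSV export into Endpoint records."""
    return [
        Endpoint(
            hostname=row["hostname"].strip(),
            av_enabled=_parse_bool(row["av_enabled"]),
            real_time_protection=_parse_bool(row["real_time_protection"]),
            definitions_updated=_parse_ts(row["definitions_updated"]),
            last_seen=_parse_ts(row["last_seen"]),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def assess_endpoint(ep: Endpoint, now: datetime) -> list[str]:
    """Return finding codes for one endpoint; an empty list means 'healthy and up to date'."""
    findings = []
    if not ep.av_enabled:
        findings.append("AV_DISABLED")
    if not ep.real_time_protection:
        findings.append("RTP_OFF")
    if now - ep.definitions_updated > MAX_DEFINITION_AGE:
        findings.append("DEFS_STALE")
    if now - ep.last_seen > MAX_UNSEEN_AGE:
        findings.append("OFFLINE")
    return findings


def build_report(endpoints: list[Endpoint], now: datetime) -> dict:
    """Coverage percentage plus the per-host findings the auditor will ask you to explain."""
    findings = {ep.hostname: f for ep in endpoints if (f := assess_endpoint(ep, now))}
    healthy = len(endpoints) - len(findings)
    coverage = round(100.0 * healthy / len(endpoints), 1) if endpoints else 0.0
    return {
        "generated_at": now.isoformat(),
        "total": len(endpoints),
        "healthy": healthy,
        "coverage_pct": coverage,
        "findings": findings,
    }


def sample_report() -> dict:
    return build_report(parse_export(SAMPLE_EXPORT), AUDIT_TIME)


if __name__ == "__main__":
    report = sample_report()
    print(f"Endpoint anti-malware coverage: {report['healthy']}/{report['total']} "
          f"({report['coverage_pct']}%) as of {report['generated_at']}")
    for host, codes in sorted(report["findings"].items()):
        print(f"  {host}: {', '.join(codes)}")
```

Run it on an export taken the morning of the audit and keep the output with the export itself; a dated report you can regenerate is far stronger evidence than a screenshot, and the findings list is exactly the set of devices you should have an explanation ready for before the auditor asks.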
Top 3 Mistakes Implementing ISO 27001 Malware Protection
The top 3 mistakes people make for ISO 27001 Annex A 8.7 are:
1. Weak or no antivirus
A common mistake is having a weak or no anti-malware solution in place. There may be occasions where this is not possible, and that is OK: you manage it with compensating controls and via risk management. But where it is possible, it should be installed, operating and up to date.
2. You rely only on antivirus
Another common mistake for this control is only relying on antivirus or anti malware technology. The control is specific about the support via education and user awareness. Be sure to incorporate education and awareness into your plans and consider the other guidance provided above.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents with no outstanding comments in them are all good practices.
Summary: Your ISO 27001 Annex A 8.7 Implementation Roadmap
Implementing protection against malware is a continuous cycle of prevention, detection, and response. Use the infographic below as a quick-reference guide or “Cheat Sheet” to ensure you have covered all the essential layers of defence required for your audit.
ISO 27001 Annex A 8.7 FAQ
Yes, but antivirus alone is rarely sufficient. While the standard does not name specific brands, it requires technical controls that prevent and detect malicious software. In practice, an auditor will expect to see Endpoint Detection and Response (EDR) or active antivirus software installed on all applicable devices, along with evidence that it is automatically updated and cannot be disabled by unauthorised users.
The responsibility typically sits with the IT Manager or CISO, but it is a shared organisational duty.
- IT/Security Team: Responsible for selecting, installing, and managing technical tools (antivirus, firewalls, patching).
- Senior Management: Accountable for approving the Malware Protection Policy and ensuring resources are available.
- All Employees: Responsible for following policy (e.g., not plugging in unknown USB drives) and reporting suspected incidents.
Auditors will look for a combination of policy documentation and technical logs. Common evidence includes:
- A formal Protection Against Malware Policy.
- Centralised dashboards showing 100% of devices have active antivirus protection.
- Update logs proving signatures/definitions are current.
- Incident records showing how past malware alerts were investigated and resolved.
- Training records showing staff have completed malware awareness modules.
Yes, ISO 27001 is platform-agnostic. While Windows is historically more targeted, Annex A 8.7 requires you to assess the risk for all systems. If you determine that Macs or Linux servers have a lower risk, you must document this in your Risk Assessment, but completely excluding them from malware controls is often viewed as a major non-conformity by auditors in 2024.
Annex A 8.7 requires you to control software installation to prevent malware. This directly combats Shadow IT (unauthorised software). You must implement controls that restrict users from installing unapproved applications (by limiting administrative privileges or by allowlisting), as unapproved software is a common entry point for malware.
Annex A 8.7 focuses on active threats (viruses/malware), while A.8.8 focuses on system flaws (bugs).
- Control 8.7 (Malware): Stopping a virus from running on your laptop (e.g., Antivirus).
- Control 8.8 (Vulnerabilities): Fixing a bug in Windows that could let a virus in (e.g., Patching).
- Ideally: You need both. Patching (8.8) closes the doors; Antivirus (8.7) catches the burglars who sneak in.
Technically yes, but it is risky. Free versions often lack the centralised management and logging required for an audit. If an auditor asks, “Show me that all 50 laptops were updated yesterday,” and you have to check each laptop manually, you may fail the audit. Enterprise-grade tools with a central dashboard are strongly recommended for compliance.
Common examples for the protection against malware include:
- Anti-virus software
- Intrusion detection systems
- Intrusion prevention systems
- Host-based intrusion detection systems
- Network-based intrusion detection systems
- Log monitoring
When malware is identified there are several response controls and processes that you will need, including:
- Incident response plans
- Disaster recovery plans
- Business continuity plans
- Backups and backup recovery plans
No, protection against malware is not just about antivirus. Antivirus is a good, solid, basic control to have in place, but protection against malware goes further and includes education, communication and additional technical controls, as well as response plans and reporting.
There are a number of ways that you can get infected with malware, including:
- Opening infected emails
- Clicking links to infected sites
- Using infected external storage media devices
- Opening attachments in emails
- Visiting malicious websites
Some good examples of things you can do to protect your organisation from malware include:
- Educating employees about malware, how to avoid it and how to respond to it.
- Deploying antivirus and anti-malware software on all computers and devices.
- Keeping software up to date and having good patch management.
- Using a firewall and intrusion detection system.
- Implementing access control measures to restrict access to sensitive data.
- Having a backup plan in place in case of a malware attack.
Related ISO 27001 Controls
- ISO 27001 Annex A 6.3 Information Security Awareness Education and Training
Further Reading
- ISO 27001 Data Protection Policy Template
- ISO 27001 Security Awareness Training Policy Beginner’s Guide
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability | Protect | System and network security | Protection |
| Detective | Integrity | Detect | Information protection | Defence |
| Corrective | Confidentiality | | | |
About the author
Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.
He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.
In his personal life he is an active and a hobbyist kickboxer.
His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.