ISO 27001 Annex A 8.7 Protection Against Malware

Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Protection Against Malware

I am going to show you what ISO 27001 Annex A 8.7 Protection Against Malware is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.

I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.

What is ISO 27001 Annex A 8.7?

ISO 27001 Annex A 8.7 Protection Against Malware is an ISO 27001 control that looks to make sure you understand malware in all its forms and take a holistic approach to protecting against it.


The purpose of ISO 27001 Annex A 8.7 Protection Against Malware is to ensure information and other associated assets are protected against malware.


The ISO 27001 standard defines ISO 27001 Annex A 8.7 as:

Protection against malware should be implemented and supported by appropriate user awareness.

ISO 27001:2022 Annex A 8.7 Protection Against Malware

Implementation Guide

With protection against malware we are looking a more holistic view than just having antivirus software. Of course antivirus software is a key component but that are a few other things that we need to consider.

Topic Specific Policy

You are going to either write or download a topic specific Protection Against Malware Policy.

For further guidance read: ISO 27001 Protection Against Malware Policy Ultimate Guide


As part of your information training you will implement training and awareness around malware. It will take the form of informing people of what it is, how to respond to it and general awareness on the ways that it can be introduced.

Antivirus Software

A top 3 all time cyber security recommendation. This is in the territory of a no brainer. I cannot think of a compelling reason not to have antivirus software installed and running.

Having antivirus software installed that automatically updates, automatically updates definition files, automatically scans and repairs and reports back should be in place.

Allowlisting Websites

Ideally access to potentially malicious or dangerous should be blocked or managed. The use of allowlisting should be considered and combined with both policy and training.


Additional tools that support the prevention of, and scanning for, malware in emails are to be considered and implemented where possible.

Business Continuity

Business continuity and the ability to recover from an event are an important part of the ISO 27001 standard and as fall back for a failure in this control. The usual rules on having a plan and testing the plan are in play here.

Threat Intelligence

With the introduction of ISO 27001 clause 5.7 threat intelligence having access to bulletins, news letters and sources of information on emerging malware threats should be incorporated into processes and risk planning so that you can have a process of continual improvement that will seek to mitigate those threats.

Technical vulnerability management

Solid technical vulnerability management is part of the standard and links to this control by removing services that are not needed, blocking those not needed that cannot be removed and having solid configuration and technical management practices in place.

ISO 27001 Templates

ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.


All the templates, tools, support and knowledge you need to do it yourself.

ISO 27001 Toolkit Business Edition

How to pass an audit of

Time needed: 1 day

How to comply with ISO 27001 Annex A 8.7

  1. Have a topic specific Protection Against Malware Policy

    You will implement a topic specific policy that sets out what you do for the protection against malware.

  2. Assess your threats for malware and perform a risk assessment

    For each asset type perform a risk assessment. Based on the risk assessment implement the appropriate controls to mitigate the risk.

  3. Implement technical controls for the prevention of malware

    Based on risk and business need implement the technical controls to protect from malware such as antivirus software, email security software, anti phishing technologies, firewalls, patch management. Ensure logging and monitoring is in place.

  4. Implement process controls for the prevention of malware

    Implement training and communication. Ensure there is a program of awareness and education. Implement appropriate response plans that includes incident response, back up and recovery, disaster recovery.

  5. Keep records

    For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.

  6. Test the controls that you have to make sure they are working

    Perform internal audits that include the testing of the controls to ensure that they are working.

Top 3 Mistakes People Make

The top 3 mistakes people make for ISO 27001 Annex A 8.7 are

1. Weak or no antivirus

A common mistake is having weak or no anti malware solution in place. There may be occasions where this is not possible and that is ok. You mange it with compensating controls and via risk management, but where it is possible it should be installed, operating and up to date.

2. You rely only on antivirus

Another common mistake for this control is only relying on antivirus or anti malware technology. The control is specific about the support via education and user awareness. Be sure to incorporate education and awareness into your plans and consider the other guidance provided above.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.


What is ISO 27001 Annex A 8.7?

ISO 27001 Annex A 8.7 is an ISO 27001 control that requires you to implement measures to protect against malware. This includes malware prevention, detection, and response.

Who is responsible for ISO 27001 Annex A 8.7?

IT is responsible to ISO 27001 Annex A 8.7

Who owns ISO 27001 Annex A 8.7?

Ownership of ISO 27001 Annex A 8.7 lies with the Head of IT

Who is accountable for ISO 27001 Annex A 8.7 ?

Accountability for ISO 27001 Annex A 8.7 lies with senior management and leadership.

What are example of common technical malware prevention controls?

Common examples for the protection against malware include:
Anti-virus software
Intrusion detection systems
Intrusion prevention systems
Host-based intrusion detection systems
Network-based intrusion detection systems
Log monitoring

What response controls are used in malware prevention?

When malware is identified there are several response controls and processes that you will need including:
Incident response plans
Disaster recovery plans
Business continuity plans
Backups and backup recovery plans

Is protection against malware just antivirus?

No protection against malware is not just about antivirus. Antivirus is a good, solid, basic control to have in place but the protection against malware goes further and includes education, communication and additional technical controls as well as response plans and reporting.

How can I get infected with malware?

There are a number of ways that you can get infected with malware including:
Opening infected emails
Clicking links to infected sites
Using infected external storage media devices
Opening attachments in emails
Visiting malicious websites

What protection can my organisation put in place to prevent malware?

Some good examples of things you can do to protect your organisation from malware include:
Educating employees about malware, how to avoid it and how to respond to it.
Deploying antivirus and anti-malware software on all computers and devices.
Keeping software up to date and having good patch management.
Using a firewall and intrusion detection system.
Implementing access control measures to restrict access to sensitive data.
Having a backup plan in place in case of a malware attack.

How hard is it to implement ISO 27001 Annex A 8.7?

It is not hard to implement ISO 27001 Annex A 8.7 protection against malware. This is a basic first line of defence.

How much will it cost to implement ISO 27001 Annex A 8.7?

The costs associated with implementing ISO 27001 Annex A 8.7 are not significant. The tools are readily accessible and the processes are well documented.

Do I need to implement ISO 27001 Annex A 8.7 Protection Against Malware?


ISO 27001 Controls and Attribute Values

Control typeInformation
security properties
Security domains
PreventiveAvailabilityProtectSystem and network SecurityProtection