ISO 27001 Protection Against Malware
I am going to show you what ISO 27001 Annex A 8.7 Protection Against Malware is, what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it.
I show you exactly what changed in the ISO 27001:2022 update and exactly what you need to do for ISO 27001 certification.
Table of contents
What is ISO 27001 Annex A 8.7?
ISO 27001 Annex A 8.7 Protection Against Malware is an ISO 27001 control that looks to make sure you understand malware in all its forms and take a holistic approach to protecting against it.
Purpose
The purpose of ISO 27001 Annex A 8.7 Protection Against Malware is to ensure information and other associated assets are protected against malware.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.7 as:
Protection against malware should be implemented and supported by appropriate user awareness.
ISO 27001:2022 Annex A 8.7 Protection Against Malware
Implementation Guide
With protection against malware we are looking a more holistic view than just having antivirus software. Of course antivirus software is a key component but that are a few other things that we need to consider.
Topic Specific Policy
You are going to either write or download a topic specific Protection Against Malware Policy.
For further guidance read: ISO 27001 Protection Against Malware Policy Ultimate Guide
Education
As part of your information training you will implement training and awareness around malware. It will take the form of informing people of what it is, how to respond to it and general awareness on the ways that it can be introduced.
Antivirus Software
A top 3 all time cyber security recommendation. This is in the territory of a no brainer. I cannot think of a compelling reason not to have antivirus software installed and running.
Having antivirus software installed that automatically updates, automatically updates definition files, automatically scans and repairs and reports back should be in place.
Allowlisting Websites
Ideally access to potentially malicious or dangerous should be blocked or managed. The use of allowlisting should be considered and combined with both policy and training.
Additional tools that support the prevention of, and scanning for, malware in emails are to be considered and implemented where possible.
Business Continuity
Business continuity and the ability to recover from an event are an important part of the ISO 27001 standard and as fall back for a failure in this control. The usual rules on having a plan and testing the plan are in play here.
Threat Intelligence
With the introduction of ISO 27001 clause 5.7 threat intelligence having access to bulletins, news letters and sources of information on emerging malware threats should be incorporated into processes and risk planning so that you can have a process of continual improvement that will seek to mitigate those threats.
Technical vulnerability management
Solid technical vulnerability management is part of the standard and links to this control by removing services that are not needed, blocking those not needed that cannot be removed and having solid configuration and technical management practices in place.
ISO 27001 Templates
ISO 27001 templates have the advantage of being a massive boost that can save time and money so before we get into the implementation guide we consider these pre written templates that will sky rocket your implementation. This ISO 27001 Toolkit has been specifically designed so you can DIY your ISO 27001 certification, build your ISMS in a week and be ISO 27001 certification ready in 30 days.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
How to pass an audit of
Time needed: 1 day
How to comply with ISO 27001 Annex A 8.7
- Have a topic specific Protection Against Malware Policy
You will implement a topic specific policy that sets out what you do for the protection against malware.
- Assess your threats for malware and perform a risk assessment
For each asset type perform a risk assessment. Based on the risk assessment implement the appropriate controls to mitigate the risk.
- Implement technical controls for the prevention of malware
Based on risk and business need implement the technical controls to protect from malware such as antivirus software, email security software, anti phishing technologies, firewalls, patch management. Ensure logging and monitoring is in place.
- Implement process controls for the prevention of malware
Implement training and communication. Ensure there is a program of awareness and education. Implement appropriate response plans that includes incident response, back up and recovery, disaster recovery.
- Keep records
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
- Test the controls that you have to make sure they are working
Perform internal audits that include the testing of the controls to ensure that they are working.
Top 3 Mistakes People Make
The top 3 mistakes people make for ISO 27001 Annex A 8.7 are
1. Weak or no antivirus
A common mistake is having weak or no anti malware solution in place. There may be occasions where this is not possible and that is ok. You mange it with compensating controls and via risk management, but where it is possible it should be installed, operating and up to date.
2. You rely only on antivirus
Another common mistake for this control is only relying on antivirus or anti malware technology. The control is specific about the support via education and user awareness. Be sure to incorporate education and awareness into your plans and consider the other guidance provided above.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.
FAQ
ISO 27001 Annex A 8.7 is an ISO 27001 control that requires you to implement measures to protect against malware. This includes malware prevention, detection, and response.
IT is responsible to ISO 27001 Annex A 8.7
Ownership of ISO 27001 Annex A 8.7 lies with the Head of IT
Accountability for ISO 27001 Annex A 8.7 lies with senior management and leadership.
Common examples for the protection against malware include:
Anti-virus software
Intrusion detection systems
Intrusion prevention systems
Host-based intrusion detection systems
Network-based intrusion detection systems
Log monitoring
When malware is identified there are several response controls and processes that you will need including:
Incident response plans
Disaster recovery plans
Business continuity plans
Backups and backup recovery plans
No protection against malware is not just about antivirus. Antivirus is a good, solid, basic control to have in place but the protection against malware goes further and includes education, communication and additional technical controls as well as response plans and reporting.
There are a number of ways that you can get infected with malware including:
Opening infected emails
Clicking links to infected sites
Using infected external storage media devices
Opening attachments in emails
Visiting malicious websites
Some good examples of things you can do to protect your organisation from malware include:
Educating employees about malware, how to avoid it and how to respond to it.
Deploying antivirus and anti-malware software on all computers and devices.
Keeping software up to date and having good patch management.
Using a firewall and intrusion detection system.
Implementing access control measures to restrict access to sensitive data.
Having a backup plan in place in case of a malware attack.
It is not hard to implement ISO 27001 Annex A 8.7 protection against malware. This is a basic first line of defence.
The costs associated with implementing ISO 27001 Annex A 8.7 are not significant. The tools are readily accessible and the processes are well documented.
Yes.
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability | Protect | System and network Security | Protection |
| Detective | Integrity | Detect | Information_Protection | Defence |
| Corrective | Confidentiality |