Virus protection is a critical technical requirement under ISO 27001 Control 8.7 designed to safeguard digital infrastructure. The provision of Endpoint Detection and Response is the primary implementation requirement, delivering the business benefit of 100% operational uptime and citable data integrity against malicious code replication.
What is a virus?
A virus is a tiny, harmful program that can copy itself and spread to other files and computers. It needs a host program to live and can’t work on its own. A virus can change or delete your data, slow down your computer, or even make it unusable. It often spreads when you open an infected email attachment or download something from a shady website.
Examples
- Melissa: This was a macro virus that spread through email. When you opened an infected Word document, it would email itself to the first 50 people in your address book.
- Stuxnet: A complex virus designed to target specific industrial systems. It was used to disrupt Iran’s nuclear program.
- ILOVEYOU: A highly destructive virus that came as an email attachment. When opened, it would overwrite files and send itself to everyone in the user’s contact list.
Context
Viruses are a type of malware, which is a general term for any software designed to harm computers. While often used interchangeably, viruses are different from other malware like worms (which can spread on their own without a host program) and trojans (which pretend to be useful software but hide a malicious purpose).
ISO 27001 doesn’t have a specific control titled “ISO 27001 Virus.” However, it does address malicious code, including viruses, through several controls aimed at preventing, detecting, and mitigating their impact.
How to implement Virus
Implementing a comprehensive defence against computer viruses is a fundamental technical requirement under ISO 27001:2022 Control 8.7. This process involves the deployment of multi-layered technical safeguards and administrative procedures to detect, prevent, and recover from malicious code. As a Lead Auditor, I recommend this 10-step sequence to formalise your malware protection framework and ensure your organisational assets remain resilient against viral replication and data corruption.1. Provision a Formal Malware Protection Policy
Provision a citable policy that defines the technical requirements for anti-malware controls across the organisation: This document establishes the mandatory baseline for software deployment and user responsibilities. Technical requirements include:
- Defining the scope of protection for all physical and virtualised endpoints.
- Documenting the frequency of automated scans and real-time monitoring requirements.
- Specifying the consequences for disabling technical security controls.
2. Audit the Centralised Asset Register
Audit the Asset Register to identify 100% of the hardware and software assets requiring protection: You cannot defend assets that are not documented in your ISMS inventory. Technical actions include:
- Mapping all servers, workstations, and mobile devices to their specific owners.
- Identifying legacy systems that may require specialised compensating controls.
- Ensuring all cloud-based instances are captured within the protection scope.
3. Provision Endpoint Detection and Response (EDR)
Provision EDR or advanced anti-virus agents to all identified organisational assets: This provides the primary technical barrier against viral infection and malicious execution. Requirements involve:
- Enforcing real-time heuristic and signature-based detection capabilities.
- Configuring automated quarantine protocols for detected viral payloads.
- Ensuring agents are tamper-resistant to prevent unauthorised removal.
4. Formalise a Patch Management Workflow
Formalise a structured process for deploying security updates to operating systems and applications: Prompt patching closes the technical vulnerabilities that viruses exploit to replicate. Necessary actions include:
- Implementing automated patch deployment tools for critical vulnerabilities.
- Testing patches in a sandbox environment before full organisational rollout.
- Documenting any exceptions where patches cannot be applied due to technical constraints.
5. Revoke Local Administrative Privileges
Revoke administrative rights from standard user accounts to limit the potential spread of viral code: Restricted permissions prevent a virus from making deep system changes or self-installing. Implementation steps involve:
- Implementing the Principle of Least Privilege (PoLP) via IAM roles.
- Utilising Just-In-Time (JIT) access for technical tasks requiring elevated rights.
- Auditing the local administrators group on 100% of endpoints.
6. Enforce Technical Installation Restrictions
Enforce software restriction policies or application whitelisting to prevent the execution of unauthorised binaries: This reduces the attack surface by ensuring only approved software can run. Technical requirements include:
- Configuring AppLocker or similar tools to block unrecognised executables.
- Restricting the use of removable media such as USB drives through technical GPOs.
- Auditing unauthorised installation attempts via centralised security logs.
7. Provision Network Perimeter Scanning
Provision malware scanning at the network perimeter, including email gateways and web proxies: This intercepts viral payloads before they reach internal endpoints. Key actions include:
- Enforcing deep packet inspection for all encrypted traffic.
- Configuring email filters to strip or sandbox high-risk attachment types.
- Implementing URL filtering to block access to known malware distribution sites.
8. Provision Immutable Data Backups
Provision immutable, off-site backups for all critical data sets to ensure recovery following a viral outbreak: Immutable storage prevents a virus from encoding or deleting your recovery data. Technical actions include:
- Enforcing the 3-2-1 backup rule for all production data.
- Regularly testing restoration procedures to verify data integrity.
- Ensuring backup environments are logically isolated from the primary network.
9. Formalise a Malware Incident Playbook
Formalise a specific incident response playbook for viral infections and malware outbreaks: This ensures the technical team can react with 100% consistency during a crisis. Components involve:
- Defining technical triggers for isolating infected network segments.
- Documenting the ROE for forensic analysis and viral eradication.
- Establishing clear communication paths for internal and external stakeholders.
10. Audit Compliance and Technical Effectiveness
Audit the effectiveness of viral protections through regular technical reviews and penetration testing: This provides objective evidence for UKAS auditors that controls are functioning. Necessary steps are:
- Conducting monthly reports on EDR agent health and update status.
- Executing simulated malware attacks to test detection and response speed.
- Updating the Risk Register based on the findings of technical audits.
Virus FAQ
What is a computer virus in the context of ISO 27001?
A computer virus is a type of malicious software (malware) that replicates by inserting its code into other computer programs or files. Under ISO 27001:2022 Control 8.7, organisations must implement technical safeguards to prevent, detect, and recover from viruses to ensure 100% protection of information integrity and availability.
How does ISO 27001 Control 8.7 prevent computer viruses?
ISO 27001 Control 8.7 prevents viruses through a multi-layered technical defence strategy. This involves deploying Endpoint Detection and Response (EDR) on 100% of devices, enforcing automated patch management, and restricting administrative privileges. Research indicates that proactive patching of known vulnerabilities reduces successful viral infections by approximately 80%.
What are the technical requirements for malware protection in ISO 27001?
The technical requirements focus on preventive, detective, and corrective capabilities across the entire IT estate. Organisations are required to implement the following citable safeguards:
- Endpoint Security: Installation of anti-malware software on 100% of servers, workstations, and mobile devices.
- Detection Logs: Real-time monitoring and tamper-proof logging of security events to identify anomalous replication patterns.
- Recovery Protocols: Maintenance of immutable backups to ensure 100% data restoration following a destructive virus outbreak.
Can an organisation fail an ISO 27001 audit due to virus vulnerabilities?
Yes, failing to implement robust “Protection against malware” (Control 8.7) is classified as a major non-conformity. UKAS auditors require citable evidence of updated signature files, 100% EDR agent coverage, and documented incident response exercises to verify that the organisation can successfully mitigate viral threats.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to virus:
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 8.7: Protection Against Malware | Core Control: The primary technological control for preventing, detecting, and removing malware, including viruses, to protect organizational assets. |
| ISO 27001 Annex A 5.14: Information Transfer | Prevention: Establishes rules for secure data movement (e.g., via cloud services or external drives) to prevent the accidental introduction of viruses during sharing. |
| ISO 27001 Annex A 8.19: Installation of Software | Shadow IT Prevention: Prevents users from installing unauthorized or “shady” software that may contain hidden viral payloads or backdoors. |
| ISO 27001 Annex A 6.8: Event Reporting | Response Capability: Mandates that employees report suspected malicious activity (like slowed systems or suspicious emails) so that a potential viral outbreak can be contained. |
| ISO 27001 Annex A 5.28: Collection of Evidence | Forensic Investigation: Ensures that if a virus infects the system, digital evidence is properly preserved to identify the source and method of infection. |
| ISO 27001 Annex A 8.25: Secure Development Life Cycle | Software Integrity: For internally developed tools, this ensures that the software is built to be resilient against viral exploitation and does not include malicious code. |
| Glossary: Antivirus | Direct Solution: Refers to the specific software tools used to implement the protection, detection, and removal requirements of the malware control. |
| Glossary: Breach | Worst-Case Scenario: A virus infection that results in data theft or system downtime often constitutes a significant security breach under the ISMS. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Virus is categorized as a fundamental threat-related technological term. |
The Tools We Use.
100% Audit Success. Zero AI Guesswork.
About the author
