What is a virus?
A virus is a tiny, harmful program that can copy itself and spread to other files and computers. It needs a host program to live and can’t work on its own. A virus can change or delete your data, slow down your computer, or even make it unusable. It often spreads when you open an infected email attachment or download something from a shady website.
Examples
- Melissa: This was a macro virus that spread through email. When you opened an infected Word document, it would email itself to the first 50 people in your address book.
- Stuxnet: A complex virus designed to target specific industrial systems. It was used to disrupt Iran’s nuclear program.
- ILOVEYOU: A highly destructive virus that came as an email attachment. When opened, it would overwrite files and send itself to everyone in the user’s contact list.
Context
Viruses are a type of malware, which is a general term for any software designed to harm computers. While often used interchangeably, viruses are different from other malware like worms (which can spread on their own without a host program) and trojans (which pretend to be useful software but hide a malicious purpose).
ISO 27001 doesn’t have a specific control titled “ISO 27001 Virus.” However, it does address malicious code, including viruses, through several controls aimed at preventing, detecting, and mitigating their impact.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to virus:
- ISO 27001 Annex A 8.7 Protection Against Malware: This is the main control for preventing, detecting, and removing malware.
- ISO 27001:2022 Annex A 5.14 Information Transfer: This control helps ensure that information is not transferred in a way that could introduce viruses. For example, it covers how you can use external drives or cloud services.
- ISO 27001:2022 Annex A 5.28 Collection Of Evidence: If a system is infected, this control helps ensure that evidence is collected properly for further investigation.
- ISO 27001 Annex A 6.8: Information Security Event Reporting: Employees must be able to report any suspected malicious code activity so that the incident can be handled quickly.
- ISO 27001:2022 Annex A 8.19: Installation of Software on Operational Systems: This helps stop people from putting unauthorised software (which could be a virus) on company computers.
- ISO 27001:2022 Annex A 8.25: Secure Development Life Cycle: If you create your own software, this control helps make sure it is designed securely so it won’t introduce vulnerabilities that viruses could exploit.