
ISO 27001 Protection Against Malware and Antivirus Policy Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

Malware is malicious software created by cyber-criminals to harm or gain unauthorised access to computer systems, networks, or data. It includes viruses, worms, trojans, ransomware, spyware, adware, and botnets.

Malware allows cyber-criminals to cause damage, steal information, disrupt systems, or demand ransom payments. It is commonly spread through infected files, downloads, compromised websites, or social engineering.

Protecting against malware requires using antivirus software, staying updated, educating users, and practicing safe browsing habits.

What is it?

Think of an ISO 27001 Protection Against Malware and Antivirus Policy as your company’s rulebook for fighting off cyber nasties like viruses, worms, and ransomware. It’s a set of guidelines that tells everyone how to prevent, detect, and deal with malicious software to keep your systems and data safe. Following these rules helps you meet a key security standard called ISO 27001.

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • For Small Businesses: Even a small business can be a target! This policy helps you protect customer data and your financial information, which can be wiped out in an instant by a malware attack. It’s about building a strong defense from the start.
  • For Tech Startups: You’re innovating and handling lots of new tech. Your policy should focus on protecting your intellectual property and cloud-based services from threats. It makes sure your developers follow safe coding practices and that your new tools don’t introduce vulnerabilities.
  • For AI Companies: You’re dealing with vast amounts of sensitive data and complex algorithms. A strong policy is crucial to prevent malware from corrupting your data sets or compromising your AI models. It’s about keeping your research and customer trust secure.

ISO 27001 Malware and Antivirus Policy Template

The ISO 27001:2022 Protection Against Malware and Antivirus Policy Template is pre-written and ready to go. It is designed to save you over 8 hours of work.


Why You Need It

Having this policy isn’t just about following rules; it’s about protecting your business. It helps you:

  • Prevent attacks before they happen by setting clear rules for everyone.
  • Respond quickly when an attack does occur, so you can minimise the damage.
  • Protect your reputation and build trust with customers who know you take their security seriously.
  • Meet legal and contractual requirements, which is often a must-do for partnerships or working with certain clients.

When You Need It

You need this policy from the very beginning, especially if you handle any kind of sensitive information. You also need it when:

  • You’re aiming for ISO 27001 certification. It’s a key part of the process.
  • You’re expanding your business and adding more employees or new technology.
  • You’re audited by a client or a third party and they want to see your security controls.

Who Needs It?

This policy is for everyone in your company!

  • IT Staff use it to know which tools to install and how to manage them.
  • Employees learn what they can and can’t do with company devices, like not clicking suspicious links.
  • Managers use it to make sure the whole team is on the same page and following the rules.

Where You Need It

The policy applies everywhere your business data lives.

  • On all your company computers, laptops, and servers.
  • On mobile devices your employees use for work.
  • In your cloud services and software.
  • Anywhere your employees handle business data, whether they’re in the office or working from home.

How to Write It

Start with a template and then make it your own.

  1. Define the Scope: Figure out what devices and systems the policy covers.
  2. Set the Rules: State clear rules for using antivirus software, scanning for threats, and updating systems.
  3. Outline Responsibilities: Say who is responsible for what, from IT to every employee.
  4. Describe Procedures: Explain what to do if a virus is found.
  5. Review and Approve: Have a manager or a committee review and sign off on the policy.

Time needed: 1 hour and 30 minutes

ISO 27001 Protection Against Malware and Antivirus Policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version, as well as document mark-up such as document classification.

  2. Write the ISO 27001 Malware and Antivirus Policy Contents page

    1 Document Version Control
    2 Document Contents Page
    3 Protection Against Malware and Antivirus Policy
    3.1 Purpose
    3.2 Scope
    3.3 Principle
    3.4 Approved Software
    3.5 Malware and Antivirus Software
    3.6 Education
    3.7 System Configurations
    3.8 Email
    3.9 Internet Proxy/Secure Web Gateway Configuration
    3.10 File Integrity Checks
    3.11 Host Intrusion/Network Intrusion Detection
    4 Policy Compliance
    4.1 Compliance Measurement
    4.2 Exceptions
    4.3 Non-Compliance
    4.4 Continual Improvement
    5 Areas of the ISO 27001 Standard Addressed

  3. Write the ISO 27001 Malware and Antivirus Policy Purpose

    The purpose of the ISO 27001 Protection Against Malware policy is to ensure that the right controls are in place to protect organisations from malware, malicious software and viruses. It addresses threats, risks and incidents that impact the security of operations.

  4. Write the ISO 27001 Malware and Antivirus Policy Principle

    Company devices have adequate protection that safeguards company information from the risk of malware or viruses.

  5. Write the ISO 27001 Malware and Antivirus Policy Scope

    All employees and third-party users.
    All company devices.
    All devices used to access, process, transmit or store company information.
    Virtual devices where applicable and feasible.

  6. Describe the use of approved software

    Only company approved and licensed software is to be installed on company equipment.
    Unauthorised software, downloaded software, free software or utilities must not be used.

  7. State the approach to malware protection and antivirus software

    Malware and Antivirus Software must be installed on every device that can run it.
    Malware and Antivirus Software automatically updates signature-based definitions as they are released by the vendor.
    Malware and Antivirus Software cannot be modified or disabled by the end user.
    Malware and Antivirus Software produces an alert when an infection or suspected infection occurs.
    Suspected infections are managed via the incident management process.
    Malware and Antivirus Software is set to auto repair or quarantine suspect files.
    Malware and Antivirus Software is set to automatically scan storage and attached storage.
    Malware and Antivirus Software is set to automatically scan any file that is accessed, modified, or run.
    Malware and Antivirus Software is set to retain audit logs which are monitored.

  8. Define the role of education and training

    Users are educated periodically as part of the user training and awareness process on phishing, safe use of the internet, software usage and what to do in the event of a virus or malware infection.  

  9. Describe the approach to system configurations

    Systems are configured to remove unnecessary services, configurations, and ports as part of the infrastructure management process.

  10. Explain how email is handled

    Email servers must have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server.

  11. Define the configuration of internet proxies, secure web gateways

    Internet proxies/secure web gateways must be configured to use web reputation scoring to:
    • Block sites with very poor reputations
    • Allow sites with very good reputations
    • Scan all content for threats for sites with reputations between very poor and very good
    • Log all detections
    • Automatically check for virus definition updates
    The use of allow listing and deny listing should be deployed.

  12. Set out file integrity checks

    File integrity checks are implemented for all system critical files and any files that contain or access personal customer data.

  13. Describe host intrusion detections and network intrusion detection

    Host intrusion detection and network intrusion detection are in place for systems holding confidential, personal, customer and card holder information, as required based on business need, legal and regulatory compliance, and risk.
    Intrusion Detection Systems have up to date detection and prevention engines, patches and signature files and alert authorised personnel based on alerting rules.
    Intrusion alerts are managed via the incident management process.
    Intrusion Detection Systems have logging enabled and are in line with the Logging and Monitoring Policy.

How to Implement It

Writing the policy is just the first step!

  1. Communicate it: Share the policy with everyone. Don’t just email it; hold a meeting to explain why it’s important.
  2. Train your staff: Teach everyone how to spot phishing emails and what to do if they see something suspicious.
  3. Automate controls: Use software that automatically updates and scans devices.
  4. Test and review: Periodically test your defences and review the policy to make sure it’s still effective.

Examples of using it for small businesses

A small business policy might focus on simple, clear actions. For example, “Every employee must have antivirus software installed and running on their work computer.” It might also include a section on what to do if a computer starts acting weirdly.

Examples of using it for tech startups

For a tech startup, the policy will be more detailed about software development. It might require developers to use secure coding practices and to scan all code for vulnerabilities before it goes live.

Examples of using it for AI companies

An AI company’s policy would be focused on data integrity. It might specify that all data used for training AI models must be scanned for malware to ensure it isn’t corrupted. It would also cover the security of the servers where the AI models are stored.

How the ISO 27001 Toolkit Can Help

An ISO 27001 toolkit is a collection of documents and guides that make the whole process easier. It includes:

  • Policy templates you can easily customise.
  • Implementation guides that walk you through each step.
  • Checklists to make sure you haven’t missed anything.
  • Training materials you can use to educate your team.

Information Security Standards That Need It

This policy is essential for any standard that deals with protecting information. The most well-known is ISO 27001, which is all about setting up an Information Security Management System (ISMS). Other standards that need it include:

  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive) 
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology) 
  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)

Relevant ISO 27001:2022 Controls

The ISO 27001:2022 standard has specific controls that relate to protection against malware and antivirus:

ISO 27001 Protection Against Malware and Antivirus Policy Example

An example ISO 27001 Protection Against Malware and Antivirus Policy:

ISO 27001 Protection Against Malware and Antivirus Policy FAQ

What’s the difference between antivirus and anti-malware?

Antivirus primarily targets viruses, while anti-malware targets a broader range of threats, including adware and spyware.

How often should we update our antivirus software?

You should set it to update automatically, ideally every day or even every few hours.

Do we need to install antivirus on our phones?

Yes, if you use your phone for work, it’s a good idea to protect it with antivirus software.

What’s a phishing attack?

It’s a scam where attackers try to trick you into giving them your personal info by pretending to be a trustworthy company.

Should employees be allowed to install their own software?

Generally, no. It’s best to have a policy that only IT can install software to prevent accidental malware.

What’s a zero-day threat?

It’s a brand new threat that defenders haven’t seen before, so there is no signature or patch for it yet.

What do we do if we think we have a virus?

Disconnect your device from the internet and report it to your IT team immediately.

Can malware spread through a USB stick?

Yes, absolutely. That’s why you should scan all USB sticks before using them.

Should we use both a firewall and antivirus?

Yes, they work together. A firewall blocks unauthorised access, and antivirus fights off malicious software.

What’s ransomware?

It’s a type of malware that encrypts your files and holds them for ransom, demanding payment to unlock them.

Do we need a policy even if we use a managed service provider (MSP)?

Yes, your policy defines the rules, and your MSP helps you implement them.

Is it enough to have a free antivirus program?

For a business, it’s a good idea to invest in a paid, enterprise-level solution that offers more features and better support.

How do we know if our policy is working?

You can conduct regular security audits and vulnerability scans to test your defenses.

What’s the biggest threat to our company?

Often, it’s not the technology but the people. Human error, like clicking a bad link, is the leading cause of breaches.

How often should we review this policy?

You should review it at least once a year, or whenever you add new technology or change business processes.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start-up and early-stage businesses.