ISO 27001 Protection Against Malware Policy: Ultimate Guide


Introduction

In this article we’ll explore the ISO 27001 Protection Against Malware Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.

We’ll get to grips with what malware is, understand why organisations need a Protection Against Malware Policy, show you how to write one, and let you in on a trade secret that’ll save you hours of time and effort, simply by using this Protection Against Malware Policy Template.

I am Stuart Barker: founder of High Table, Information Security expert and ISO 27001 Ninja, and this is the ISO 27001 Protection Against Malware Policy.

What is malware?

Malware is malicious software created by cyber-criminals to harm or gain unauthorised access to computer systems, networks, or data. It includes viruses, worms, trojans, ransomware, spyware, adware, and botnets.

Malware allows cyber-criminals to cause damage, steal information, disrupt systems, or demand ransom payments. It is commonly spread through infected files, downloads, compromised websites, or social engineering.

Protecting against malware requires using antivirus software, staying updated, educating users, and practicing safe browsing habits.

What is the Protection Against Malware Policy?

The ISO 27001 Protection Against Malware Policy is a set of guidelines that organisations follow to protect their computer systems and data from malicious software.

ISO 27001 Protection Against Malware Policy Template

The ISO 27001 Protection Against Malware Policy Template is pre written and ready to go. It is designed to save you over 8 hours of work. ISO 27001 templates are an absolute time and life saver.


What is the purpose of the ISO 27001 Protection Against Malware Policy?

The purpose of the ISO 27001 Protection Against Malware policy is to ensure that the right controls are in place to protect organisations from malware, malicious software and viruses. It addresses threats, risks and incidents that impact the security of operations.

What is the ISO 27001 Protection Against Malware Principle?

To ensure information and other associated assets are protected against malware.

Why does an organisation need the ISO 27001 Protection Against Malware Policy?

Malware is one of the biggest threats to business continuity and information security in the digital age. Organisations face a constant stream of attacks that aim to compromise confidential systems and data, extract valuable information and money, deceive unsuspecting staff, and demand substantial ransoms for encrypted data.

To ensure the security of information assets, organisations must prioritise robust protection against malware. Incorporating effective preventive measures is crucial to defend against malicious software.

ISO 27001:2022 Annex A 8.7 provides guidance on educating staff about the dangers of malicious software and implementing proactive measures to mitigate both internal and external threats. By adhering to these guidelines, organisations can minimise disruptions and prevent data loss.

How to implement effective ISO 27001 malware protection

Have a topic specific policy

A topic specific policy for protection against malware is a requirement of the standard as well as best practice. It will set out the guidelines for the organisation and your approach. You can save hours of time and effort, simply by using this Protection Against Malware Policy Template or you can write it yourself. If you just love doing things the hard way then keep reading for How to write a Protection Against Malware Policy.

Install antivirus software

Antivirus software is one of the top three essentials of cyber security and defence. Whether it is a dedicated off-the-shelf package or built into your operating system, you want anti-malware on every device that processes, stores or transmits data, wherever that is possible. It is not enough to have it installed: it needs to be running, with real-time protection enabled, and it needs to be up to date with the latest definition files. Devices that cannot run it (for example some embedded or legacy systems) need a recorded exception and a compensating control.

Prevent staff installing unapproved software

Staff downloading and installing software they should not is a major route for ransomware and viruses to enter your organisation. Where practical, use a combination of controls: the policy itself, training and awareness, and technical controls that prevent unapproved software from being installed, such as removing local administrator rights and application allow-listing.

Patch your IT equipment

Another of the top three essentials for cyber security and defence. Vendors update software regularly to address bugs and security flaws. It is imperative that you keep systems up to date with the latest patches, because known, unpatched flaws are low-hanging fruit for attackers and are often exploited by malware to gain an initial foothold or to spread.

Control external storage media

There are few occasions now where we need to plug in USB sticks or external media, but it does happen. Be sure to have controls in place covering what can and cannot be connected, and how these devices are handled, scanned and managed before their contents are used.

Turn on your firewall

Either at the organisation perimeter or locally on each host, the firewall is a barrier between you and the outside world. Very much like the front door of a house, it is designed to keep the wrong people out. You will have policy and controls for firewalls so as not to leave that front door wide open.

The 4 aspects of ISO 27001:2022 Annex A 8.7 Compliance

Annex A 8.7 requires organisations to implement malware protection that focuses on:

  1. Controlled systems and account access
  2. Change management
  3. Anti-malware software
  4. Organisational information security awareness

What should ISO 27001 Protection Against Malware Policy Contain?

The ISO 27001 Protection Against Malware Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document markup is just a fancy term for having certain information on the policy. It will need version control, a version number, an owner and an information security classification. An example ISO 27001 Protection Against Malware Policy table of contents would look something like this:

1 Document Version Control
2 Document Contents Page
3 Protection Against Malware Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Approved Software
3.5 Malware and Antivirus Software
3.6 Education
3.7 System Configurations
3.8 Email
3.9 Internet Proxy/Secure Web Gateway Configuration
3.10 File Integrity Checks
3.11 Host Intrusion/ Network Intrusion Detection
4 Policy Compliance
4.1 Compliance Measurement
4.2 Exceptions
4.3 Non-Compliance
4.4 Continual Improvement
5 Areas of the ISO 27001 Standard Addressed

How to write a Protection Against Malware Policy

When writing a Protection Against Malware Policy from scratch, consider the following:

  1. Policy statement and objectives: State the purpose and objectives of the policy, detailing the organisation’s commitment to safeguarding information assets from malware threats and defining the desired outcomes.
  2. Scope and applicability: Define the policy’s scope, including the systems, devices, networks, and information assets it covers. Specify its applicability to all individuals, including employees, contractors, and third parties, who deal with the organisation’s information assets.
  3. Roles and responsibilities: Outline the roles and responsibilities of the staff involved in implementing and managing the protection against malware measures. This covers IT administrators, security teams, end-users, and any other stakeholders.
  4. Risk assessment and management: Conduct a comprehensive risk assessment to identify potential malware threats, vulnerabilities, and the impact they may have on information assets. Weigh up the likelihood and potential consequences of malware infections, and develop risk management strategies, including preventive measures and incident response procedures.
  5. Preventive measures: Define the preventive measures to be implemented, such as deploying and regularly updating antivirus software, firewalls, intrusion detection systems, and secure configurations. Address areas like software updates, patch management, secure software installation policies, and network segmentation to minimise the risk of malware infections.
  6. Detection and monitoring: Outline the procedures for detecting and monitoring malware incidents, including regular scanning, log monitoring, anomaly detection, and leveraging threat intelligence feeds. State the frequency and scope of monitoring activities.
  7. Incident response and recovery: Specify the procedures for responding to malware incidents, including incident reporting, analysis, containment, eradication, and recovery processes. Define the roles and responsibilities of incident response team members and establish effective communication channels during incidents.
  8. User awareness and training: Stress the significance of user awareness and training programs in educating employees and stakeholders about malware risks and safe computing practices. Clarify the topics to be covered, such as recognising phishing emails, avoiding suspicious websites, and promptly reporting incidents.
  9. Auditing and compliance: Describe the procedures for monitoring and auditing to assess the effectiveness of protection against malware controls. Set up processes for conducting regular audits, vulnerability assessments, and compliance checks. Identify the responsible parties and arrange an audit schedule.
  10. Policy communication and review: Explain how the policy will be communicated to employees, contractors, and other stakeholders. Outline the methods for policy distribution, training, and ensuring comprehension of the policy’s contents. Implement a review process to regularly assess the policy’s effectiveness and make necessary updates.

If all of this sounds like a lot of effort just to write one ISO 27001 policy, save hours of your time by following this Protection Against Malware Policy template.

ISO 27001 Protection Against Malware Policy Example

You can view this free ISO 27001 Protection Against Malware Policy PDF with an extract below:


What are the benefits of the ISO 27001 Protection Against Malware Policy?

Other than your ISO 27001 certification requiring it, the following are benefits of having the ISO 27001 Protection Against Malware Policy:

  1. Improved security: Your systems are defended against known malware, reducing the likelihood and impact of an attack (anti-malware does not remove vulnerabilities; that is what patching is for, which is why the policy covers both)
  2. Reduced risk: Having up-to-date anti-malware protection reduces the risk of infection and exploitation
  3. Improved compliance: Standards and regulations require you to have the basics of protection against malware in place
  4. Reputation protection: In the event of a breach, being able to show effective malware protection reduces the potential for fines and reduces the PR impact of the event

Who is responsible for the ISO 27001 Protection Against Malware Policy?

Antivirus management and the protection against malware is the responsibility of the IT team and specifically of the IT infrastructure teams.

What are examples of a violation of ISO 27001 Protection Against Malware Policy?

Examples of where the policy can fail or violations of the protection against malware policy can include:

  1. Not having antivirus protection: Not having antivirus software installed, running and up to date can lead to malicious software and viruses infecting your machines leading to data breaches.
  2. Not communicating and educating: Not communicating and educating people can lead to them not knowing what is expected of them and acting in a way that introduces malware through no direct fault of their own.
  3. Not managing exceptions: There may be systems that cannot have anti-malware installed, and these require a recorded exception, special management and compensating controls.

What are the consequences of violating the ISO 27001 Protection Against Malware Policy?

Not having antivirus or malware protection can have severe consequences. It is one of the simplest and most effective protections against cyber attack. The consequences of going without it include legal and regulatory fines and/or enforcement, loss of data, loss of revenue and, in the most extreme cases, risk to life and closure of your organisation. The time and effort needed to respond to and recover from a malware infection is significant.

How do you monitor the effectiveness of the ISO 27001 Protection Against Malware Policy?

The approaches to monitoring the effectiveness of malware protection include:

  1. Reporting on the status of devices and antivirus levels
  2. Internal audit of the protection against malware process
  3. External audit of the protection against malware process
  4. Review of system logs and alerts for anomalies in operation
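The first item above, reporting on the status of devices and their anti-malware levels, and the "Install antivirus software" guidance earlier on the page both come down to the same check: for every device, is anti-malware installed, running and current, and if not, is there an approved exception with a compensating control? The following is an added example, not code from the article or the policy template, that applies those tests to an endpoint inventory and produces the non-compliance report an auditor would ask for. The inventory records, their field names and the three-day definition-age threshold are assumptions for the example, not any vendor's schema or a requirement of the standard.

```python
"""Added example: anti-malware compliance report over an endpoint inventory.

The records stand in for an export from an endpoint management or EDR
console; the field names are assumptions for this example.  The policy
tests applied are the ones the article lists: engine installed, engine
running, definitions current, and any device that cannot run an engine
covered by an approved exception that names a compensating control.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_DEFINITION_AGE_DAYS = 3  # policy threshold; assumed for the example


@dataclass
class Endpoint:
    hostname: str
    av_installed: bool
    av_running: bool
    definitions_date: Optional[date]       # None when no engine is installed
    exception_ref: Optional[str] = None    # approved exception reference, if any
    compensating_control: Optional[str] = None


def assess(ep: Endpoint, today: date) -> list:
    """Return the policy findings for one endpoint (an empty list means compliant)."""
    findings = []
    if not ep.av_installed:
        # A device without an engine is compliant only when a recorded exception
        # names the compensating control that covers it.
        if ep.exception_ref and ep.compensating_control:
            return []
        if ep.exception_ref:
            findings.append("exception approved but no compensating control recorded")
        else:
            findings.append("anti-malware not installed and no approved exception")
        return findings
    if not ep.av_running:
        findings.append("anti-malware installed but not running")
    if ep.definitions_date is None:
        findings.append("definition date unknown")
    elif today - ep.definitions_date > timedelta(days=MAX_DEFINITION_AGE_DAYS):
        age = (today - ep.definitions_date).days
        findings.append(f"definitions {age} days old (limit {MAX_DEFINITION_AGE_DAYS})")
    return findings


def compliance_report(endpoints, today: date):
    """Return (findings by hostname for non-compliant devices, summary counts)."""
    report = {}
    for ep in endpoints:
        findings = assess(ep, today)
        if findings:
            report[ep.hostname] = findings
    summary = {"total": len(endpoints), "non_compliant": len(report)}
    return report, summary


# Constructed sample inventory, not real devices.
TODAY = date(2024, 6, 10)
SAMPLE = [
    Endpoint("lap-001", True, True, date(2024, 6, 9)),
    Endpoint("lap-002", True, False, date(2024, 6, 9)),
    Endpoint("lap-003", True, True, date(2024, 5, 20)),
    Endpoint("srv-plc", False, False, None, exception_ref="EXC-17",
             compensating_control="isolated network segment, removable media disabled"),
    Endpoint("srv-old", False, False, None, exception_ref="EXC-18"),
    Endpoint("lap-004", False, False, None),
]

if __name__ == "__main__":
    report, summary = compliance_report(SAMPLE, TODAY)
    print(summary)
    for host, findings in report.items():
        print(f"{host}: {'; '.join(findings)}")
```

Two points about the design are worth carrying into a real implementation: a device missing from the inventory altogether never appears in this report, so the inventory itself has to be reconciled against asset records or the network, and the exception check deliberately treats "exception approved but no compensating control" as a finding, because an exception that only waives the control is exactly the gap the article warns about under "Not managing exceptions".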

ISO 27001 and the ISO 27001 Protection Against Malware Policy

The ISO 27001 Protection Against Malware Policy directly addresses ISO 27001:2022 Annex A 8.7 Protection Against Malware. Because the controls described on this page overlap with neighbouring technology controls, the same policy and its evidence typically also support Annex A 8.8 Management of Technical Vulnerabilities (patching), Annex A 8.19 Installation of Software on Operational Systems (approved software), Annex A 8.20 Network Security (firewalls), Annex A 8.23 Web Filtering (internet proxy / secure web gateway configuration) and Annex A 5.7 Threat Intelligence (threat intelligence feeds used for detection).