In this guide, I will show you exactly how to implement ISO 27001 Annex A 8.23 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 8.23 Web Filtering
ISO 27001 Annex A 8.23 requires organizations to manage and restrict access to external websites to reduce exposure to malicious content. While often associated with productivity (e.g., blocking social media), the primary goal of this control in ISO 27001 is malware prevention, stopping users from accidentally visiting sites that host viruses, phishing scams, or illegal content.
Core requirements for compliance include:
- Define the Rules: You must have a clear policy on “Acceptable Use” that defines what sites are off-limits (e.g., Gambling, Adult Content, Hacking Forums, File Sharing).
- Technical Implementation: You cannot just “ask” users to be careful. You must implement technical controls such as DNS filtering, Firewall rules, or browser plugins to actively block access to known bad categories.
- The “Exception” Process: Security cannot block business. You need a documented process for users to request access to a blocked site if they have a legitimate business reason (e.g., a Marketing Manager needing access to Facebook).
- Communication: Users must be informed why filtering is in place. If they hit a block page, it should clearly state that the site was blocked for security reasons, not just to annoy them.
Audit Focus: Auditors will look for the “Safety Net”:
- Evidence of Blocking: They might ask you to demonstrate what happens if a user tries to visit a known malicious URL (e.g., a test site).
- The Exception Log: “Show me the ticket where the HR team requested access to a blocked recruitment site.”
- No “Blanket” Blocks: They check that you aren’t over-blocking to the point of hindering business operations (availability).
Web Filtering Strategies (Risk vs. Usability):
| Strategy | Description | ISO 27001 Verdict |
|---|---|---|
| Allow Listing (Whitelist) | Block everything except specific approved sites. | High Security, Low Usability (Best for Servers/Kiosks). |
| Block Listing (Blacklist) | Allow everything except known bad sites (e.g., Malware, Pornography). | Balanced (Best for General Staff). |
| Category Filtering | Blocking entire genres (e.g., “File Sharing,” “Gambling”). | Standard Practice for most businesses. |
| No Filtering | Relying solely on user training. | Weak (Likely a Non-Conformity for high-risk data). |
Table of contents
- Key Takeaways: ISO 27001 Annex A 8.23 Web Filtering
- What is ISO 27001 Annex A 8.23?
- ISO 27001 Annex A 8.23 Explainer Video
- ISO 27001 Annex A 8.23 Podcast
- ISO 27001 Annex A 8.23 Implementation Guidance
- How to implement ISO 27001 Annex A 8.23
- What will an auditor check?
- Applicability of ISO 27001 Annex A 8.23 across different business models.
- Fast Track ISO 27001 Annex A 8.23 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 8.23 FAQ
- Related ISO 27001 Controls
- Further Reading
What is ISO 27001 Annex A 8.23?
ISO 27001 Annex A 8.23 is about web filtering, which means that you need to implement allow listing of websites to prevent people from accessing websites that can cause harm or break the law.
ISO 27001 Annex A 8.23 Web Filtering is an ISO 27001 control that requires us to manage access to external websites so that we can reduce the exposure we have to malicious and dangerous content.
ISO 27001 Annex A 8.23 Purpose
ISO 27001 Annex A 8.23 is a preventive control to protect systems from being compromised by malware and to prevent access to unauthorised web resources.
ISO 27001 Annex A 8.23 Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.23 as:
Access to external websites should be managed to reduce exposure to malicious content.
ISO27001:2022 Annex A 8.23 Web Filtering
ISO 27001 Annex A 8.23 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 8.23 Web Filtering, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 8.23 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 8.23 Web Filtering. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 8.23 Implementation Guidance
Establish Rules
To implement this control you should first establish what you want people to be able to do and access. Put time into establishing rules for the use of online resources (the acceptable use) and work out what is undesirable or inappropriate.
Communicate and Train
Once you know what your rules are and what you do and do not want people to be able to do, communicate this and provide training. As always, the communication should include how to raise a concern.
Exception Process
If you do put restrictions in place then it is important to have an exception process. This is a process that people can follow to gain access to things that are otherwise restricted, and it provides a documented audit trail of the approval and the actions taken. Often the access granted is time limited.
Web Filtering Techniques
When it comes to web filtering techniques there are many things that will factor into this ranging from the risk that you have, to the skills and technology that you have and are comfortable with. Most small businesses don’t want to restrict and it can be quite a difficult thing to do if people use their own devices.
When implementing, consider the web filtering techniques that are built into software you already have, such as antivirus and the browser technology you have deployed. Consider the capabilities of your firewalls. Off-the-shelf filtering tools are also an option. Choose what is right for you.
Deciding what to filter
As mentioned already, this is going to be based on risk and business need. Most web filtering solutions provide categories that can be turned on, which makes the job easier. These categories are straightforward and easy to understand. The areas that would be considered for restriction are:
- Illegal content
- Command and control servers
- Malicious websites
- Sites with the ability to upload information
The following are further considerations from the standard to be considered.
Access to networks and services
For this we consider what can and should be accessed and then have appropriate policy and process in place around that access.
ISO 27001 Annex A 5.15 Access Control
ISO 27001 Annex A 5.18 Access Rights
Authentication
The requirements on authentication for accessing services should be set.
ISO 27001 Annex A 5.17 Authentication Information
Authorisation
Procedures that determine who is allowed to access networks and services are to be put in place.
ISO 27001 Annex A 5.15 Access Control
Technical Controls
The network management and technical controls as well as the processes to access connections and services will be in place.
ISO 27001 Annex A 8.20 Network Security
Access Types
How access is carried out such as physical network, wireless network, VPN will be determined.
Monitoring and Logging
Recording the time, location and other appropriate logging attributes of users that access networks and services will be in place.
ISO 27001 Annex A 8.16 Monitoring Activities
Security Features
The security features of networks will be identified, implemented and documented. Consider here things like encryption, connection controls, caching and restrictive access. Firewalls, private networks and intrusion detection are also to be considered.
Network Security Professional
All in all, you should work with a network security professional to work out the best solution for you and your needs. Your requirement is to identify, document, implement, monitor and review it.
How to implement ISO 27001 Annex A 8.23
Implementing effective web filtering is essential for mitigating the risk of malware infections and preventing unauthorised access to malicious websites. By following these technical steps, your organisation can align with ISO 27001 Annex A 8.23 requirements and establish a proactive defence against web-based threats.
1. Formalise a Web Filtering Policy and Acceptable Use Policy (AUP)
- Develop a formal policy that defines the categories of websites to be restricted, such as known malware hosts, phishing domains, and high-risk content.
- Establish clear exceptions for specific business roles that require broader access, ensuring these are documented and reviewed regularly.
- Result: A legally and operationally sound framework that sets clear expectations for employee browsing behaviour.
2. Provision a Secure Web Gateway (SWG) or DNS Filter
- Deploy a cloud-based or on-premises Secure Web Gateway (SWG) to perform real-time URL categorisation and traffic inspection.
- Implement DNS-level filtering to block malicious requests at the resolution stage, providing an additional layer of protection for remote and mobile devices.
- Result: Automatic blocking of known threats before they can establish a connection with the internal network.
3. Enforce TLS Inspection and Decryption Standards
- Configure the filtering solution to decrypt and inspect HTTPS traffic to identify hidden malware and data exfiltration attempts.
- Establish a bypass list for sensitive traffic, such as banking or healthcare sites, to maintain user privacy and comply with data protection regulations.
- Result: Visibility into encrypted traffic, which currently accounts for the vast majority of web-delivered threats.
4. Restrict Administrative Access via Granular IAM Roles
- Apply the Principle of Least Privilege by assigning specific Identity and Access Management (IAM) roles to administrators managing filtering rules.
- Mandate Multi-Factor Authentication (MFA) for all changes to the web filtering configuration to prevent unauthorised policy modifications.
- Result: Protection against insider threats or account compromises that could lead to the bypass of critical security controls.
5. Execute Regular Rule Updates and Threat Intelligence Feeds
- Automate the synchronisation of threat intelligence feeds to ensure the filtering engine is updated with the latest malicious domains and IP addresses.
- Conduct periodic reviews of blocked categories to ensure they remain aligned with the organisation’s evolving risk profile and business needs.
- Result: A dynamic defence system that remains effective against rapidly changing web-based attack vectors.
6. Implement Monitoring, Logging, and Incident Response
- Integrate web filtering logs with a Security Information and Event Management (SIEM) system to detect patterns of attempted access to malicious sites.
- Establish a formal incident response procedure for “High-Risk Block” events, including automated alerts for security personnel.
- Result: Enhanced situational awareness and the ability to investigate potential infections before they escalate into major breaches.
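The six steps above, together with the filtering categories listed under “Deciding what to filter”, describe one decision path: categorise the requested host, apply the chosen strategy (category block list for staff, allow list for kiosks and servers), decide whether the gateway may decrypt the session, and emit a log event that a SIEM can alert on. The following Python is an added illustration of that path, not code from the article or from any filtering product. The category table stands in for a vendor or threat-intelligence feed, and every hostname, category name and user in it is constructed sample data.

```python
"""Web filtering policy evaluator (added example; not the article's or any vendor's code).

Models the decision a DNS filter or Secure Web Gateway makes for one request:
1. categorise the host (constructed table standing in for a categorisation / threat feed),
2. apply the strategy: 'category' block list for staff, 'allow' list for kiosks/servers,
3. decide whether HTTPS may be decrypted (bypass list for banking/healthcare),
4. emit a SIEM-style log line and flag a "High-Risk Block" for malware/phishing/C2 hits.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for a URL-categorisation / threat-intelligence feed.
CATEGORY_FEED = {
    "malware-dropper.example": "malware",
    "login-verify.example": "phishing",
    "beacon-c2.example": "command_and_control",
    "casino.example": "gambling",
    "share-files.example": "file_sharing",
    "mybank.example": "banking",
    "clinic-portal.example": "healthcare",
    "intranet.example": "business",
    "docs.example": "business",
}

HIGH_RISK = {"malware", "phishing", "command_and_control"}   # always blocked, always alerted
AUP_BLOCKED = {"gambling", "file_sharing", "illegal"}         # policy choice from the AUP
TLS_BYPASS = {"banking", "healthcare"}                         # never decrypt these sessions
KIOSK_ALLOW = {"intranet.example", "docs.example"}             # allow list for servers/kiosks


@dataclass
class Decision:
    user: str
    host: str
    category: str
    action: str        # "allow" or "block"
    reason: str
    decrypt: bool      # may the gateway inspect the HTTPS payload?
    high_risk: bool    # True => raise a "High-Risk Block" alert


def categorise(host: str) -> str:
    """Look up the normalised host; unknown hosts are 'uncategorised'."""
    return CATEGORY_FEED.get(host.lower().rstrip("."), "uncategorised")


def evaluate(user: str, host: str, strategy: str = "category") -> Decision:
    """strategy 'category' = block list for general staff; 'allow' = allow list for kiosks."""
    host = host.lower().rstrip(".")
    category = categorise(host)
    high_risk = category in HIGH_RISK
    if strategy == "allow":
        if host in KIOSK_ALLOW and not high_risk:
            action, reason = "allow", "on allow-list"
        else:
            action, reason = "block", "not on allow-list"
    elif high_risk:
        action, reason = "block", f"high-risk category {category}"
    elif category in AUP_BLOCKED:
        action, reason = "block", f"AUP restricted category {category}"
    else:
        action, reason = "allow", "permitted"
    return Decision(user, host, category, action, reason,
                    decrypt=category not in TLS_BYPASS,
                    high_risk=high_risk and action == "block")


def log_line(d: Decision) -> str:
    """key=value event for the SIEM; the alert tag appears only on high-risk blocks."""
    alert = " alert=HIGH_RISK_BLOCK" if d.high_risk else ""
    return (f"user={d.user} host={d.host} category={d.category} action={d.action} "
            f"decrypt={str(d.decrypt).lower()} reason='{d.reason}'{alert}")


def repeat_offenders(decisions, threshold: int = 2) -> dict:
    """Detection over the log: users with >= threshold high-risk blocks (possible infection)."""
    counts = Counter(d.user for d in decisions if d.high_risk)
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    ("alice", "docs.example"),
    ("alice", "mybank.example"),
    ("bob", "casino.example"),
    ("carol", "malware-dropper.example"),
    ("carol", "beacon-c2.example"),
    ("dave", "login-verify.example"),
]


def run_sample():
    """Evaluate the sample traffic, print the SIEM lines and return the decisions."""
    decisions = [evaluate(u, h) for u, h in SAMPLE_REQUESTS]
    for d in decisions:
        print(log_line(d))
    return decisions


if __name__ == "__main__":
    print("repeat high-risk offenders:", repeat_offenders(run_sample()))
```

The bank request is allowed but marked `decrypt=false`, which is the bypass list from step 3 in action; the two high-risk blocks for the same user are what the step 6 SIEM rule is meant to surface, since repeated contact attempts to malware or command-and-control hosts from one device usually mean the first block came too late and an infection should be investigated.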
What will an auditor check?
The audit is going to check a number of areas. Let's go through the main ones.
1. That you have documentation
What this means is that you need to show that you have documented your web filtering implementation and processes and put in place an exception step as required.
2. That you have implemented Web Filtering appropriately
They will look at systems to seek evidence that it is implemented appropriately. They will want to see evidence of the controls that are in place and that they are operating. Allow lists or deny lists will be expected to be in place and evidenced.
3. That you have conducted internal audits
The audit will want to see that you have tested the controls and evidenced that they are operating. This is usually in the form of the required internal audits. They will check the records and outputs of those internal audits.
Applicability of ISO 27001 Annex A 8.23 across different business models.
| Business Type | Applicability and Examples of Control Implementation |
|---|---|
| Small Businesses | Focuses on using simple, automated tools to block high-risk categories (e.g., gambling, adult content) that often host malware. The goal is “set and forget” protection for general staff. |
| Tech Startups | Requires a balanced approach. While blocking malware is critical, developers often need access to obscure forums or code repositories. An efficient “Exception Process” is key here. |
| AI Companies | Critical for preventing data exfiltration. Filtering is used to stop employees from uploading sensitive training data to unauthorized public AI tools or cloud storage. |
Fast Track ISO 27001 Annex A 8.23 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 8.23 (Web filtering), the requirement is to manage access to external websites to reduce exposure to malicious content. This is achieved through a combination of policy rules (what is allowed) and technical settings (blocking the bad stuff).
| Compliance Factor | SaaS Monitoring Platforms | High Table ISO 27001 Toolkit | Real-World Example |
|---|---|---|---|
| Data Ownership & Continuity | Acts as a gatekeeper to your rules. Stopping payments often means losing access to your “Acceptable Use” and “Web Filtering” definitions. | Permanent Ownership: You receive the “Acceptable Use Policy” and “Web Filtering Guidelines” in Word/Excel formats that are yours forever. | Retaining permanent control over which sites are blocked and how exceptions are handled without a vendor holding the data hostage. |
| Simplicity & Workflow | Complicates compliance with complex dashboards and pie charts of blocked ads, which are unnecessary for the audit. | Rules, Not Dashboards: Formalises existing technical measures (like DNS filtering) into a clear policy template that auditors respect. | Validating that your Cisco Umbrella or OpenDNS configuration meets ISO standards using a simple written policy. |
| Cost Structure | Often charges per user for “monitoring” or “protection,” adding recurring fees for a control often handled by free tools. | One-Off Fee: A single payment covers the documentation suite, keeping your budget focused on technical defense, not paperwork. | Documenting web filtering for 500 employees without paying a monthly “per-seat” compliance fee. |
| Freedom & Tech Agnostic | Forces “one-size-fits-all” monitoring approaches or specific integrations that may clash with your preferred browser or firewall. | Use Any Filter: Fully adaptable to your tech stack, whether you use Microsoft Defender, a corporate VPN, or simple router settings. | Defining a policy that balances security and productivity (e.g., blocking malware but allowing social media) based on your culture. |
Own Your ISMS, Don’t Rent It
Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit
Summary: For Annex A 8.23, the auditor wants to see that you have a policy for safe browsing and that you enforce it. The High Table ISO 27001 Toolkit provides the governance framework to document this immediately. It validates your existing security measures with professional documentation, allowing you to satisfy the requirement without the complexity of an ongoing subscription.
ISO 27001 Annex A 8.23 FAQ
What is the purpose of ISO 27001 Annex A 8.23 Web Filtering?
The primary purpose of ISO 27001 Annex A 8.23 is to prevent systems from being compromised by malware and to stop users from accessing illegal or malicious web resources. Unlike productivity monitoring, the main goal of this control is security—reducing the attack surface by preventing access to sites that host phishing scams, viruses, or unapproved file-sharing services.
- Malware Prevention: Blocks access to known malicious domains.
- Data Protection: Prevents upload of data to unauthorized cloud storage.
- Compliance: Reduces legal liability by blocking illegal content.
Is web filtering mandatory for ISO 27001 compliance?
Yes, managing access to external websites is a required control to reduce exposure to malicious content. While the standard does not mandate specific software, you must demonstrate that you have technical measures and policies in place to control which websites users can access on your network.
- Policy: You must have a documented Acceptable Use Policy.
- Enforcement: You must use technical tools (firewalls, DNS filters) to enforce rules.
- Evidence: You must provide logs showing that restrictions are active.
Does ISO 27001 require blocking social media sites?
No, ISO 27001 does not explicitly require blocking social media or news sites unless they pose a specific security risk to your organization. The decision to block productivity-related categories is a business choice, whereas blocking malicious categories (like hacking forums or malware sites) is a security necessity.
- Risk Assessment: Blocking should be based on your specific risk appetite.
- Business Needs: Marketing teams often require social media access.
- Focus: Prioritize blocking “High Risk” categories over “Productivity” categories.
What are the best web filtering strategies for this control?
The most effective strategies are Category Filtering and Block Listing, as they balance security with usability. Auditors typically look for a layered approach that stops threats without preventing legitimate work.
- Category Filtering: Blocking entire groups of sites (e.g., “Adult,” “Gambling,” “P2P”).
- Block Listing (Blacklisting): Specifically denying access to known malicious URLs.
- Allow Listing (Whitelisting): Blocking everything except approved sites (High security, but high maintenance).
How should legitimate requests for blocked sites be handled?
You must implement a formal Exception Management Process that allows staff to request access to blocked sites for valid business reasons. This ensures that security controls do not hinder business operations and provides an audit trail of approved exceptions.
- Submission: User submits a ticket explaining the business need.
- Review: Security team scans the site for actual threats.
- Approval: Access is granted temporarily or permanently if safe.
- Logging: The approval is documented for the auditor.
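The four steps above, and the time-limited access described earlier under “Exception Process”, are easiest to reason about as a small state machine: a ticket moves from submitted to approved or rejected, an approval carries an expiry, and every transition is appended to a trail the auditor can read. The Python below is an added illustration of that process, not code from the article or from any ticketing product; the ticket numbering, users, hosts and timestamps are constructed, and the review step simply records the analyst's verdict rather than scanning anything.

```python
"""Exception register for web filtering blocks (added example; not the article's or any vendor's code).

Lifecycle: submitted -> approved (time-limited or permanent) | rejected; approved -> expired.
Every transition is appended to the ticket's audit trail for the auditor.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time and units used by the sample walk-through.
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


@dataclass
class ExceptionRequest:
    ticket_id: str
    requester: str
    host: str
    business_reason: str
    status: str = "submitted"
    reviewer: Optional[str] = None
    review_note: str = ""
    expires_at: Optional[datetime] = None
    audit: list = field(default_factory=list)   # chronological trail shown to the auditor


class ExceptionRegister:
    def __init__(self):
        self._tickets = {}
        self._seq = 0

    @staticmethod
    def _record(req: ExceptionRequest, now: datetime, event: str) -> None:
        req.audit.append(f"{now.isoformat()} {event}")

    def submit(self, requester: str, host: str, business_reason: str, now: datetime) -> ExceptionRequest:
        """Step 1: the user raises a ticket stating the business need."""
        self._seq += 1
        req = ExceptionRequest(f"EXC-{self._seq:04d}", requester, host.lower(), business_reason)
        self._record(req, now, f"submitted by {requester}: {business_reason}")
        self._tickets[req.ticket_id] = req
        return req

    def review(self, ticket_id: str, reviewer: str, safe: bool, now: datetime,
               duration: Optional[timedelta] = None, note: str = "") -> ExceptionRequest:
        """Steps 2-3: the security team records its verdict; approval is time-limited when a duration is given."""
        req = self._tickets[ticket_id]
        if req.status != "submitted":
            raise ValueError(f"{ticket_id} already {req.status}")
        req.reviewer, req.review_note = reviewer, note
        if not safe:
            req.status = "rejected"
            self._record(req, now, f"rejected by {reviewer}: {note}")
        else:
            req.status = "approved"
            req.expires_at = now + duration if duration else None
            until = req.expires_at.isoformat() if req.expires_at else "permanent"
            self._record(req, now, f"approved by {reviewer} until {until}: {note}")
        return req

    def is_allowed(self, requester: str, host: str, now: datetime) -> bool:
        """Called by the filter when it would block: a live approval for this user and host lifts the block."""
        for req in self._tickets.values():
            if req.requester == requester and req.host == host.lower() and req.status == "approved":
                if req.expires_at is not None and now >= req.expires_at:
                    req.status = "expired"
                    self._record(req, now, "expired")   # step 4: expiry is logged too
                    continue
                return True
        return False

    def audit_trail(self, ticket_id: str) -> list:
        return list(self._tickets[ticket_id].audit)


def run_sample():
    """Walk one approved, time-limited ticket and one rejected ticket through the process."""
    reg = ExceptionRegister()
    hr = reg.submit("hr_lead", "recruit-board.example", "posting vacancies on a blocked recruitment site", T0)
    reg.review(hr.ticket_id, "sec_analyst", safe=True, now=T0 + HOUR,
               duration=30 * DAY, note="URL reviewed, no malicious content found")
    dev = reg.submit("dev_intern", "share-files.example", "download a build artefact", T0)
    reg.review(dev.ticket_id, "sec_analyst", safe=False, now=T0 + 2 * HOUR,
               note="file-sharing host flagged by threat feed")
    return reg, hr, dev


if __name__ == "__main__":
    register, approved, rejected = run_sample()
    for ticket in (approved, rejected):
        print(ticket.ticket_id, ticket.status)
        for line in register.audit_trail(ticket.ticket_id):
            print("  ", line)
```

The `audit_trail` output for a ticket is exactly the artefact the auditor's question in the Key Takeaways (“Show me the ticket where the HR team requested access to a blocked recruitment site”) is asking for: who asked, why, who approved, for how long, and when it lapsed.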
What evidence will an auditor ask for regarding web filtering?
Auditors will request your Acceptable Use Policy, configuration screenshots of your filtering tools, and logs showing blocked attempts. They want to see proof that the rules defined in your policy are actually implemented in your technology.
- Policy Document: clearly defining prohibited website categories.
- System Configs: Screenshots of DNS or Firewall rules.
- Incident Logs: Reports showing the system successfully blocked a user.
- Exception Records: Documentation of authorized bypasses.
Related ISO 27001 Controls
ISO 27001 Annex A 8.21 Security of Network Services
ISO 27001 Annex A 8.22 Segregation of Networks
ISO 27001 Annex A 8.5 Secure Authentication
