ISO 27001:2022 A.8.23 Web filtering

This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.8.23 Web filtering.

ISO 27001:2022 Control Description

Access to external websites shall be managed to reduce exposure to malicious content.

Purpose

To protect systems from malware and prevent access to unauthorised or harmful websites.

Guidance on implementation

To reduce the risk of exposure to malicious content, the organisation should manage and control access to external websites. This involves blocking access to sites that could compromise security, such as those known to distribute viruses or engage in phishing activities.

Key Steps:

  1. Identify Risky Websites:
    • Determine which types of websites personnel should or should not access.
    • Consider blocking access to:
      • Sites that allow information uploads unless needed for business purposes.
      • Known or suspected malicious sites, including those distributing malware or phishing content.
      • Command and control servers.
      • Websites flagged by threat intelligence as dangerous.
      • Sites sharing illegal content.
  2. Implement Blocking Measures:
    • Use techniques such as blocking the IP address or domain of risky websites.
    • Some browsers and anti-malware tools can automatically block these sites or be configured to do so.
  3. Establish Rules for Online Use:
    • Create clear rules for safe and appropriate use of the internet, including restrictions on undesirable or inappropriate websites and web-based applications.
    • Keep these rules up to date.
  4. Provide Training:
    • Train personnel on the secure and appropriate use of online resources, including how to follow the organisation’s rules and what to do if they encounter a security issue.
    • Ensure staff understand not to bypass browser warnings that indicate a website is not secure.
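As an added example (not code from this article or from any particular filtering product), the following Python policy evaluator shows the blocking measures described in the key steps: a domain blocklist that also catches subdomains, an IP-address blocklist expressed as networks, a threat-intelligence category list, and the "upload sites unless needed for business" rule. Every domain, network and category below is a constructed sample value, and the evaluator fails closed on URLs it cannot parse.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy (hypothetical values, not real indicators).
BLOCKED_DOMAINS = {"malware-drop.example", "phish.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Domains flagged by a hypothetical threat-intelligence feed, with their category.
THREAT_CATEGORIES = {"c2.example": "command-and-control", "bad-cdn.example": "malware"}
UPLOAD_SITES = {"paste.example"}            # upload sites blocked unless approved
BUSINESS_APPROVED = {"files.corp.example"}  # upload destinations approved for business


def _domain_matches(host, listed):
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def evaluate(url):
    """Return (verdict, reason) for a URL under the constructed policy."""
    host = urlsplit(url).hostname or ""
    if not host:
        # No usable host: fail closed rather than let an unparseable URL through.
        return ("block", "no host in URL; fail closed")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Literal IP addresses bypass DNS-based checks, so test them against networks.
        if any(ip in net for net in BLOCKED_NETWORKS):
            return ("block", f"IP {ip} in blocked network")
        return ("allow", "IP not on blocklist")
    if _domain_matches(host, BLOCKED_DOMAINS):
        return ("block", "domain on blocklist")
    for flagged, category in THREAT_CATEGORIES.items():
        if _domain_matches(host, {flagged}):
            return ("block", f"threat intel category: {category}")
    if _domain_matches(host, UPLOAD_SITES) and not _domain_matches(host, BUSINESS_APPROVED):
        return ("block", "upload site not approved for business use")
    return ("allow", "no policy match")
```

The verdict and reason are what a proxy or browser policy would log for each request, which is the evidence an auditor looks for when checking that the control operates.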

Additional Information

Web filtering can be done using various techniques, such as:

  • Signature-based detection.
  • Heuristic analysis.
  • Lists of allowed or blocked websites or domains.
  • Custom configurations to prevent malicious software and activities from affecting the organisation’s network and systems.