ISO 27001: 2022 A.8.7 Protection against malware

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.7 Protection against malware.

ISO 27001: 2022 Control Description

Protection against malware shall be implemented and supported by  appropriate user awareness.

Purpose

To safeguard information and associated assets from malware threats.

Guidance on implementation

Effective protection against malware requires a combination of detection and repair software, user awareness, and appropriate system access and change management controls. Relying solely on malware detection software is generally insufficient. The following steps should be considered:

1. Preventing Unauthorised Software:
   • Implement rules and controls to prevent or detect the use of unauthorised software, such as using allowlisting to specify permitted applications.
2. Blocking Malicious Websites:
   • Use controls like blocklisting to prevent or detect access to known or suspected malicious websites.
3. Reducing Vulnerabilities:
   • Manage technical vulnerabilities to minimise opportunities for malware to exploit system weaknesses.
4. Regular System Scans:
   • Automate regular scans of software and data on systems, particularly those critical to business operations. Investigate any unapproved files or unauthorised changes.
5. Securing External Files and Software:
   • Implement protective measures for files and software obtained from external networks or other media.
6. Updating and Scanning for Malware:
   • Regularly update and use malware detection and repair software to scan computers and electronic storage media. Key actions include:
     1. Scanning data received over networks or from electronic storage media before use.
     2. Scanning email attachments, instant messages, and downloads for malware before they are accessed.
     3. Scanning webpages for malware when accessed.
7. Strategic Placement of Malware Tools:
   • Place and configure malware detection and repair tools based on risk assessment, considering:
     1. Defence-in-depth principles to maximise effectiveness (e.g., placing tools at network gateways, on user devices, and on servers).
     2. Evasive techniques used by attackers, such as encrypted files or protocols.
8. Protecting During Maintenance:
   • Ensure maintenance and emergency procedures do not introduce malware, which could bypass standard controls.
9. Managing Exceptions:
   • Establish a process for authorising temporary or permanent disabling of malware protections, with documented justification, approval authority, and review dates. This may be necessary if malware protections disrupt normal operations.
10. Business Continuity Planning:
    • Develop and implement business continuity plans for recovering from malware attacks, including both online and offline backups.
11. Isolating Critical Environments:
    • Isolate environments where malware could have catastrophic consequences.
12. Defining Responsibilities:
    • Define clear procedures and responsibilities for dealing with malware protection, including training, reporting, and recovery processes.
13. User Awareness and Training:
    • Provide training to all users on identifying and mitigating malware risks, such as recognising infected emails, files, or programs.
14. Staying Informed:
    • Regularly collect and verify information about new malware threats from reputable sources, such as trusted websites or software suppliers.
15. Special Cases:
    • Recognise that some systems, like industrial control systems, may not support standard malware protection software. In such cases, if malware compromises the operating system or firmware, a full reinstallation may be necessary to restore security.

Other Information

It’s crucial to ensure that all procedures, particularly those involving exceptions, are thoroughly documented and approved. Regular updates to user training and awareness programmes will help maintain an effective defence against evolving malware threats.