ISO 27001 Control 8.23: Web Filtering

How to Let People Use the Web Without Letting the Web Use You

ISO 27001 Control 8.23 – Web filtering – is about managing how your people and systems reach the internet, so that a useful tool doesn’t become an easy attack path.

Left completely open, web access brings malware, phishing, data leaks, shadow IT, and a lot of time on sites that have nothing to do with work. Control 8.23 expects you to intentionally restrict and monitor access to external websites based on business need and risk, not just hope that antivirus and user common sense are enough.

This guide explains what ISO 27001 Control 8.23 is really asking for, and how to build a practical web filtering approach that protects your organisation without stopping people getting their jobs done.


What ISO 27001 Control 8.23 Actually Requires

In plain language, ISO 27001 Control 8.23 – Web filtering expects you to:

  • Decide who and what should be able to access the web, and for which purposes.
  • Implement technical controls to block or restrict access to risky, malicious, or inappropriate sites.
  • Configure browsers and endpoints so users can’t easily bypass protections.
  • Define a policy and process for acceptable web use and exceptions.
  • Monitor usage and improve controls over time based on real activity and emerging threats.

The goal is to reduce exposure to web-borne threats and misuse, while still allowing legitimate business use of online services.


Step 1 – Understand Your Web Exposure and Objectives

Before you start blocking things, you need a clear picture of:

  • Who uses the web
    – Office staff, remote workers, contractors, frontline workers, kiosk users.
    – Service accounts or automated tools that call web APIs.
  • From where
    – On-premise corporate networks.
    – Home and remote connections via VPN or zero-trust access.
    – Mobile devices and laptops used on public Wi-Fi.
  • For what
    – Business applications (SaaS, web portals, collaboration tools).
    – Research and general browsing.
    – Admin access to cloud platforms and infrastructure.

Then clarify what you’re trying to achieve with web filtering:

  • Reduce malware and phishing risk.
  • Prevent access to clearly inappropriate or illegal content.
  • Limit data exfiltration via webmail, file-sharing and paste sites.
  • Control bandwidth-heavy or distracting sites where that matters.

This context will drive how strict you need to be to meet ISO 27001 Control 8.23 without crippling productivity.


Step 2 – Define a Clear Web Access and Acceptable Use Policy

The technical controls only work well if they’re backed by clear rules.

Your web access / acceptable use policy should cover:

  • What’s generally allowed
    – Business-related browsing, use of approved cloud services, research within reason.
  • What’s disallowed by default
    – Known malicious or suspicious sites.
    – Illegal content and clearly inappropriate categories.
    – Personal file-sharing sites, unapproved webmail, anonymous proxies, Tor, and VPNs used purely to bypass controls.
  • Use of work devices for personal browsing
    – Whether limited personal use is permitted, and within what boundaries.
  • Requests for access
    – How someone can request access to a blocked site for legitimate business purposes.
    – Who reviews and approves these requests, and how long exceptions last.
  • User responsibilities
    – Not trying to bypass controls.
    – Reporting suspicious websites, pop-ups or unexpected redirects.
    – Respecting copyright and regulatory obligations.

For ISO 27001 Control 8.23, this policy becomes your “why” – the filter configuration is the “how”.


Step 3 – Choose the Right Web Filtering Technologies

Next, you need to decide which technical approach (or combination) is right for your environment. Common options include:

  • DNS filtering
    – Blocks access to bad domains at the DNS level.
    – Lightweight, good as a baseline control for all devices, including remote.
  • Secure web gateways / proxies
    – Route web traffic through a central point where it can be inspected and filtered.
    – Often cloud-based now, so they work for both on-prem and remote users.
  • Next-generation firewalls (NGFW)
    – Provide URL and category filtering at the perimeter.
    – Useful where most traffic still passes through central gateways.
  • Endpoint agents
    – Enforce web filtering on the device itself (handy for roaming users).
    – Can complement DNS or cloud filtering.

Whichever mix you choose, for ISO 27001 Control 8.23 you should be able to show:

  • How filtering is applied consistently (office and remote).
  • How policies are managed and updated.
  • How you handle SSL/TLS inspection (if used) and the privacy issues that come with it.


Step 4 – Block or Restrict High-Risk Websites and Functions

The control expects you to be deliberate about blocking obviously risky content and behaviours.

Typical measures:

  • Malicious and suspicious sites
    – Use threat-intelligence feeds to block known malware, phishing, and command-and-control domains.
    – Automatically update block lists through your chosen filtering service.
  • Upload and data-leak channels
    – Restrict access to personal file-sharing and unapproved cloud storage services.
    – Limit or monitor webmail access from corporate devices where appropriate.
    – Pay particular attention to paste sites, temporary file-sharing, and similar services.
  • Illegal and inappropriate content
    – Block categories such as adult content, hate content, piracy, and other clearly non-business areas.
  • Bandwidth-heavy and distracting sites (where justified)
    – Optionally restrict streaming, gaming and social media where they are not needed for business.
    – Or throttle rather than fully block, depending on your culture and risk appetite.

The exact rules will vary, but for ISO 27001 Control 8.23 you need to show that high-risk content is not freely available from corporate systems.


Step 5 – Harden Browsers and Endpoint Settings

Modern browsers already include useful protections – you just need to make sure they’re switched on and centrally managed.

Key configurations:

  • Safe browsing features
    – Enable built-in malicious site and download protection.
    – Disable the ability for users to ignore or bypass security warnings where possible.
  • HTTPS and certificates
    – Prefer or enforce HTTPS-only browsing where tools allow.
    – Warn or block on certificate errors and invalid HTTPS.
  • Downloads and plugins
    – Limit downloads of executables and other high-risk file types from untrusted sites.
    – Disable or restrict legacy plugins and scripting features that increase risk.
  • Managed settings
    – Use group policy, MDM or equivalent to enforce browser settings.
    – Prevent users from changing security-critical configuration.

This gives ISO 27001 Control 8.23 a second line of defence: even if a risky site is reached, the browser itself doesn’t make it easy to get compromised.


Step 6 – Define a Sensible Exception Process

Sometimes, people genuinely need access to something that your web filter quite reasonably blocks.

Rather than relaxing controls for everyone, ISO 27001 Control 8.23 expects you to manage these as controlled exceptions:

  • Request and justification
    – A simple form or ticket where the requester explains why access is needed, for which site(s), and for how long.
  • Risk-based review
    – Security or IT reviews the request, checks the site’s risk profile, and considers alternatives (e.g. read-only access, use from a sandbox).
  • Time-bound access
    – Approvals should be temporary where possible, with automatic expiry.
  • Logging
    – Keep records of who requested what, when it was approved, and by whom.

This lets you keep web filtering tight for everyone, while still enabling legitimate business needs transparently.
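
The default-deny categories from Step 4 and the time-bound, logged exception process from Step 6 can be expressed as one small policy engine. The following is an added example, not code from the original guide or any filtering product; the category labels, the 30-day cap and the per-user, per-domain scope of exceptions are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Default-deny categories from Step 4; the labels are constructed for this example.
BLOCKED_CATEGORIES = {"malware", "phishing", "command-and-control", "anonymiser",
                      "personal-file-sharing", "paste-site", "adult", "piracy"}
# Categories no approver may open: an exception request for these is refused outright.
NON_EXCEPTIONABLE = {"malware", "phishing", "command-and-control"}
MAX_EXCEPTION_DAYS = 30  # assumed policy cap; longer requests are clamped to it
@dataclass(frozen=True)
class AccessException:
    user: str
    domain: str
    approved_by: str
    approved_at: datetime
    expires_at: datetime  # every exception is time-bound

def grant_exception(user, domain, category, approver, days, now):
    """Record an approved, time-bound exception; refuses non-exceptionable categories."""
    if category in NON_EXCEPTIONABLE:
        raise ValueError(f"{category} sites cannot be excepted")
    days = min(days, MAX_EXCEPTION_DAYS)
    return AccessException(user, domain, approver, now, now + timedelta(days=days))

def decide(user, domain, category, exceptions, now):
    """Return (allowed, reason, audit_record) for one web request at time `now`."""
    audit = {"ts": now.isoformat(), "user": user, "domain": domain, "category": category}
    if category not in BLOCKED_CATEGORIES:
        return True, "category-allowed", audit
    for ex in exceptions:  # exceptions are per user and per domain (subdomains included)
        if ex.user == user and (domain == ex.domain or domain.endswith("." + ex.domain)):
            audit.update(approved_by=ex.approved_by, expires_at=ex.expires_at.isoformat())
            if now >= ex.expires_at:
                return False, "exception-expired", audit  # auto-expiry, no manual revocation
            return True, "exception-active", audit
    return False, "blocked-category", audit

def demo():
    """Walk one request through approval, active use, and expiry (constructed scenario)."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ex = grant_exception("alice", "share.example", "personal-file-sharing", "secops", 90, t0)
    active = decide("alice", "files.share.example", "personal-file-sharing", [ex], t0 + timedelta(days=1))
    expired = decide("alice", "share.example", "personal-file-sharing", [ex], t0 + timedelta(days=31))
    try:
        grant_exception("alice", "login.example", "phishing", "secops", 1, t0)
        refused = False
    except ValueError:
        refused = True
    return {"days": (ex.expires_at - t0).days, "active": active[1],
            "expired": expired[1], "phishing_refused": refused}
```

The audit record returned by decide() is what you would write to the exception log, so the "who, what, when, by whom" evidence for an auditor falls out of the decision itself.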


Step 7 – Monitor Usage and Look for Bypass Attempts

Web filtering is not a “set and forget” control. ISO 27001 Control 8.23 expects you to monitor and refine it.

You should:

  • Review logs and reports
    – Regularly review blocked and allowed traffic reports.
    – Look for repeated attempts to reach dangerous or inappropriate categories.
  • Detect evasion
    – Watch for use of unauthorised VPNs, anonymisers, or unusual ports and protocols.
    – Treat attempts to circumvent filtering as potential policy violations or security incidents, not just “clever workarounds”.
  • Feed into incident response
    – If you see repeated access to phishing pages, malware downloads, or command-and-control domains, raise and investigate incidents.
  • Tune policies
    – Use what you see to refine category rules, allow/deny lists and alert thresholds.

This is the “continuous improvement” piece that turns ISO 27001 Control 8.23 into a living control rather than a static configuration.
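
The review-and-detect loop in Step 7, as an added example that is not from the original guide: it parses constructed proxy-filter log lines (the field layout and category labels are assumptions, not any vendor's format) and flags users with repeated blocked high-risk requests, anonymiser/VPN category hits, and allowed traffic on non-standard web ports.

```python
import re
from collections import Counter
# Constructed proxy/DNS-filter log lines for this example (not from any real product).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice dst=crm.example dport=443 category=business action=ALLOW
2024-05-01T09:01:10Z user=bob dst=paste.example dport=443 category=paste-site action=BLOCK
2024-05-01T09:02:30Z user=bob dst=share.example dport=443 category=personal-file-sharing action=BLOCK
2024-05-01T09:03:05Z user=bob dst=drop.example dport=443 category=personal-file-sharing action=BLOCK
2024-05-01T09:04:00Z user=carol dst=login-portal.example dport=443 category=phishing action=BLOCK
2024-05-01T09:05:12Z user=bob dst=relay.example dport=8443 category=anonymiser action=BLOCK
2024-05-01T09:06:00Z user=dave dst=198.51.100.7 dport=4444 category=uncategorised action=ALLOW
this line is malformed and must be skipped, not crash the review
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"category=(?P<cat>\S+) action=(?P<action>ALLOW|BLOCK)$"
)
# Category labels are constructed; map them onto your filtering product's own names.
HIGH_RISK = {"malware", "phishing", "command-and-control", "paste-site", "personal-file-sharing"}
EVASION = {"anonymiser", "vpn", "tor"}
STANDARD_WEB_PORTS = {80, 443}

def parse(log):
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events

def repeat_offenders(events, threshold=3):
    """Users with at least `threshold` blocked requests to high-risk categories."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "BLOCK" and e["cat"] in HIGH_RISK)
    return {user for user, n in counts.items() if n >= threshold}

def evasion_signals(events):
    """Anonymiser/VPN/Tor category hits, plus allowed traffic on non-standard web ports."""
    signals = []
    for e in events:
        if e["cat"] in EVASION:
            signals.append((e["user"], "anonymiser-or-vpn", e["dst"]))
        elif e["action"] == "ALLOW" and e["dport"] not in STANDARD_WEB_PORTS:
            signals.append((e["user"], "non-standard-port", f'{e["dst"]}:{e["dport"]}'))
    return signals
```

A single blocked phishing or command-and-control hit (carol above) is worth an incident ticket on its own, whereas the repeat and evasion signals are what you tune thresholds and category rules against.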


Step 8 – Train People on Safe Web Use and What the Filter Is Doing

Web filtering works best when users understand why it exists and how they should behave online.

Include in your awareness training:

  • Recognising risky sites and phishing pages
    – Suspicious URLs, unexpected pop-ups, requests for passwords or payment details.
  • Browser warnings and block pages
    – Why they should not ignore warnings, and what to do when they see a blocked page.
  • Reporting
    – How to report a suspicious site or email quickly.
    – How to request access to blocked content for genuine business reasons.
  • Safe use of public and home Wi-Fi
    – Encouraging VPN or secure access methods, and avoiding sensitive work on open networks where possible.

This makes ISO 27001 Control 8.23 feel less like an arbitrary restriction and more like part of a shared effort to keep the organisation safe.


Quick Implementation Checklist for ISO 27001 Control 8.23

Use this to review your current position:

  • ISO 27001 Control 8.23 (Web filtering) is covered in your information security / acceptable use policies.
  • You have identified who uses the web, from where, and for what, and defined objectives for web filtering.
  • A web access / acceptable use policy exists and is communicated to staff.
  • Technical web filtering is implemented (DNS filtering, secure web gateway, firewall URL filtering, or endpoint agents).
  • High-risk websites and categories (malware, phishing, illegal/inappropriate content, data-leak channels) are blocked or tightly controlled.
  • Browsers and endpoints are hardened with managed security settings and restricted downloads.
  • There is a documented, risk-based exception process for business-justified access to blocked sites.
  • Web activity is logged and monitored, with alerts for suspicious or bypass attempts.
  • Web filtering rules and block lists are regularly reviewed and updated based on threat intelligence and local experience.
  • Staff receive training and awareness on safe web use and web filtering expectations.


Bringing It All Together

ISO 27001 Control 8.23 – Web filtering – is about accepting that the web is both essential and dangerous, and treating it accordingly.

If you:

  • Set clear rules for what’s acceptable,
  • Use appropriate filtering technology,
  • Harden browsers and manage exceptions properly, and
  • Monitor and educate continuously,

you’ll drastically reduce the likelihood that a casual click turns into a serious incident – and you’ll be able to show an auditor that web access in your organisation is controlled, monitored and aligned with your ISMS, not just left to chance.