
ISO 27001 Control 8.7: Protection Against Malware

By Alan Parker

Introduction

Malware poses a significant risk to organisational security, with threats ranging from viruses and worms to ransomware and spyware. ISO 27001 Control 8.7 focuses on implementing robust protection mechanisms to safeguard information and associated assets against malware. This article outlines the purpose, key measures, and best practices for achieving compliance with this control.


Purpose of Control 8.7

The primary objective of Control 8.7 is to ensure that information and assets are adequately protected from malware threats. This is achieved through a combination of technical controls, user awareness, and proactive security measures that help prevent, detect, and mitigate malware infections.


Key Measures for Malware Protection

To effectively implement Control 8.7, organisations should adopt a multi-layered approach to malware protection, including:


1. Implementing Rules and Controls to Prevent Unauthorised Software

  • Utilising application allowlisting to permit only approved software (see ISO 27001 Controls 8.19 and 8.32).

  • Preventing the execution of unauthorised or potentially malicious software.


2. Blocking Malicious Websites and Content

  • Using blocklists to prevent access to known malicious websites.

  • Employing web filtering technologies to restrict harmful content.
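The blocklist and web-filtering measures above come down to a hostname check, but a naive string comparison misses subdomains, mixed case, embedded credentials and ports. The following is an added example, not code from the article or from any product it mentions; the blocklist entries are constructed placeholders, and the matching logic (parent-domain matching, fail-closed on unparsable input) is one reasonable design, not a requirement of the control.

```python
"""Hostname-based web blocklist check (added example; blocklist values are constructed)."""
from urllib.parse import urlsplit

# Constructed blocklist entries: placeholder domains, not real indicators.
BLOCKLIST = {"malicious.example", "bad-cdn.example.net"}


def host_of(url: str):
    """Return the normalised hostname of a URL, or None if it cannot be parsed."""
    # urlsplit needs a scheme to recognise the authority part at all.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # lowercased; credentials and port already stripped
    if not host:
        return None
    # Convert internationalised names to their ASCII (punycode) form so that a
    # lookalike Unicode spelling is compared in the same form as the blocklist.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.rstrip(".")  # "malicious.example." is the same host


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the host, or any parent domain of it, appears in the blocklist."""
    host = host_of(url)
    if host is None:
        return True  # fail closed: an unparsable URL is not allowed through
    labels = host.split(".")
    # Check "a.b.malicious.example", then "b.malicious.example", then "malicious.example", ...
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    for candidate in (
        "https://sub.malicious.example/login",
        "http://user:pw@MALICIOUS.example:8080/",
        "https://notmalicious.example/",
        "https://example.com/",
    ):
        print(f"{candidate}: {'BLOCKED' if is_blocked(candidate) else 'allowed'}")
```

Matching on label boundaries is the important detail: `notmalicious.example` must not be blocked just because it ends with `malicious.example`, while `sub.malicious.example` must be. In a real deployment the blocklist would be loaded from a threat intelligence feed (section 13) rather than hard-coded.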


3. Reducing System Vulnerabilities

  • Implementing a technical vulnerability management process (see ISO 27001 Controls 8.8 and 8.19).

  • Regularly patching operating systems and applications to mitigate known vulnerabilities.


4. Conducting Regular System Validations

  • Running automated scans to validate software integrity.

  • Investigating and mitigating unauthorised files or amendments.
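Validating software integrity in practice means recording a baseline of known-good file hashes and periodically comparing the live system against it, so that modified, unexpected and missing files surface for investigation. The block below is an added example written for this article, not the author's code or any vendor tool; the directory layout and file contents it creates are constructed, and the `demo()` function simulates drift in a temporary directory purely to show what a comparison report looks like.

```python
"""Baseline-and-verify file integrity check (added example; sample files are constructed)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target would hide a redirected link.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: dict, destination: Path) -> None:
    """Persist the baseline; in production this copy belongs on read-only or offline storage."""
    destination.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(source: Path) -> dict:
    return json.loads(source.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report the three kinds of drift."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate tampering, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"approved binary v1")
        (root / "etc.conf").write_bytes(b"setting=1\n")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        baseline = load_baseline(baseline_file)
        baseline_file.unlink()  # keep the stored baseline out of the comparison itself

        # Simulated drift: an altered binary, an unexpected new file, a removed config.
        (root / "bin" / "app").write_bytes(b"approved binary v1 + unexpected change")
        (root / "bin" / "unexpected.bin").write_bytes(b"not in the baseline")
        (root / "etc.conf").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each list in the report maps to the second bullet of this section: "modified" and "added" entries are candidates for unauthorised amendments or files, and "missing" entries may indicate deletion by an attacker or by a failed maintenance step. The baseline is only as trustworthy as its storage; keeping it where the monitored system cannot rewrite it is what stops malware from simply re-baselining its own changes.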


5. Controlling File and Software Acquisition

  • Ensuring secure file transfer and software downloads.

  • Verifying sources before installing new software.


6. Deploying and Updating Malware Detection Tools

  • Installing and maintaining anti-malware software.

  • Running regular scans on:

    • Files received via network transfers or storage media.

    • Email attachments and instant messaging downloads.

    • Web pages before access.


7. Strategic Placement of Malware Detection Tools

  • Using a defence-in-depth approach, deploying anti-malware at:

    • Network gateways (email, file transfer, web traffic monitoring).

    • Endpoints such as user devices and servers.

  • Addressing evasive malware techniques, such as encrypted file-based threats.


8. Protecting Against Malware in Maintenance and Emergencies

  • Establishing strict protocols for software maintenance to prevent malware introduction.

  • Ensuring emergency procedures do not bypass security controls.


9. Managing Exceptions to Malware Protection Measures

  • Implementing a process for disabling malware protection when required.

  • Defining approval authorities, justification documentation, and review dates.


10. Preparing for Malware Incidents

  • Developing business continuity plans for malware recovery (see ISO 27001 Control 8.13).

  • Maintaining secure backups (online and offline) for recovery purposes.

  • Isolating high-risk environments where a malware outbreak could cause severe consequences.


11. Defining Responsibilities and Response Procedures

  • Establishing clear policies on malware protection.

  • Training employees on reporting and responding to malware threats.

  • Implementing incident response plans for malware-related breaches.


12. Enhancing User Awareness and Training

  • Educating users on how to identify and prevent malware infections.

  • Providing training on safe email and web practices (see ISO 27001 Control 6.3).

  • Keeping awareness materials up to date with current malware threats.


13. Staying Updated on Emerging Malware Threats

  • Subscribing to reputable threat intelligence sources.

  • Verifying malware alerts from trusted security vendors.


Challenges in Implementing Malware Protection

Some systems, such as industrial control systems (ICS), may not support traditional anti-malware solutions. In such cases, alternative protection methods should be considered, including:

  • Network segmentation.

  • Application control measures.

  • Monitoring system integrity.


Additionally, some malware infections compromise firmware and operating systems, requiring full reinstallation to restore security.


Conclusion

ISO 27001 Control 8.7 provides a structured approach to malware protection, emphasising a combination of technical controls, user awareness, and proactive defence measures. By implementing these best practices, organisations can effectively mitigate the risk of malware infections and maintain robust security resilience.


Adopting a layered security strategy, maintaining regular system updates, and fostering a culture of security awareness are key to defending against evolving malware threats. Ensuring compliance with Control 8.7 strengthens overall information security and supports ISO 27001 certification efforts.



About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
