Web Filtering - ISO 27001 Annex A Control
ISO 27001 Annex A 8.23
Most malware enters through the browser - filter what staff can reach.
ISO 27001 Annex A 8.23 - Web Filtering
Web browsing is one of the most common paths for malware to enter the organisation - drive-by downloads from compromised sites, phishing pages collecting credentials, command-and-control traffic from compromised endpoints reaching back to attackers. The control asks for web access to be filtered so that staff are protected from the most obvious risks.
Web filtering typically combines category-based filtering (blocking known malicious or inappropriate categories), reputation-based filtering (blocking sites with poor reputation regardless of content), and content inspection (scanning content for malicious indicators). Cloud-based web security services have largely replaced on-premises web proxies for most organisations.
Filtering needs to balance protection with usability. Over-aggressive filtering blocks legitimate work and drives staff to workarounds (personal devices, mobile networks). Tuning the rules to the actual operational pattern of the organisation maintains protection without becoming an obstacle to work.
Web filtering also produces useful telemetry beyond the blocking itself. Patterns of blocked sites, repeat attempts from particular endpoints, and unusual destinations all contribute to the wider monitoring picture. Where the filter is integrated with the rest of the security stack, this data flows into the SIEM and supports detection of broader patterns that no single block reveals on its own.
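To show how the blocked-site telemetry described above can feed detection, here is an added example (not from this page, the IMS1 manual or any alphaZ document) that runs a simple repeat-block rule over a few constructed web-filter log lines: it flags any endpoint that hits the filter repeatedly within a short window and raises severity when the blocked categories suggest compromise rather than casual browsing. The log format, category names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-filter log in a hypothetical space-separated format:
# <timestamp> <source_ip> <action> <category> <destination_host>
SAMPLE_LOG = """\
2024-05-01T09:00:05Z 10.0.1.15 ALLOW business crm.example
2024-05-01T09:00:12Z 10.0.1.22 BLOCK malware bad-downloads.example
2024-05-01T09:00:40Z 10.0.1.22 BLOCK malware bad-downloads.example
2024-05-01T09:01:03Z 10.0.1.22 BLOCK command-and-control c2-relay.example
2024-05-01T09:01:30Z 10.0.1.22 BLOCK command-and-control c2-relay.example
2024-05-01T09:03:11Z 10.0.1.30 BLOCK gambling lucky-spins.example
2024-05-01T10:15:00Z 10.0.1.30 BLOCK gambling lucky-spins.example
"""

# Repeated blocks in these (assumed) categories point at a compromised endpoint,
# not at a user browsing somewhere they should not.
SECURITY_CATEGORIES = {"malware", "command-and-control", "phishing"}


def parse_log(text):
    """Return (timestamp, source_ip, action, category, host) tuples, one per line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, action, category, host = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, action, category, host))
    return events


def repeat_block_findings(events, window=timedelta(minutes=5), threshold=3):
    """Flag sources with at least `threshold` BLOCK events inside any span of length `window`."""
    blocks = defaultdict(list)
    for ts, src, action, category, _host in events:
        if action == "BLOCK":
            blocks[src].append((ts, category))
    findings = {}
    for src, items in blocks.items():
        items.sort()
        best = start = 0
        for end in range(len(items)):  # sliding window over time-ordered blocks
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            cats = {c for _, c in items}
            findings[src] = {"blocks_in_window": best, "categories": sorted(cats),
                             "severity": "high" if cats & SECURITY_CATEGORIES else "low"}
    return findings
```

In the sample, only 10.0.1.22 is flagged (four blocks in under two minutes, two of them in security categories); 10.0.1.30's two gambling blocks are over an hour apart and stay below the threshold.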
Practical Compliance Guidance
Web filtering arrangements are described in the IMS1 manual at section 8.3 on IT equipment alongside the wider information security arrangements. Web filter configuration and reports provide the operational evidence.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists. |
| PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the rules for web access. Use as the source for the policy that the filter enforces. |
Note - all the above files can be downloaded with an alphaZ subscription.
