Protection Against Malware - ISO 27001 Annex A Control

ISO 27001 Annex A 8.7

Malware is the most common technical threat - the protection has to cover every entry point.

Malware - viruses, ransomware, spyware, worms - remains the most common technical threat to most organisations. The control requires layered protection covering the multiple paths through which malware enters: email attachments, web downloads, removable media, software supply chain, and infected devices joining the network. No single layer catches everything, so multiple layers compensate for each other's gaps.

Endpoint protection (modern anti-malware combined with behavioural analysis) catches most known and novel threats on individual devices. Email security filters infected attachments and malicious links before they reach users. Web filtering blocks access to known malicious sites. Application control restricts what can execute. Each layer has its place in the overall picture.

User awareness sits alongside the technical controls. The most sophisticated email filter will not catch every phishing email; staff who know what to look for and report suspicious messages quickly are the human layer of defence. Training, exercises, and a culture that welcomes reporting are the practical mechanisms.

Coverage is what gets tested in audit. Auditors look for anti-malware on every endpoint, with current definitions, with monitoring that confirms it is actually running, and with a process that deals with devices reporting problems. Gaps in coverage - devices that have fallen out of management, definitions that are weeks old, alerts that nobody has acted on - are findings that hit the closing meeting.
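A coverage check of the kind the paragraph above describes, written as an added example (it is not code from the original page or from the alphaZ toolkit). The asset list, agent report, report date and thresholds are constructed; a real check would read them from the asset register and the endpoint-management console:

```python
from datetime import date

# Constructed sample data. ASSET_INVENTORY stands in for the asset register;
# AGENT_REPORT stands in for an export from the anti-malware/EDR console.
ASSET_INVENTORY = ["LAPTOP-01", "LAPTOP-02", "SRV-FILE-01", "DESK-07"]

AGENT_REPORT = [
    # host, definitions date, last check-in, open alerts, age in days of the oldest open alert
    {"host": "LAPTOP-01", "defs": "2024-05-20", "seen": "2024-05-21", "open_alerts": 0, "oldest_alert_days": 0},
    {"host": "LAPTOP-02", "defs": "2024-04-02", "seen": "2024-05-21", "open_alerts": 1, "oldest_alert_days": 9},
    {"host": "SRV-FILE-01", "defs": "2024-05-19", "seen": "2024-05-01", "open_alerts": 0, "oldest_alert_days": 0},
]

REPORT_DATE = date(2024, 5, 22)   # constructed "today" for the audit run

# Thresholds are assumptions; set them from your own policy.
MAX_DEF_AGE_DAYS = 7       # definitions older than this count as stale
MAX_CHECKIN_AGE_DAYS = 3   # no check-in for longer than this = fallen out of management
MAX_ALERT_AGE_DAYS = 2     # open alerts older than this = nobody has acted on them


def coverage_gaps(inventory, report, today):
    """Return {hostname: [gap, ...]} for every inventoried device that would be an audit finding."""
    by_host = {r["host"]: r for r in report}
    gaps = {}
    for host in inventory:
        r = by_host.get(host)
        if r is None:
            # In the asset register but unknown to the console: no protection evidence at all.
            gaps[host] = ["no anti-malware agent reporting"]
            continue
        issues = []
        def_age = (today - date.fromisoformat(r["defs"])).days
        if def_age > MAX_DEF_AGE_DAYS:
            issues.append(f"definitions {def_age} days old")
        seen_age = (today - date.fromisoformat(r["seen"])).days
        if seen_age > MAX_CHECKIN_AGE_DAYS:
            issues.append(f"last check-in {seen_age} days ago (fallen out of management)")
        if r["open_alerts"] and r["oldest_alert_days"] > MAX_ALERT_AGE_DAYS:
            issues.append(f"{r['open_alerts']} alert(s) unactioned for {r['oldest_alert_days']} days")
        if issues:
            gaps[host] = issues
    return gaps


if __name__ == "__main__":
    for host, issues in coverage_gaps(ASSET_INVENTORY, AGENT_REPORT, REPORT_DATE).items():
        print(f"{host}: {'; '.join(issues)}")
```

Devices absent from the console export are the easiest gap to miss, which is why the check starts from the asset register rather than from the agent report.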

The malware test that bites organisations is the one nobody planned for. A USB drive someone found in the car park. An email that looked exactly like the supplier's normal invoice. A piece of software downloaded from a site that looked legitimate. Layered controls plus alert staff catch most of these; missing either layer creates a real risk.

Practical Compliance Guidance

Malware protection is described in the IMS1 manual at section 8.3 on IT equipment alongside the wider information security arrangements. Endpoint management tooling provides the operational evidence.

alphaZ document | How to use it
ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.
PP-8-100 Information Security Policy Procedure | Contains the Information Security Policy including the malware protection requirements. Use as the source for the policy baseline and staff awareness.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Modern endpoint detection and response (EDR) products combine traditional anti-malware with behavioural detection and incident response capabilities. The choice should reflect the size of the organisation, the sensitivity of the data and the available management capacity. The product is less important than coverage and active management.

Through periodic training that covers current attack patterns (phishing, business email compromise, malicious attachments), supported by simulated phishing exercises and clear reporting mechanisms. The metrics from these exercises feed into the awareness arrangements under A.6.3.

Ransomware protection combines the malware controls with strong backup arrangements (A.8.13), tested recovery procedures, network segmentation that limits spread, and incident response that detects encryption activity early. No single control prevents ransomware - the layered approach is what limits the damage.
