ISO 27001:2022 Annex A Control 8.7

Protection Against Malware


Purpose of ISO 27001:2022 Annex A 8.7

Malware is one of the greatest menaces to business continuity and data security in the digital age.

Businesses worldwide face countless daily threats from a vast array of attack vectors that aim to gain unauthorised access to confidential systems and data, extract data and money, deceive unsuspecting personnel, and hold data to ransom.

Malware protection should be a priority when creating an information security policy. Organisations must take concrete steps to safeguard against malicious software.

ISO 27001:2022 Annex A 8.7 outlines a range of measures to educate personnel on the risks of malicious software and implement effective preventative measures to protect against internal and external threats, thus avoiding disruption and data loss.

Ownership of Annex A 8.7

Malware protection is a broad subject, encompassing multiple business functions with varying degrees of risk and numerous ISO controls. As such, responsibility for ISO 27001:2022 Annex A 8.7 should be given to the Chief Information Security Officer, or equivalent. ICT admin staff and standard users must take practical steps to protect against malware.

Guidance on ISO 27001:2022 Annex A 8.7 Compliance

Annex A 8.7 requires organisations to implement a malware defence that encompasses four main aspects:

  1. Controlled systems and account access.
  2. Change management.
  3. Anti-malware software.
  4. Organisational information security awareness (user training).

ISO cautions against believing that anti-malware software is enough to provide a secure environment. ISO 27001:2022 Annex A 8.7 calls for organisations to adopt an end-to-end strategy against malware, one that begins with educating users and culminates in a secure network that minimises the possibility of intrusion from a multitude of attack sources.

To achieve this, organisations should take measures including the following:

  • Discourage the use of unapproved software (see Annex A 8.19 and Annex A 8.32).
  • Block access to malicious or unsuitable websites.
  • Reduce the number of vulnerabilities on the network that could be exploited by malware or by individuals with malicious intent (see Annex A 8.8 and Annex A 8.19).
  • Conduct frequent software assessments to detect unauthorised software, system modifications and/or data on the network.
  • Obtain data and applications, whether developed internally or acquired externally, only from sources that present minimal risk.
  • Implement a malware detection policy involving regular, comprehensive scans of all relevant systems and files, tailored to each area’s distinct risks. Adopt a ‘defence in depth’ approach that covers endpoint devices and gateway controls and accounts for numerous attack vectors (e.g. ransomware).
  • Guard against intrusions that arise from emergency protocols and procedures, particularly during an incident or high-risk maintenance activity.
  • Draft a process that enables technical staff to deactivate some or all anti-malware measures when they impede the organisation’s operations.
  • Implement a robust backup and disaster recovery (BUDR) plan that enables the organisation to resume operations as soon as possible after a disruption (see Annex A 8.13). This should include procedures for software that cannot be protected by anti-malware software (e.g. machinery control software).
  • Segment the network and/or digital and virtual working spaces to limit the damage should an attack occur.
  • Provide all personnel with anti-malware training covering a broad range of topics, including (but not restricted to):
    • Email security
    • Malicious software installation
    • Social engineering
  • Gather information on the newest developments in malware protection relevant to the industry.
  • Ensure that all notifications about potential malware attacks (notably from software and hardware suppliers) come from a reliable source and are accurate.

Accompanying Annex A Controls

  • ISO 27001:2022 Annex A 8.13
  • ISO 27001:2022 Annex A 8.19
  • ISO 27001:2022 Annex A 8.32
  • ISO 27001:2022 Annex A 8.8

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.7 supersedes ISO 27001:2013 Annex A 12.2.1 (which addressed controls against malware).

ISO 27001:2022 Annex A 8.7 is similar to ISO 27001:2013 Annex A 12.2.1, but some of the additional guidance has been given higher priority in light of its significance for organisations’ anti-malware programmes. Specifically, it includes:

  • Ensuring protection against malware during maintenance periods.

ISO 27001:2013 Annex A 12.2.1 asks organisations to consider using two different anti-malware platforms, whereas ISO 27001:2022 Annex A 8.7 accepts a single integrated solution.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |

ISO 27001:2022 People Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting |

ISO 27001:2022 Physical Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |

ISO 27001:2022 Technological Controls

| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |

How ISMS.online Helps

Our platform gives you customisable dashboards that grant you real-time understanding of your compliance standing.

You can oversee and control the entirety of your ISO 27001:2022 conformance from one location, including audit management, gap analysis, training management, risk assessment, and more.

This comprehensive platform offers a simple and integrated solution that can be utilised around the clock from any device connected to the internet. It facilitates a seamless and secure collaboration among employees to monitor security risks and keep track of the organisation’s progress in attaining ISO 27001:2022 certification.

Contact us now to arrange a demonstration.
