Understanding ISO 27002 Control 8.23: Web Filtering for Cybersecurity
If employees visit websites with malicious content, this may expose corporate networks and information systems to security risks such as malware attacks.
For example, cyber attackers may send a phishing email to an employee’s work email, persuade him to click on a link, and visit a website. When the employee visits this website, they may automatically upload malware on the employee’s device and then infiltrate into corporate networks. This type of attack is called drive-by download and it automatically downloads malware once an employee visits a website.
Therefore, organisations should put in place appropriate web filtering controls to restrict and control access to external websites and prevent security threats.
Purpose of Control 8.23
Control 8.23 enables organisations to eliminate security risks such as malware infection that may arise as a result of access to external websites with malicious content.
Attributes Table of Control 8.23
Control 8.23 is a preventive type of control that requires organisations to put in place appropriate access controls and measures to prevent access to malicious content on external websites.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Protect | #System and Network Security | #Protection |
| #Integrity | ||||
| #Availability |
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Control 8.23
Considering that 8.28 involves identification of high-risk external websites and design and implementation of appropriate access and web filtering controls, the chief information security officer should be responsible to take appropriate steps for compliance.
General Guidance on Compliance
Organisations should establish and implement necessary controls to prevent employees from accessing external websites that may contain viruses, phishing materials, or other types of illegal information.
One effective technique to prevent access to dangerous external websites is blocking the IP address or domain of websites identified as dangerous. For instance, some browsers and anti-malware tools enable organisations to do this automatically.
Control 8.23 notes that organisations should determine which types of websites should not be accessed by employees.
In particular, the following types of websites should be blocked:
- Websites with information upload functionality. Access should be subject to permission and should only be granted for valid business reasons.
- Websites that are known or suspected to contain malicious material, such as websites with malware content.
- Command and control servers.
- Malicious websites obtained from threat intelligence. Organisations should refer to Control 5.7 for more details.
- Websites distributing illegal content and materials.
Before designing and implementing this Control, organisations are advised to put in place rules for safe and appropriate access to and use of online resources. This should also include imposing restrictions on websites that contain inappropriate materials.
These rules should be reviewed and updated at regular intervals.
Supplementary Guidance on Staff Training
Control 8.23 requires that all staff should be provided with training on how to access and use online resources safely.
This training should cover the organisation’s own rules and should address how staff can raise his/her security concerns by contacting the relevant individual within the organisation.
Furthermore, training should also address how staff can access restricted websites for valid business reasons and how this exception process works for such access.
Last but not the least, training should address browser advisory that warns users that a website is not secure but that permits users to proceed. Staff should be instructed not to ignore such warnings.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Supplementary Guidance on Control 8.23
There is a variety of web filtering techniques such as:
- Heuristics.
- Signatures.
- List of prohibited and acceptable websites.
- Domain configuration.
Changes and Differences from ISO 27002:2013
27002:2022/8.23 is a new type of control.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
You can monitor and manage all aspects of your ISO 27002 compliance journey from one place – audit management, gap analysis, training management, risk assessment etc.
It provides an easy-to-use, integrated solution that can be accessed on a 24/7 basis via any device with an internet connection. The platform allows all employees to work together seamlessly and securely to manage security risks and track the organisation’s compliance, as well as the journey towards ISO 27001 certification.
Get in touch today to book a demo.
