ISO 27001:2022 Annex A 8.23: The Complete Guide to Web Filtering
We have all been there. You click a link at work, maybe to check a sports score or buy a last-minute gift, and suddenly a screen pops up saying “Access Denied.” It can be annoying, sure, but in the world of information security, that pop-up is a silent guardian. This is the essence of ISO 27001:2022 Annex A 8.23.
Web filtering often gets a bad reputation as the “fun police” of the office, but its role in the modern ISO 27001 standard is critically important. It isn’t just about stopping employees from scrolling through social media when they should be working; it is about stopping hackers from walking right through your front door via a browser window.
What is Annex A 8.23?
In the 2022 update of the standard, Annex A 8.23 is a preventive control designed to manage which websites your users can access. The official definition revolves around managing access to external websites to reduce exposure to malicious content.
Think of the internet as a massive city. Some neighbourhoods are safe and productive. Others are riddled with crime, malware, and scams. Annex A 8.23 is your navigation system that automatically steers your employees away from the dangerous parts of town. By blocking access to known malicious sites, you are cutting off a primary vector for ransomware and phishing attacks.
Why is Web Filtering Critical for Security?
You might be thinking, “My team is smart; they won’t click on dodgy links.” Unfortunately, sophisticated attacks don’t rely on users being “dumb.” Drive-by downloads can infect a machine just by visiting a compromised legitimate website. This is where web filtering shines.
Implementing this control helps you achieve several key security objectives:
- Malware Prevention: It stops users from landing on sites known to host viruses, ransomware, or spyware.
- Phishing Protection: It blocks access to known phishing domains that try to steal credentials.
- Data Leakage Prevention: By blocking unapproved file-sharing sites, you prevent sensitive company data from being uploaded where it doesn’t belong.
- Legal Compliance: It prevents the viewing of illegal material on company property, which protects the organisation from liability.
For a deeper dive into how this fits into the wider framework of controls, resources like ISO27001.com offer a great overview of the complete Annex A list.
How to Implement Web Filtering
Implementing Annex A 8.23 doesn’t mean you have to manually approve every single website your staff visits. That would be a nightmare. Instead, you should rely on modern tools that classify sites by category and let you block whole categories at once.
1. Define Your Policy
Before you buy any software, you need to decide what is “acceptable.” This usually ties into your Acceptable Use Policy (AUP). Are social media sites allowed during lunch breaks? Are file-sharing sites banned entirely? You need clear rules so staff understand why the blocks are in place.
2. Use Automated Tools
Most organisations use firewall rules, DNS filtering services, or dedicated web proxies. These tools categorize the web into buckets like “Gambling,” “Adult,” “Hacking,” and “Malware.” You simply tick the boxes for the categories you want to block.
It is vital to subscribe to a service that updates its threat intelligence feeds in real-time. A static list of “bad sites” from 2020 is useless today.
3. Manage Exceptions
There will always be a legitimate reason to access a blocked site. Maybe your marketing team needs to access a specific social media platform, or a researcher needs to look at a site flagged as “games.” You need a clear, documented process for users to request access and for security teams to approve it safely.
Common Pitfalls to Avoid
- Over-blocking: If you lock down the internet too tightly, you stop people from doing their jobs. This leads to frustration and “Shadow IT,” where employees switch to their personal 4G/5G hotspots to bypass your controls, leaving them completely unprotected.
- Ignoring “Grey” Areas: It is easy to block porn and gambling. It is harder to decide on things like “Uncategorised” sites. Often, new malware sites appear as “Uncategorised.” A strict security posture blocks these, while a more relaxed one might allow them. You need to find the balance that fits your risk appetite.
- Forgetting Remote Workers: If your web filter only works when people are in the office, you have a massive gap. With hybrid working, your web filtering solution needs to sit on the endpoint (the laptop itself) or be cloud-based so it follows the user wherever they go.
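To make the three implementation steps above (policy, category-based tooling, documented exceptions) and the “Uncategorised” pitfall concrete, here is a small policy evaluator written for this article. It is an added example, not text from the standard or code from any filtering vendor: the category feed, the domains, the posture names and the change-ticket placeholder are all constructed, and a real deployment would take categories from a live threat-intelligence feed and enforce the decision in a DNS filter, proxy or endpoint agent. It shows the evaluation order a practitioner wants: security categories first (never overridable), then approved exceptions, then blocked categories, then the strict-versus-relaxed treatment of uncategorised sites.

```python
"""Category-based web filtering policy evaluator (illustrative).

Added example for the Annex A 8.23 article; not the standard's text and not
any vendor's product. All domains, categories and tickets are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for a vendor category feed (domain -> category).
# A real feed holds millions of entries and is refreshed continuously.
CATEGORY_FEED = {
    "example-social.test": "Social Media",
    "example-games.test": "Games",
    "example-share.test": "File Sharing",
    "example-casino.test": "Gambling",
    "example-dropper.test": "Malware",
    "example-bank-login.test": "Phishing",
    "intranet.example-corp.test": "Business",
}

# Categories that an approved business exception may never override.
SECURITY_CATEGORIES = {"Malware", "Phishing"}


@dataclass
class FilterPolicy:
    blocked_categories: set
    block_uncategorised: bool                       # True = strict posture
    exceptions: dict = field(default_factory=dict)  # exact host -> approval note


@dataclass
class Decision:
    host: str
    category: str
    action: str  # "allow" or "block"
    reason: str


def extract_host(target: str) -> str:
    """Accept a bare hostname or a full URL and return the normalised host."""
    if "://" not in target:
        target = "http://" + target
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def lookup_category(host: str) -> str:
    """Longest-suffix match, so cdn.example-social.test inherits its parent's category."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return "Uncategorised"


def evaluate(target: str, policy: FilterPolicy) -> Decision:
    """Order: security categories, approved exceptions, blocked categories, uncategorised."""
    host = extract_host(target)
    category = lookup_category(host)
    if category in SECURITY_CATEGORIES:
        return Decision(host, category, "block", f"security category: {category}")
    if host in policy.exceptions:
        return Decision(host, category, "allow", f"approved exception: {policy.exceptions[host]}")
    if category in policy.blocked_categories:
        return Decision(host, category, "block", f"blocked category: {category}")
    if category == "Uncategorised" and policy.block_uncategorised:
        return Decision(host, category, "block", "uncategorised site under strict posture")
    return Decision(host, category, "allow", f"permitted category: {category}")


def review_requests(targets, policy: FilterPolicy) -> dict:
    """Tally decisions over a batch of requests; a high block share hints at over-blocking."""
    counts = {"allow": 0, "block": 0}
    for target in targets:
        counts[evaluate(target, policy).action] += 1
    return counts


# Two constructed postures from the "grey areas" discussion.
STRICT = FilterPolicy(
    blocked_categories={"Social Media", "Games", "File Sharing", "Gambling"},
    block_uncategorised=True,
    exceptions={"example-social.test": "marketing team, change ticket CHG-PLACEHOLDER"},
)
RELAXED = FilterPolicy(blocked_categories={"Gambling"}, block_uncategorised=False)

if __name__ == "__main__":
    # Constructed sample of requests, as a proxy might log them.
    sample = [
        "https://example-social.test/feed",
        "cdn.example-social.test",
        "http://example-dropper.test/download",
        "brand-new-site.test",
        "https://intranet.example-corp.test/wiki",
    ]
    for t in sample:
        d = evaluate(t, STRICT)
        print(f"{d.action:5} {d.host:30} {d.category:14} {d.reason}")
    print("strict:", review_requests(sample, STRICT), "relaxed:", review_requests(sample, RELAXED))
```

Two design choices are worth noting. Exceptions match the exact host, so the marketing team’s approval for `example-social.test` does not silently open `cdn.example-social.test`; if that is needed, it is a second, documented request. And `SECURITY_CATEGORIES` sits ahead of the exception check, so no approval workflow can ever allow a site the feed flags as malware or phishing, which is the one place where the “fun police” objection does not apply.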
Conclusion
ISO 27001 Annex A 8.23 is not about being a dictator over browser history. It is a fundamental layer of defence. By filtering web traffic, you are essentially vaccinating your endpoints against the vast majority of internet-borne threats. Keep your rules up to date, keep your users informed, and ensure your filtering protects your staff regardless of where they are working.