What is ISO 27001:2022 Annex A 8.23 Web filtering in ISO 27001?
Annex A 8.23 Web filtering is a documented process that manages access to external websites in order to protect the organisation. This control reduces risks from malicious software and inappropriate content. Implementation involves integrating the filtering rules into business-as-usual tools such as SharePoint and Jira, so that human oversight of web traffic is recorded rather than assumed.
Auditor’s Eye: The Shortcut Trap
Many organisations rely on automated SaaS dashboards to manage web filtering. These platforms often provide a false sense of security through automated ticks. Auditors prefer seeing evidence within your native document repositories. We want to see your specific policy in SharePoint. We look for the manual approval trail for exceptions in Jira. Relying on a black-box system leads to surface-level compliance. It often fails when staff cannot explain the logic behind blocked categories.
| 2013 Control | 2022 Control | Change Nature |
|---|---|---|
| N/A | Annex A 8.23 | This is a new control. It addresses modern web-based threats directly. |
How to Implement ISO 27001:2022 Annex A 8.23 (Step-by-Step)
Web filtering must be a managed process within your existing organisational tools. Do not treat it as a software installation. Follow these steps to ensure compliance.
- Draft a Web Usage Policy in SharePoint. Define which categories are blocked or permitted.
- Obtain management sign-off using SharePoint versioning and approval workflows.
- Establish a Jira project to handle user requests for blocked sites.
- Ensure every Jira ticket includes a business justification for the exception.
- Configure your filtering tool to match the approved SharePoint categories.
- Examine filtering reports monthly. Document these reviews in your internal wiki or meeting minutes.
- Update the block list as new threats appear. Record these changes in your change management log.
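To show what steps 4 and 7 look like when checked rather than assumed, here is an added Python script (not part of the original article, and not the output of any filtering product it names) that reconciles a filter's exported configuration against the SharePoint policy categories and the Jira approval trail. All data is constructed, and the field and ticket names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample: blocked categories listed in the approved SharePoint Web Usage Policy.
POLICY_BLOCKED = {"gambling", "malware", "phishing", "adult"}

# Constructed sample: categories the filtering tool actually blocks (exported from its console).
TOOL_BLOCKED = {"gambling", "malware", "adult"}

# Constructed sample: allow-list entries on the tool, each with the Jira ticket recorded
# in its description (None when the administrator left no reference).
TOOL_EXCEPTIONS = {
    "vendor-portal.example": "JIRA-452",
    "stats.example": None,            # unblocked after a verbal request, no ticket
    "sandbox.example": "JIRA-999",    # ticket reference that exists nowhere in Jira
}

# Constructed sample: exceptions formally approved in Jira (ticket -> (domain, approver)).
JIRA_APPROVED = {"JIRA-452": ("vendor-portal.example", "infosec-lead")}


@dataclass
class Findings:
    # Categories the policy blocks but the tool does not: configuration drift from the policy.
    policy_gaps: set[str] = field(default_factory=set)
    # Allow-list entries with no ticket reference at all: the "Informal Whitelisting" failure mode.
    undocumented: list[str] = field(default_factory=list)
    # Allow-list entries whose ticket is missing in Jira or approves a different domain.
    unapproved: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.policy_gaps or self.undocumented or self.unapproved)


def reconcile(policy_blocked, tool_blocked, tool_exceptions, jira_approved) -> Findings:
    """Compare the live filter state against the policy and the Jira approval trail."""
    findings = Findings(policy_gaps=set(policy_blocked) - set(tool_blocked))
    for domain, ticket in sorted(tool_exceptions.items()):
        if ticket is None:
            findings.undocumented.append(domain)
        elif jira_approved.get(ticket, (None, None))[0] != domain:
            findings.unapproved.append(domain)
    return findings


if __name__ == "__main__":
    result = reconcile(POLICY_BLOCKED, TOOL_BLOCKED, TOOL_EXCEPTIONS, JIRA_APPROVED)
    print("compliant" if result.is_clean() else result)
```

Running this as part of the monthly review gives a record of drift and undocumented exceptions that can be filed with the meeting minutes.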
ISO 27001:2022 Annex A 8.23 Web filtering Audit Evidence Checklist
Focus on manual records and internal document versions. This proves human oversight and operational intent. Auditors look for the following items.
- The master Web Usage Policy stored in SharePoint.
- Jira tickets showing the full history of whitelist requests.
- Management approvals for specific site exceptions.
- Meeting minutes that discuss web security and filtering performance.
- Internal audit records verifying the filtering configuration.
Relational Mapping
Annex A 8.23 Web filtering links to several other ISO 27001 components:
- Clause 8.1 (Operational Planning): Directs the execution of web filtering.
- Annex A 8.7 (Malware Protection): Web filtering acts as a primary preventative control.
- Annex A 5.10 (Acceptable Use): Defines the rules users must follow online.
Auditor Interview
Auditor: How do you decide which websites to block?
Manager: We follow our Web Usage Policy in SharePoint. It lists prohibited categories like gambling and malware sites.
Auditor: Where can I see the approval for a recent unblocked site?
Manager: You can see the request in Jira ticket #452. The InfoSec lead provided the digital sign-off there.
Common Non-Conformities
| Failure Mode | Description | Corrective Action |
|---|---|---|
| Automated Complacency | Relying on software defaults without any internal review. | Record a manual review of filtering rules in SharePoint. |
| Informal Whitelisting | Staff unblocking sites after a verbal request. | Enforce a mandatory Jira workflow for all changes. |
| Lack of Policy | Filtering is active but no documented policy exists. | Publish a version-controlled policy in SharePoint. |
Frequently Asked Questions
What is the requirement for Annex A 8.23 Web filtering?
The Bottom Line: Annex A 8.23 requires organisations to manage access to external websites. This reduces exposure to malicious content and unauthorised web resources. You must document this process within your internal management system tools. This proves you have active control over web-based risks.
How do I manage web filtering exceptions?
The Bottom Line: Manage exceptions using a formal request and approval process in Jira. Technical staff should justify the need for access. Management must approve the risk before whitelisting any prohibited category. This creates a clear audit trail for any security deviations.
Does ISO 27001 require specific web filtering software?
The Bottom Line: ISO 27001 does not mandate specific software. It requires a managed process. You must show evidence of rules, reviews, and manual oversight within your organisational repositories. Auditors value your management records over the brand of software you use.
