If you have been familiar with ISO 27001 for a while, you probably remember the 2013 version as a solid, if slightly aging, framework. However, the release of the 2022 update brought some major shifts to the table. One of the most talked-about additions is Annex A 8.23: Web Filtering. While it might sound like a basic IT task, its inclusion as a formal control marks a significant evolution in how the standard views modern web threats.
In the 2013 version, there was no direct equivalent to this control. To understand what has changed, we have to look at how ISO 27001 has pivoted from “managing IT” to “proactive threat prevention.”
A Brand New Control for a Modern Era
The most important thing to know about Annex A 8.23 is that it is entirely new. In the ISO 27001:2013 standard, you won’t find a control specifically dedicated to web filtering. Back then, protecting users from the web was usually covered only loosely, under controls against malware (A.12.2.1) or the acceptable use of assets (A.8.1.3).
In the 2022 update, web filtering has been promoted to its own dedicated control under the “Technological” theme. This change reflects the reality of the 2020s: a large share of malware, phishing, and ransomware attacks begins with a user’s browser reaching a hostile or compromised site. As noted by Hightable.io, the goal of 8.23 is to reduce the organisation’s exposure to malicious content by managing which external websites users can access.
What the 2022 Version Now Requires
Since this wasn’t a formal requirement in 2013, organisations transitioning to the 2022 version need to build a process from scratch or formalise their existing informal setups. Annex A 8.23 isn’t just about “blocking Netflix”; it’s a security-first requirement. The standard now expects you to:
- Manage Access to External Sites: You must have a technical way to restrict access to websites that are known to be malicious or that violate your company policy.
- Implement Rules-Based Filtering: This can be done by blocking specific categories (like “Gambling” or “Adult Content”) or by using “allowlists” for high-security environments.
- Handle Encrypted Traffic: Modern web filtering needs to account for HTTPS, which is now the bulk of web traffic; a filter that only inspects cleartext sees very little. The standard does not prescribe a mechanism. Filtering at the DNS layer or on the hostname presented in the TLS handshake works without decrypting anything; full TLS inspection gives visibility into URLs and payloads, but it means the gateway terminates TLS on behalf of users, so it needs its own certificate distribution, documented exclusions for privacy-sensitive categories (banking, healthcare, personal webmail) and a recorded decision on why that trade-off was made.
- Establish an Exception Process: You can’t just block everything. There must be a documented way for users to request access to a blocked site if they have a legitimate business need.
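To make the mechanics in the list above concrete, here is an added example of a small policy evaluator, written for this page and not taken from the original article, from Hightable.io, or from any filtering product. It applies category blocking on a standard segment, allowlist-only behaviour on a high-security segment, and ticket-backed, time-boxed exceptions that can never override a “malicious” verdict, and it emits one JSON record per decision of the kind an auditor asks to see. The category feed, the `.test` domains, the segment names and the ticket identifiers are all constructed sample data.

```python
"""Web-filtering policy evaluator: category block, allowlist segment, exceptions.

Added example for illustration, not code from the original article or from any
filtering product. Category feed, domains (.test TLD), segment names and ticket
ids below are constructed sample data.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed category feed (domain -> category). A real gateway pulls this from
# a vendor or threat-intelligence feed that is refreshed continuously.
CATEGORIES = {
    "malware-drop.test": "malicious",
    "c2-beacon.test": "malicious",
    "example-gambling.test": "gambling",
    "payroll-saas.test": "business",
    "news.test": "news",
}

# Rules-based policy for the standard corporate segment.
BLOCKED_CATEGORIES = {"malicious", "gambling", "adult"}
ALLOW_UNCATEGORISED = True  # corporate users may reach sites the feed has not rated

# Allowlist mode for a high-security segment: nothing else is reachable.
HIGH_SECURITY_ALLOWLIST = {"payroll-saas.test"}


@dataclass(frozen=True)
class AccessException:
    """A documented, ticket-backed, time-boxed exception (hypothetical ticket ids)."""
    domain: str
    ticket: str
    expires: datetime


@dataclass(frozen=True)
class Decision:
    host: str
    segment: str
    category: str
    decision: str  # "allow" or "block"
    reason: str

    def log_line(self, when: datetime) -> str:
        """One JSON record per request: the operational evidence auditors ask for."""
        return json.dumps({"ts": when.isoformat(), **self.__dict__}, sort_keys=True)


def normalize_host(target: str) -> str:
    """Accept a bare host or a full URL; return a lower-case host, no port, no trailing dot."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat the input as a network location
    host = urlsplit(target).hostname or ""  # .hostname already lower-cases
    return host.rstrip(".")


def lookup_category(host: str) -> str:
    """Walk up the labels so cdn.malware-drop.test inherits its parent's category."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorised"


def evaluate(target: str, segment: str, exceptions=(), now: datetime = None) -> Decision:
    """Decide allow/block for one request; exceptions match the exact host only."""
    now = now or datetime.now(timezone.utc)
    host = normalize_host(target)
    category = lookup_category(host)
    active = next((e for e in exceptions if e.domain == host and e.expires > now), None)

    def result(decision: str, reason: str) -> Decision:
        return Decision(host, segment, category, decision, reason)

    # Known-malicious destinations are blocked everywhere; no ticket overrides this.
    if category == "malicious":
        return result("block", "malicious category, not exceptionable")
    if segment == "high-security":
        if host in HIGH_SECURITY_ALLOWLIST:
            return result("allow", "on allowlist")
        if active:
            return result("allow", f"exception {active.ticket}")
        return result("block", "not on allowlist")
    if category in BLOCKED_CATEGORIES:
        if active:
            return result("allow", f"exception {active.ticket}")
        return result("block", f"blocked category {category}")
    if category == "uncategorised" and not ALLOW_UNCATEGORISED:
        return result("block", "uncategorised")
    return result("allow", "permitted category")


# Constructed sample clock and exception register (hypothetical tickets).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EXCEPTIONS = (
    AccessException("example-gambling.test", "SR-1042", SAMPLE_NOW + timedelta(days=30)),
    AccessException("c2-beacon.test", "SR-1077", SAMPLE_NOW + timedelta(days=30)),  # must not work
    AccessException("news.test", "SR-0990", SAMPLE_NOW - timedelta(days=1)),  # expired
)

if __name__ == "__main__":
    for target, segment in [
        ("https://www.malware-drop.test/payload.exe", "corporate"),
        ("example-gambling.test", "corporate"),
        ("c2-beacon.test", "corporate"),
        ("https://news.test/", "high-security"),
        ("payroll-saas.test:443", "high-security"),
    ]:
        print(evaluate(target, segment, SAMPLE_EXCEPTIONS, SAMPLE_NOW).log_line(SAMPLE_NOW))
```

Two design points carry over to a real gateway: the “malicious” check sits before the exception lookup so a business ticket can never open a command-and-control domain, and every decision, including allows granted under an exception, is logged with the ticket reference, which is what ties the operational records back to the documented exception process.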
The Shift from “HR Policy” to “Technical Security”
Under the old 2013 mindset, web filtering was often viewed through the lens of productivity, making sure staff weren’t wasting time on social media. The 2022 version shifts this firmly into the Technological theme. It is now categorized as a Preventive control.
According to Hightable.io, auditors are no longer looking for just a line in an employee handbook that says “don’t visit bad sites.” They are looking for technical evidence that a filtering tool is in place, that it is being updated regularly with new threat signatures, and that there are logs showing the system is working. This is a much higher bar for evidence than what was required in the 2013 era.

Why This Change Matters for Your Audit
If you are transitioning your Statement of Applicability (SoA) from 2013 to 2022, Annex A 8.23 will likely be one of the “gaps” you need to fill. Because it’s a new control, you can’t simply “map” it from an old one. You will need to show the auditor:
- Your Web Filtering Policy: Which categories are blocked and why?
- The Tooling: What software or hardware (like a DNS filter or a Secure Web Gateway) are you using to enforce the rules?
- Operational Records: Logs of blocked attempts and records of the exception process being used.
Conclusion: Bridging the Gap
The addition of Annex A 8.23 Web Filtering is a clear sign that ISO 27001 is keeping pace with the way we work today. Between 2013 and 2022, the web became the primary vector for cyberattacks, and the standard has adjusted accordingly. By implementing robust web filtering, you aren’t just ticking a new box for your auditor; you are closing a major door that attackers use to enter your network.
If you’re currently working on your transition, resources like Hightable.io can provide templates and guidance to help you stand up this new control without disrupting your team’s workflow.
