ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.7 is about protection against malware, which means when you think about protection against harmful software (malware), you should look at the whole picture, not just using antivirus programmes. Antivirus software is certainly important, but you also need to think about a few other things.

What Is Identity Management?

Identity management is a way to make sure that only the right people, systems, or devices can get to your data. It helps you keep track of who or what is on your network and what they are allowed to do. This rule is a way to prevent risks before they happen.

What is ISO 27001 Annex A 8.7?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Protection Against Malware”.

What is the ISO 27001 Annex A 8.7 control objective?

The formal definition and control objective in the standard is: “Protection against malware should be implemented and supported by appropriate user awareness.”

What is the purpose of ISO 27001 Annex A 8.7?

The purpose of ISO 27001 Annex A 8.7 is “To ensure information and other associated assets are protected against malware.”

Is ISO 27001 Annex A 8.7 Mandatory?

ISO 27001 Annex A control 8.7 (Protection Against Malware in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 8.7 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

Topic-Specific Policy

You should either write or find a specific written rule called a Protection Against Malware Policy. This tells everyone what the rules are for dealing with bad software.

Education

As part of your security lessons, you will teach and remind people about malware. This means telling them what it is, how to react if they see it, and generally how it can get into your systems.

Anti-Virus Software

This is one of the most important things you can do for security, and it is simple to get started. You should have anti-virus software running that updates itself automatically, gets the newest threat information, scans your systems regularly, fixes the problems it finds, and sends reports.

Website Approval Lists

The best way to manage risky or bad websites is to block access to them or control how people use them. You should think about using a list of approved websites (allowlisting) and tie this into your rules and training.
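Allowlisting is only as strong as the way the URL is checked. As an added example (not part of the original article), the following Python code compares a naive substring check with one that parses the URL and tests the real hostname. The approved hosts and the sample URLs are constructed for illustration; the `evil.example` addresses show the kinds of inputs a substring check gets wrong.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact hostnames approved by the organisation (assumption)
APPROVED_HOSTS = {"intranet.example.com", "docs.example.com"}
# Constructed allowlist: domains whose subdomains are all approved (assumption)
APPROVED_DOMAINS = {"example.org"}


def host_is_approved(host):
    """Return True if the hostname is approved, matching exact hosts
    and subdomains of approved domains only."""
    host = host.lower().rstrip(".")          # normalise case and a trailing dot
    if host in APPROVED_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def url_is_approved(url):
    """Parse the URL and decide on the hostname actually contacted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                         # only web schemes are allowlisted
    host = parts.hostname                    # strips userinfo and port
    if host is None:
        return False
    return host_is_approved(host)


def naive_is_approved(url):
    """Weak check shown for contrast: any approved name anywhere in the
    string passes, including inside the userinfo part or a longer hostname."""
    return any(h in url for h in APPROVED_HOSTS)


def review_urls(urls):
    """Report, for each URL, the verdict of both checks."""
    return {u: {"naive": naive_is_approved(u), "parsed": url_is_approved(u)} for u in urls}


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        "https://docs.example.com/page",
        "https://api.example.org:8443/v1",
        "https://docs.example.com@evil.example/",       # userinfo trick
        "https://docs.example.com.evil.example/",       # longer hostname
        "ftp://docs.example.com/file",
        "https://notexample.org/",
    ]
    for url, verdict in review_urls(samples).items():
        print(f"{url}: naive={verdict['naive']} parsed={verdict['parsed']}")
```

The parsed check is the one to tie into the policy and the training: it decides on the hostname the browser will actually connect to, rejects non-web schemes, and only treats `name.example.org` as a subdomain when the dot is present, so `notexample.org` is not approved.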

Email Protection

You should consider and use additional tools that scan incoming email for malware and stop it from getting in through email. Use these tools wherever you can.

Business Recovery

Having a plan to continue your business and recover if a problem happens is a key part of the ISO 27001 rule set. This acts as a backup if your other protection fails. The basic rule here is that you need to have a plan and you must test it.

Threat Information

Because of the new rule in ISO 27001 (clause 5.7) about threat information, you should find and use news and reports about new malware threats. You must add this to your plans for managing risks so you can always be improving how you stop those threats.

Technical Checking

Good technical checking is also part of the rules and is connected to stopping malware. You do this by removing computer programs or services you do not need, blocking the ones you cannot remove, and having clear rules for managing your computer systems.
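Removing or blocking unneeded services is easier to keep up when the check is repeatable. As an added example (not part of the original article), this Python script parses the output of `systemctl list-unit-files --type=service --state=enabled` and compares the enabled services against an approved baseline. The command output and the baseline below are constructed samples; the service names are placeholders for whatever your own baseline contains.

```python
import re
import subprocess

# Constructed sample of `systemctl list-unit-files --type=service --state=enabled`
SAMPLE_OUTPUT = """\
UNIT FILE                  STATE   VENDOR PRESET
cron.service               enabled enabled
ssh.service                enabled enabled
telnet.service             enabled disabled
cups.service               enabled enabled

4 unit files listed.
"""

# Constructed baseline of services the organisation has approved (assumption)
BASELINE = {"cron.service", "ssh.service", "rsyslog.service"}

FOOTER = re.compile(r"\d+ unit files? listed\.")


def parse_enabled_services(output):
    """Extract the names of enabled .service units from systemctl output,
    skipping the header line, blank lines and the trailing count."""
    services = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("UNIT FILE") or FOOTER.fullmatch(line):
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0].endswith(".service") and fields[1] == "enabled":
            services.add(fields[0])
    return services


def audit_services(output, baseline):
    """Return services enabled but not in the baseline (candidates to remove
    or mask) and baseline services that are not enabled (monitoring gaps)."""
    enabled = parse_enabled_services(output)
    return {
        "unexpected": sorted(enabled - baseline),
        "missing": sorted(baseline - enabled),
    }


def live_output():
    """Run systemctl on the current host; falls back to the sample if unavailable."""
    try:
        return subprocess.run(
            ["systemctl", "list-unit-files", "--type=service", "--state=enabled"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_OUTPUT


if __name__ == "__main__":
    result = audit_services(live_output(), BASELINE)
    for svc in result["unexpected"]:
        print(f"enabled but not in baseline: {svc}")
    for svc in result["missing"]:
        print(f"in baseline but not enabled: {svc}")
```

Services reported as unexpected are the ones to remove; where a package cannot be removed, `systemctl disable --now` followed by `systemctl mask` keeps it from being started, and the audit run on a schedule shows whether the baseline still holds.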