Malware has evolved rapidly since the 2013 version of ISO 27001 was released. Back then, “antivirus” was often seen as a set-it-and-forget-it tool. Today, we face ransomware, fileless malware that never writes a payload to disk, and sophisticated phishing campaigns, all of which can bypass traditional signature-based detection. To address this, the 2022 update transformed the old control A.12.2.1 (Controls against malware) into Annex A 8.7: Protection Against Malware.
This update isn’t just a renumbering exercise; it’s a strategic shift toward “Defence in Depth.” The new standard expects you to move beyond simple software installation and toward a proactive environment where technology, people, and processes work together to catch threats before they can cause damage.
The Structural Evolution: From 12.2.1 to 8.7
In the 2013 version, malware protection lived in Domain 12 (Operations Security). In the 2022 revision, the 114 controls were condensed into 93 and grouped into four themes. Annex A 8.7 now sits within the Technological Controls theme.
According to Hightable.io, this move highlights that while malware protection involves people and policies, the “teeth” of the control must be technical. For organisations transitioning their Statement of Applicability (SoA), this means moving from a compliance mindset of “do we have a policy?” to “how does our technology actively enforce this?”
What is Annex A 8.7 Protection Against Malware?
The objective of Annex A 8.7 is to ensure that information and other associated assets are protected against malicious software. It requires organisations to implement a combination of preventative, detective, and corrective measures, supported by appropriate user awareness.
The 2022 standard defines a more holistic strategy, including:
- Detection and repair software (Antivirus/EDR).
- Security awareness training for staff.
- Restricting unauthorised software installations.
- Filtering of emails and web traffic.
Key Changes and New Requirements in the 2022 Version
While the 2013 version laid the foundation, the 2022 update introduces several modern nuances that reflect today’s threat landscape:
- Focus on Active Monitoring: The 2022 version places a much higher value on real-time detection. It’s no longer enough to have a weekly scan; the standard looks for “always-on” monitoring and rapid response capabilities.
- The Human Firewall: Annex A 8.7 explicitly links malware protection to user awareness; the control text itself says protection “shall be implemented and supported by appropriate user awareness.” It acknowledges that a large share of malware is “invited in” by a user action, such as opening a phishing attachment, following a malicious link, or installing unsanctioned software (shadow IT), so training is now a core requirement of this specific control rather than a separate HR topic.
- Consolidated Guidance: The 2022 version is more flexible. For instance, while the 2013 version sometimes suggested using two different anti-malware vendors to increase detection, the 2022 version is satisfied with a single, highly integrated solution that provides broad coverage.
- Web and Email Filtering: The new guidance specifically points to blocking access to malicious websites and scanning attachments as critical preventative steps, rather than just optional “extras.”
The Role of Attributes in Annex A 8.7
A major feature of the ISO 27001:2022 update is the introduction of “Attributes.” For Annex A 8.7, these metadata tags help categorise the control’s function and let you filter the control set by, for example, security property or cybersecurity concept:

| Attribute | Value |
|---|---|
| Control type | Preventive, Detective, Corrective |
| Information security properties | Confidentiality, Integrity, Availability |
| Cybersecurity concepts | Protect, Detect, Respond |
| Operational capabilities | Information Protection, IT Operations Security |
Practical Steps for Compliance
Transitioning to the 2022 standard requires moving toward a more transparent, owner-led security model. Hightable.io emphasises that during a transition audit, you should be prepared to show live evidence that your protections are active across all endpoints.
- Deploy Modern Endpoint Protection: The standard does not name a product class, but basic signature-only antivirus will struggle to evidence the “active monitoring” the control expects. Move to Endpoint Detection and Response (EDR), and be ready to prove that every device in your asset inventory has an agent installed, has checked in recently, and is running current agent and definition versions. In practice that means reconciling the asset register against the EDR console: any host in the register that the console does not know about is a coverage gap, and any host the console sees that the register does not is unmanaged kit. Both need an explanation.
- Restrict Administrative Rights: One of the most effective ways to satisfy A 8.7 is to remove local admin rights from standard users, which prevents the unauthorised installation of potentially malicious software and blunts most commodity malware that relies on elevated privileges to persist. Application allow-listing on high-risk or high-value systems strengthens this further.
- Automate Your Scanning: Ensure that system scans and definition updates are scheduled and pushed centrally, with the console reporting which endpoints missed an update. Manual, user-initiated updates are a major red flag for auditors because they cannot be evidenced consistently.
- Document Your Response: When malware is detected, how do you handle it? Your incident response plan should have a specific, tested workflow for isolating the affected host (for example, network containment from the EDR console), preserving evidence, eradicating the malware, and restoring from known-good backups. Keep records of each run of the workflow, including test exercises, as evidence for the corrective side of the control.
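The coverage reconciliation described in the first step above is the kind of evidence an auditor asks for, so here is one way to produce it. This is an added example written for this page; it is not code from the page, from ISO, or from Hightable.io. It assumes the asset inventory and the EDR console export are available as lists of records with the field names used below, and the thresholds (24-hour check-in window, minimum agent version, current definition set) are assumed policy values you would set from your own A 8.7 procedure.

```python
"""Endpoint malware-protection coverage check (added example, not from the
page or from the ISO standard).  Reconciles an asset inventory against an EDR
console export and reports the gaps an A 8.7 transition auditor asks about:
hosts with no agent, hosts that stopped checking in, hosts running an old
agent or old definitions, and hosts with real-time protection switched off.

Assumptions (not from the page): both inputs are lists of dicts with the
field names used below; thresholds are illustrative policy values.
"""
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values; take them from your own A 8.7 procedure).
MAX_CHECKIN_AGE = timedelta(hours=24)
CURRENT_AGENT = (7, 2, 1)        # minimum acceptable agent version
CURRENT_DEFS = "2024.05.31"      # definition set the console is currently pushing


def parse_version(text):
    """'7.10.0' -> (7, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess(inventory, edr_export, now):
    """Return per-host findings plus an overall coverage figure.

    inventory  : hosts the ISMS asset register says exist (the definition of
                 "all endpoints" for the audit)
    edr_export : hosts the EDR console knows about, with last check-in etc.
    now        : reference time, passed in so the check is reproducible
    """
    seen = {row["hostname"].lower(): row for row in edr_export}
    findings = {}
    for asset in inventory:
        name = asset["hostname"].lower()
        issues = []
        row = seen.get(name)
        if row is None:
            issues.append("no EDR agent reported")          # coverage gap
        else:
            age = now - datetime.fromisoformat(row["last_checkin"])
            if age > MAX_CHECKIN_AGE:
                issues.append(f"stale check-in ({age.days}d {age.seconds // 3600}h)")
            if parse_version(row["agent_version"]) < CURRENT_AGENT:
                issues.append(f"old agent {row['agent_version']}")
            if row["definitions"] != CURRENT_DEFS:
                issues.append(f"old definitions {row['definitions']}")
            if not row.get("realtime_protection", False):
                issues.append("real-time protection disabled")
        findings[name] = issues
    # Hosts the console sees but the register does not: unmanaged kit or a
    # stale asset register.  Either way the auditor will ask about them.
    registered = {a["hostname"].lower() for a in inventory}
    unregistered = sorted(set(seen) - registered)
    compliant = sum(1 for issues in findings.values() if not issues)
    coverage = 100.0 * compliant / len(inventory) if inventory else 0.0
    return {"findings": findings, "unregistered": unregistered,
            "coverage_pct": round(coverage, 1)}


# Constructed sample data (invented hostnames, not a real estate).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
INVENTORY = [{"hostname": h} for h in ("WS-001", "WS-002", "WS-003", "SRV-DB1")]
EDR_EXPORT = [
    {"hostname": "ws-001", "last_checkin": "2024-06-01T08:45:00+00:00",
     "agent_version": "7.2.1", "definitions": "2024.05.31", "realtime_protection": True},
    {"hostname": "ws-002", "last_checkin": "2024-05-28T17:10:00+00:00",   # stopped reporting
     "agent_version": "7.2.1", "definitions": "2024.05.27", "realtime_protection": True},
    {"hostname": "srv-db1", "last_checkin": "2024-06-01T08:59:00+00:00",
     "agent_version": "7.1.9", "definitions": "2024.05.31", "realtime_protection": False},
    {"hostname": "lab-pc-9", "last_checkin": "2024-06-01T08:30:00+00:00",  # not in register
     "agent_version": "7.2.1", "definitions": "2024.05.31", "realtime_protection": True},
]


def sample_report():
    """Run the check over the constructed data; used by main() and the tests."""
    return assess(INVENTORY, EDR_EXPORT, NOW)


if __name__ == "__main__":
    report = sample_report()
    for host, issues in sorted(report["findings"].items()):
        print(f"{host:10} {'OK' if not issues else '; '.join(issues)}")
    print("in EDR but not in register:", ", ".join(report["unregistered"]) or "none")
    print(f"coverage: {report['coverage_pct']}% of registered endpoints fully compliant")
```

Run it as-is and the constructed estate scores 25% coverage: one workstation is clean, one has no agent at all, one stopped checking in days ago with old definitions, and the database server has an outdated agent with real-time protection off, while a lab PC is reporting to the console without ever appearing in the register. The point of keeping the inventory as the denominator is that “100% of the devices the console knows about” is not the same claim as “100% of our devices”, and an auditor will spot the difference.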

Why the Change Matters
The 2022 update to Annex A 8.7 is a response to the “Zero Trust” era. In 2013, the goal was to keep malware off the network. In 2022, the goal is to assume malware will eventually get in and to ensure you have the detective and corrective controls to spot it quickly and stop it from spreading. By aligning with this new standard, you are building a resilient “fortress” that combines technological strength with a highly aware workforce.
Final Thoughts on the Transition
The move from 12.2.1 to 8.7 is a welcome shift toward practical, modern security. While the 2013 version could be satisfied with a simple checkmark, the 2022 version invites you to look at your “Defence in Depth” strategy. As Hightable.io points out, the key is to ensure no malware defence runs without evidence of its activity and clear ownership.
