
ISO 27001 A.8.23: Web filtering

What This Control Requires

Access to external websites shall be managed to reduce exposure to malicious content.

In Plain Language

Web-based attacks - phishing sites, drive-by downloads, malware distribution - remain one of the most common ways attackers get their initial foothold. This control (new in ISO 27001:2022) is about filtering access to external websites so your users are not one bad click away from a compromise.

Web filtering works through URL categorisation, reputation scoring, content inspection, and SSL/TLS inspection. The goal is to block known malicious sites while keeping the internet usable for legitimate work.

The trick is balance. Lock things down too aggressively and you frustrate people into finding workarounds (which are worse than no filtering at all). Focus on blocking genuinely dangerous categories and align the rest with your acceptable use policy.

How to Implement

Deploy a web filtering solution with URL categorisation and threat protection. Options include cloud-based secure web gateways (SWG), DNS-based filtering, on-premises web proxies, endpoint-based filtering, or browser security extensions. Whatever you choose, it must cover all users regardless of location - remote workers included.

Set up filtering policies that match your acceptable use policy. At minimum, block known malware and phishing sites, command-and-control domains, and newly registered domains (which are disproportionately used for attacks). Consider blocking or monitoring high-risk categories like file sharing sites, crypto mining sites, and anonymisation services.

Implement SSL/TLS inspection where legally and technically appropriate. Most malicious sites use HTTPS now, so without SSL inspection your filter is essentially blind to encrypted content. Work with legal to get the privacy considerations right and exempt sensitive categories (banking, healthcare) from inspection.

Make sure remote workers are covered. Cloud-based filtering that routes through a cloud proxy, DNS-based filtering that works on any network, or endpoint agents that function regardless of connection type all solve this problem.

Create a process for handling blocked-site requests. People will occasionally need access to something the filter catches. Give them a clear request mechanism, define an approval workflow that weighs risk against business need, and respond quickly. Slow responses drive workarounds.

Monitor and report on filtering activity. Track blocked requests by category and volume. Investigate patterns that suggest malware infections - repeated attempts to reach malicious sites are a red flag. Use the data to inform your security awareness training topics.
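One way to turn the monitoring step above into a repeatable check, as an added example (not AuditFront's or any vendor's tooling): it parses a constructed, hypothetical filter log format (timestamp, source host, domain, category, action), reports block volume per category for the trend report, and flags hosts that repeatedly hit malware, phishing or command-and-control categories inside a short window, the red flag the text describes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; real gateway logs differ.
SAMPLE_LOG = """\
2024-05-01T09:00:05 ws-0142 updates.example-vendor.com software-updates ALLOW
2024-05-01T09:01:10 ws-0142 login-secure-verify.example phishing BLOCK
2024-05-01T09:03:40 ws-0142 c2-beacon.example command-and-control BLOCK
2024-05-01T09:04:01 ws-0142 c2-beacon.example command-and-control BLOCK
2024-05-01T09:05:22 ws-0077 share-files.example file-sharing BLOCK
2024-05-01T09:06:59 ws-0142 c2-beacon.example command-and-control BLOCK
2024-05-01T10:30:00 ws-0099 bad-download.example malware BLOCK
"""

# Categories whose repeated blocks suggest an infected host rather than a curious user.
INFECTION_CATEGORIES = {"malware", "phishing", "command-and-control"}

def parse_log(text):
    """Parse whitespace-separated lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, domain, category, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "domain": domain, "category": category, "action": action})
    return events

def blocks_by_category(events):
    """Volume of BLOCK decisions per category, for the periodic trend report."""
    return Counter(e["category"] for e in events if e["action"] == "BLOCK")

def suspected_infections(events, threshold=3, window=timedelta(minutes=10)):
    """Return {host: max blocked infection-category hits seen inside one window}."""
    per_host = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK" and e["category"] in INFECTION_CATEGORIES:
            per_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0  # sliding window over this host's sorted block timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = max(flagged.get(host, 0), end - start + 1)
    return flagged
```

Feeding it the sample flags ws-0142 (four blocked C2/phishing attempts within six minutes) while the single file-sharing and malware blocks stay in the category report only.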

Evidence Your Auditor Will Request

  • Web filtering solution deployment and configuration documentation
  • Filtering policies showing blocked and allowed categories
  • Coverage records showing filtering applies to all users including remote workers
  • Blocked site exception request process and records
  • Web filtering activity reports and trend analysis

Common Mistakes

  • No web filtering solution deployed, leaving users exposed to malicious sites
  • Web filtering only covers on-premises users, while remote workers are unprotected
  • Filtering categories are too broad, blocking legitimate business sites
  • No SSL inspection, meaning encrypted malicious traffic is not inspected
  • No exception request process, causing users to find workarounds to bypass filtering

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC6.8          Partial overlap
NIS2        Art.21(2)(d)   Partial overlap

Frequently Asked Questions

Is this control new in ISO 27001:2022?

Yes, it is one of the 11 new controls introduced in the 2022 revision. The standard now explicitly addresses web-based threats as a standalone requirement, reflecting how significant these attack vectors have become since the 2013 version.

Should we implement SSL/TLS inspection?

It makes a big difference to filtering effectiveness since the vast majority of web traffic is now encrypted. That said, there are real considerations: some jurisdictions restrict interception of encrypted traffic, there are privacy implications (especially if you allow personal use), certificate deployment can be fiddly, and there is a performance hit. Get legal advice, notify users, and exempt sensitive categories like banking and healthcare from inspection. But for general web browsing, the security benefit is substantial.
