ISO 27001 A.8.7: Protection against malware
What This Control Requires
Protection against malware shall be implemented and supported by appropriate user awareness.
In Plain Language
Ransomware alone has shut down hospitals, halted manufacturing lines, and bankrupted small businesses. Malware - viruses, worms, trojans, ransomware, spyware - remains one of the most common and destructive threats you face, regardless of your organisation's size.
Effective protection needs multiple layers: preventive controls to block malware from getting in, detective controls to spot what slips through, and responsive controls to contain and remove infections. No single tool covers all of this.
The standard explicitly calls out user awareness alongside technical controls, and for good reason. The bulk of malware still arrives through phishing emails, untrusted downloads and social engineering. Your people are both the weakest link and your best early warning system, depending on how well they are trained.
How to Implement
Deploy modern endpoint protection on every device that touches organisational data. You need next-generation antivirus with behavioural analysis (not just signature matching), EDR for investigation and response, anti-ransomware capabilities with rollback, web filtering for malicious sites, and email security for malicious attachments and links.
Add network-level protection. Set up email gateway security to scan incoming messages and attachments. Use a web proxy or DNS filtering to block known-malicious sites. Deploy network intrusion detection and prevention. Consider sandboxing technology to detonate suspicious files safely before they reach users.
Keep your protection current and properly configured. Enable automatic updates for all protection software and signature databases. Configure real-time scanning of everything accessed, downloaded, or executed. Turn on cloud-based threat intelligence for the latest protection. Make sure detection alerts actually reach someone who will act on them. Test your setup regularly with EICAR test files, bearing in mind that EICAR only proves the scanner is running and watching that path; it says nothing about detection quality, so review real detection telemetry as well.
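A scripted version of the EICAR check described above, added here as an example and not AuditFront's or the standard's own code: it writes the vendor-defined test string, reads it back so on-access scanners fire, then waits to see whether the file is quarantined. The filename, the default timeout and the layout of the verdict dict are assumptions of this example.

```python
"""Added example (not AuditFront's or the standard's own code): a small
EICAR check for real-time scanning on the host it runs on. The filename,
the 10 s default timeout and the verdict dict layout are assumptions."""
import hashlib
import os
import tempfile
import time
from typing import Optional

# Assembled from two halves so this source file is not itself quarantined
# when it is committed or emailed; only the joined string is the test file.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test file as the anti-malware vendors define it."""
    return (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")


def _intact(path: str, payload: bytes) -> bool:
    """True while the test file still exists with its original content.
    Reading it also triggers on-access scanners, which fire on read, not
    only on write."""
    try:
        with open(path, "rb") as fh:
            return fh.read() == payload
    except OSError:  # deleted, or locked by the quarantine step
        return False


def realtime_scan_check(directory: Optional[str] = None,
                        timeout_s: float = 10.0) -> dict:
    """Drop an EICAR file and report whether the scanner dealt with it in time.

    quarantined=True  -> real-time protection reacted on this host.
    quarantined=False -> nothing reacted within timeout_s; on a managed
                         endpoint that is an A.8.7 finding to investigate
                         (agent missing, disabled, scanning on-demand only,
                         or this directory excluded from scanning).
    The file is removed afterwards either way so no artefacts linger.
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_check.com")  # assumed filename
    payload = eicar_bytes()
    with open(path, "wb") as fh:
        fh.write(payload)
    deadline = time.monotonic() + timeout_s
    quarantined = False
    while time.monotonic() < deadline:
        if not _intact(path, payload):  # deleted or neutered by the scanner
            quarantined = True
            break
        time.sleep(0.25)
    try:
        os.remove(path)  # clean up whatever is left (deleted file is fine)
    except OSError:
        pass
    return {
        "path": path,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "quarantined": quarantined,
        "timeout_s": timeout_s,
    }


if __name__ == "__main__":
    verdict = realtime_scan_check()
    state = "reacted" if verdict["quarantined"] else "did NOT react"
    print(f"scanner {state} within {verdict['timeout_s']}s at {verdict['path']}")
```

Run it as an ordinary user in a directory the agent is expected to cover (the temp directory is sometimes excluded from scanning, which is itself a finding worth knowing about). A `quarantined` result of False on one host in a fleet is usually a missing or disabled agent, not a detection gap, and that is exactly what the deployment records the auditor asks for should already show.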
Shrink the attack surface with technical controls. Use application allow-listing to block unauthorised software. Block macros in documents from external sources (those carrying the Mark of the Web) or require explicit user confirmation. Restrict removable media. Publish SPF, DKIM and DMARC records to reduce email spoofing, and move DMARC to a quarantine or reject policy: p=none only reports. Block risky file types at the email gateway.
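An offline grader for the SPF and DMARC part of that list, added here as an example and not AuditFront's or the standard's own code. It takes the TXT record strings as input, flags the weak settings (`+all`, `?all`, `p=none`, partial `pct`, no `rua`), and shows a weak posture beside its corrected form; the sample records are constructed, and in practice you would fetch the real ones with a DNS resolver for every domain you own. DKIM is per selector and is not graded here.

```python
"""Added example (not AuditFront's or the standard's own code): grade SPF
and DMARC TXT records for the anti-spoofing posture A.8.7 is after. The
sample records below are constructed, not real domains' data."""
import re

# Terminal "all" qualifier of an SPF record, weakest first.
_SPF_ALL_RANK = {"+all": 0, "?all": 1, "~all": 2, "-all": 3}
# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term: str) -> str:
    """'include:spf.x.invalid' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]


def grade_spf(record: str) -> dict:
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "terminal": None, "strength": 0,
                "lookups": 0, "findings": ["not an SPF record"]}
    findings, terminal, lookups = [], None, 0
    for term in terms[1:]:
        mech = _mechanism(term)
        if mech in _LOOKUP_MECHS:
            lookups += 1
        elif mech == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"  # bare all == +all
            terminal = qualifier + "all"
    if terminal is None:
        strength = 1  # unlisted senders default to neutral
        findings.append("no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        strength = _SPF_ALL_RANK[terminal]
        if strength == 0:
            findings.append("'+all' authorises every host on the internet to send as this domain")
        elif strength == 1:
            findings.append("'?all' is neutral; receivers without DMARC enforcement accept spoofs")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return {"valid": True, "terminal": terminal, "strength": strength,
            "lookups": lookups, "findings": findings}


def grade_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "pct": 0, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy {policy!r}")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; you will get no aggregate reports")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


def anti_spoofing_grade(spf_record: str, dmarc_record: str) -> str:
    """'enforcing': DMARC quarantine/reject at pct=100 and SPF not '+all';
    'monitoring': DMARC present but p=none; 'exposed': anything else."""
    spf, dmarc = grade_spf(spf_record), grade_dmarc(dmarc_record)
    if not dmarc["valid"] or not spf["valid"] or spf["strength"] == 0:
        return "exposed"
    if dmarc["policy"] in ("quarantine", "reject") and dmarc["pct"] == 100:
        return "enforcing"
    if dmarc["policy"] == "none":
        return "monitoring"
    return "exposed"


# Constructed sample records: the weak posture beside the corrected one.
SAMPLES = {
    "weak": ("v=spf1 include:_spf.mailer.invalid +all",
             "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"),
    "corrected": ("v=spf1 mx include:_spf.mailer.invalid -all",
                  "v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@example.invalid"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(name, "->", anti_spoofing_grade(spf, dmarc))
        for finding in grade_spf(spf)["findings"] + grade_dmarc(dmarc)["findings"]:
            print("   -", finding)
```

`~all` is deliberately not treated as a finding: once DMARC enforces, a softfail already counts as an SPF failure for alignment purposes, and `-all` can break legitimate forwarded mail. The one setting that is always wrong is `+all`, which is why it alone drives the verdict straight to "exposed" regardless of the DMARC policy.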
Invest in user awareness. Train people to recognise phishing and social engineering. Run regular phishing simulations and give feedback. Educate on the risks of downloading from untrusted sources. Make reporting suspected malware easy and encouraged, not punished.
Prepare for when malware gets through anyway. Develop specific response procedures for outbreaks, especially ransomware. Maintain backups on offline or immutable storage that a compromised administrator account cannot delete or encrypt, and prove them with regular test restores. Define clear criteria for isolating infected systems and communication procedures during incidents.
Evidence Your Auditor Will Request
- Endpoint protection deployment records showing coverage across all devices
- Malware protection configuration including real-time scanning and automatic updates
- Email gateway and web filtering configuration and detection reports
- User awareness training records covering malware and phishing topics
- Malware incident response procedures and recent incident handling records
Common Mistakes
- Not all endpoints have active and up-to-date malware protection
- Endpoint protection relies solely on signature-based detection without behavioural analysis
- Email gateway does not scan or filter malicious attachments effectively
- Users are not trained to recognise phishing and social engineering attempts
- Backups are not protected against ransomware and could be encrypted in an attack
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.8 | Equivalent |
| SOC 2 | CC7.1 | Related |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(g) | Related |
Frequently Asked Questions
Is traditional antivirus sufficient for malware protection?
How do we protect against ransomware specifically?