ISO27001:2002 A8.7 – Protection against malware
Malicious software and bad actors are now a fact of life. That’s why this ISO27001 control is so important. Being able to protect against malware has become increasingly important, both because malicious threats are growing and because the use and diversity of platforms is growing too.

 

But this ISO27001 control isn’t only about the technical controls you can install. In fact, what is so often cited as the weakest link, your people, is also your strongest form of defence.

 

What does the standard require?

The standard states that “Protection against malware shall be implemented and supported by appropriate user awareness.” (A8.7 – Protection against malware)

 

Why is this required?

Malicious software, aka malware, is a broad term which encompasses worms, Trojan horses, viruses, spyware and, more commonly these days, ransomware. The difference between each of these is the topic for another blog, but what you need to know is that each of them is intended to do you harm in some way.

 

From taking down your systems, which causes business disruption, to stealing your data, which causes a data breach, malware is a disruptive force that can have a negative impact on your business and your reputation.

 

We worked with a business that had been hit with malicious software. The ransomware that infected their network locked all their files in an impenetrable digital box, meaning they couldn’t work. It took several weeks to reconstitute the data from inboxes and physical documents. The business disruption cost the company a great deal of time and money, and a number of clients took their orders to competitors.

 

The company in question manufactured jam. The ingredients, the orders and the supplier details were all lost in the attack, but thankfully recovered from backup files. However, the disruption was painful to experience and lessons were learned.


Neglecting this ISO27001 control could leave you vulnerable to significant security risks and financial repercussions.


What the auditor is looking for

For this ISO27001 control, the auditor will look for evidence of both technical and operational security measures, including:
What do you need to do?

Speak to your IT support team to understand how malware protection measures have been implemented. This might include software tools installed on end-point devices, email and web filtering tools, acceptable use policies (e.g. preventing the use of USB drives), and patch management processes. Together, these measures provide a multi-layered approach to protecting your business.

 

Ask for metrics on malware infections and attempts to infiltrate your networks so that you can see what risks you are faced with. This is also important when looking at trend analysis.

 

Take a look at each of the areas above, consider which are of critical importance to you, and add any missing aspects to your risk register.

 

Remember that this control requires you to support any implemented malware protection with appropriate user awareness. This can be as simple as educating users on the risks associated with phishing emails, through to more detailed training and education on what to do if an incident occurs.

 

Following on from this, if you haven’t already addressed the matter of Incident Response and Business Continuity Plans, then you should take a close look at the ISO27001 Annex A control A5.26 (Response to information security incidents). Walking through how you would respond to a malware infection is a great way to test your plans with your senior leadership team, so run a table-top exercise to find issues that you weren’t aware of.

 

Since the standard asks for awareness that is appropriate, it helps to consider what level of awareness you need for the different people across your business.

 

Difficulty rating

We rate this control 2.5 out of 5 for difficulty. It can be technical in nature, as you’ll need to understand the various kinds of malware that present a risk to your business. It also requires that you have an understanding of how malware could be introduced into your business.

 

Q&A

Are there any specific malware protection tools we would recommend?

We wouldn’t recommend one brand of protection software over another, as this can become a contentious topic. Most people will have some experience with malware protection, so canvass those in your business to understand what they would use.

 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.