ISO 27001 Annex A Control 8.23

ISO 27001 control 8.23 Web filtering

The basics

ISO 27001 control A.8.23 Web filtering requires organizations to manage which external websites their users can access, in order to reduce the risk of systems being compromised by malicious content (e.g., drive-by malware downloads or phishing pages) and to prevent users from accessing illegal or otherwise unauthorized material on the Internet. This is a completely new control in the 2022 revision of the standard (ISO/IEC 27001:2022, with guidance in ISO/IEC 27002:2022).

Documentation

ISO 27001 control A.8.23 Web filtering can be documented in the Security Procedures for IT Department or in a separate Web Filtering Policy.

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.23 Web filtering you might implement the following:

  • Technology — web filtering is usually enforced by software that blocks access to particular websites or IP addresses: DNS filtering, a web proxy or secure web gateway, browser policies, or an endpoint security agent (some anti-malware suites include such a web-protection component). At the simplest level it can be a published list of forbidden websites that users are asked not to visit, although this relies on user compliance and leaves no technical record for an auditor. Small companies may use such lists and software solutions deployed on endpoint devices, while bigger companies may use specialized software that centralizes monitoring and analysis of web traffic.
  • Organization/processes — you should set up a process for determining which types of websites are not allowed (e.g., by category, by specific domain, or by IP address), who approves exceptions, and how the web filtering tools and their block lists are maintained. You can document these processes in the Security Procedures for IT Department or in a Web Filtering Policy.
  • People — make employees aware of the risks of using the Internet and where to find guidelines for safe use, and train IT staff on how to perform web filtering.

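As an added example (not code from the article or from ISO/IEC 27002), the following Python function shows the decision logic behind the two mechanisms described above: a list of forbidden websites and blocking of particular IP addresses. It also shows the normalisation steps a naive substring match gets wrong (uppercase hostnames, trailing dots, a decoy domain in the userinfo part of the URL, look-alike domains that merely contain a blocked name). The policy entries, the `.example` domains and the 203.0.113.0/24 range are constructed for illustration and are not real block-list data.

```python
# Added example, not from the article or from ISO/IEC 27002: a minimal
# web-filter decision function. Policy data below is constructed.
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy. A blocked domain matches itself and every subdomain;
# the allow-list is a hypothetical business exception that overrides a block.
BLOCKED_DOMAINS = {"malware-host.example", "gambling.example"}
ALLOWED_DOMAINS = {"cdn.gambling.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed


def normalise_host(url: str) -> Optional[str]:
    """Extract a canonical hostname from a URL.

    urlsplit().hostname drops userinfo, port and IPv6 brackets and lowercases,
    so "http://gambling.example@good.example/" yields good.example rather than
    the decoy in the userinfo part that a naive substring check would match.
    The trailing dot (FQDN form) is removed and Unicode labels are converted to
    their IDNA (punycode) form so look-alike spellings compare as plain ASCII.
    """
    if "://" not in url:
        url = "http://" + url  # bare "host/path" input
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:  # invalid label (empty, too long, ...)
        return None


def domain_matches(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (not a bare suffix match)."""
    return host == domain or host.endswith("." + domain)


def decide(url: str) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a requested URL."""
    host = normalise_host(url)
    if host is None:
        return ("block", "unparseable host")

    # 1. IP literals are checked against the blocked networks only.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return ("block", "ip %s in blocked network %s" % (ip, net))
        return ("allow", "ip literal not in any blocked network")

    # 2. An explicit allow-list entry overrides any domain block.
    if any(domain_matches(host, d) for d in ALLOWED_DOMAINS):
        return ("allow", "allow-listed %s" % host)

    # 3. Domain block list, including subdomains.
    for d in BLOCKED_DOMAINS:
        if domain_matches(host, d):
            return ("block", "blocked domain %s" % d)

    return ("allow", "no rule matched")


if __name__ == "__main__":
    # Constructed sample requests, as a proxy or DNS filter would see them.
    for u in [
        "https://www.GAMBLING.example./casino",   # subdomain, uppercase, trailing dot
        "http://gambling.example.evil.example/",  # contains the name but is under evil.example
        "https://cdn.gambling.example/lib.js",    # allow-list exception
        "http://gambling.example@good.example/",  # decoy in userinfo
        "http://203.0.113.7/payload",             # blocked network
    ]:
        print(decide(u), u)
```

Whatever tool actually enforces the policy, the points this example makes are what to verify in its configuration: matching is on the parsed hostname, subdomains of a blocked domain are covered, exceptions are explicit and recorded, and every block decision carries a reason that can be logged and later shown to an auditor.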
Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.23 Web filtering: whether access to external websites is actually controlled, for example the documented filtering rules (blocked categories, domains or IP addresses), the configuration of the filtering tool that enforces them, and records showing that blocked requests are logged and that exceptions are approved.