ISO 27001 Annex A Control 8.7

ISO 27001 control 8.7 Protection against malware

The basics

ISO 27001 control A.8.7 Protection against malware requires companies to implement anti-malware solutions and support their use by making users aware of why they are important and how to use them. This control is important because it reduces the number of viruses and other malware that could be downloaded to devices and virtual servers.

Documentation

ISO 27001 control A.8.7 Protection against malware can be documented:

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.7 Protection against malware you might implement the following:

  • Technology — the technology to enable protection against malware will in most cases already be available in the company (e.g., antivirus and anti-spam software or service). Small companies may rely on standalone versions of this software, while bigger companies will need to use corporate versions where updates and monitoring can be performed in a centralized manner.
  • Organization/processes — you should set up a process for installing and configuring anti-malware, and define what users can and can’t do regarding anti-malware installed on their workstations. You can document those processes through Security Procedures for IT Department or an IT Security Policy.
  • People — make employees aware of why keeping anti-malware software active and updated on their workstations is needed, and train IT staff on how to install, configure, and keep it up to date.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.8.7 Protection against malware: whether protection against malware is implemented and supported by means of user awareness.