If employees visit websites with malicious content, this may expose corporate networks and information systems to security risks such as malware attacks.
For example, cyber attackers may send a phishing email to an employee’s work email, persuade him to click on a link, and visit a website. When the employee visits this website, they may automatically upload malware on the employee’s device and then infiltrate into corporate networks. This type of attack is called drive-by download and it automatically downloads malware once an employee visits a website.
Therefore, organisations should put in place appropriate web filtering controls to restrict and control access to external websites and prevent security threats.
Control 8.23 enables organisations to eliminate security risks such as malware infection that may arise as a result of access to external websites with malicious content.
Control 8.23 is a preventive type of control that requires organisations to put in place appropriate access controls and measures to prevent access to malicious content on external websites.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #System and Network Security | #Protection |
Considering that 8.28 involves identification of high-risk external websites and design and implementation of appropriate access and web filtering controls, the chief information security officer should be responsible to take appropriate steps for compliance.
Organisations should establish and implement necessary controls to prevent employees from accessing external websites that may contain viruses, phishing materials, or other types of illegal information.
One effective technique to prevent access to dangerous external websites is blocking the IP address or domain of websites identified as dangerous. For instance, some browsers and anti-malware tools enable organisations to do this automatically.
Control 8.23 notes that organisations should determine which types of websites should not be accessed by employees.
In particular, the following types of websites should be blocked:
Before designing and implementing this Control, organisations are advised to put in place rules for safe and appropriate access to and use of online resources. This should also include imposing restrictions on websites that contain inappropriate materials.
These rules should be reviewed and updated at regular intervals.
Control 8.23 requires that all staff should be provided with training on how to access and use online resources safely.
This training should cover the organisation’s own rules and should address how staff can raise his/her security concerns by contacting the relevant individual within the organisation.
Furthermore, training should also address how staff can access restricted websites for valid business reasons and how this exception process works for such access.
Last but not the least, training should address browser advisory that warns users that a website is not secure but that permits users to proceed. Staff should be instructed not to ignore such warnings.
There is a variety of web filtering techniques such as:
27002:2022/8.23 is a new type of control.
You can monitor and manage all aspects of your ISO 27002 compliance journey from one place – audit management, gap analysis, training management, risk assessment etc.
It provides an easy-to-use, integrated solution that can be accessed on a 24/7 basis via any device with an internet connection. The platform allows all employees to work together seamlessly and securely to manage security risks and track the organisation’s compliance, as well as the journey towards ISO 27001 certification.
Get in touch today to book a demo.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
