ISM-0963, ASD Information Security Manual (ISM)

Implementing Web Content Filters for Safety

Web filters help block harmful content from the internet.

Plain language

Web content filtering involves setting up systems to block or limit access to certain types of online content that could be harmful, like malicious websites or inappropriate material. This matters because without filtering, people might accidentally access harmful or illegal sites, leading to security breaches or reputational damage for your organisation.

Framework: ASD Information Security Manual (ISM)

Control effect: Preventative

Classifications: NC, OS, P, S, TS

ISM last updated: Nov 2022

Control Stack last updated: 19 May 2026

E8 maturity levels: N/A

Official control statement

Web content filtering is implemented to filter potentially harmful web-based content.

Why it matters

Without web content filtering, users may access phishing or malware sites, causing credential theft, malware infection, and data breaches.

Operational notes

Maintain category/URL rules and reputation feeds, test blocked/allowed lists, and review filter logs to tune policies and reduce bypass attempts.

Implementation tips

  • Managers should consult with the IT team to determine which categories of web content need to be filtered, such as sites known for malware or adult content. Discuss what types of content could be harmful to your organisation's operations and reputation.
  • HR should establish clear policies outlining acceptable internet use to align with the web filtering solution. Communicate these policies during training sessions and ensure employees know who to contact if they accidentally encounter restricted content.
  • Procurement should source and fund the web filtering solution. Obtain quotes, assess the compatibility with existing systems, and factor in any ongoing subscription or maintenance costs. Ensure the selection aligns with security standards set by the Australian Cyber Security Centre (ACSC).
  • System owners should regularly review and update the web filter categories. Schedule periodic reviews with the IT team to adjust settings based on evolving threats and operational needs, ensuring the filters remain effective as part of your overall security strategy.

Audit / evidence tips

  • Ask: The list of filtered web content categories. Request a document or dashboard screenshot showing which types of content are currently blocked by the web filtering system.
    Good: Includes up-to-date categories tailored to the organisation's needs and security policy.
  • Ask: Evidence of web filtering policy communication. Request records of training sessions or communication methods used to inform staff about web filtering policies.
    Good: Shows consistent communication and training records.
  • Ask: The IT team to show how the filtering is implemented on their system.
    Good: Demonstration shows the system filtering effectively and the team's understanding of its operation.
  • Ask: System logs or reports. Request logs or reports that detail blocked attempts or access attempts to restricted content.
    Good: Will show regular monitoring and adjustments based on these reports.
  • Ask: To see the review and update schedule. Request the schedule document that outlines how often the web filtering categories and the system configuration are reviewed.
    Good: Includes a schedule with dates for future reviews and evidence of past reviews.

Cross-framework mappings

How ISM-0963 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (1)
  • Annex A 8.23: Annex A 8.23 requires organisations to manage access to external websites to reduce exposure to malicious content

E8

Partially meets (1)
  • E8-AH-ML1.3: E8-AH-ML1.3 requires preventing web browsers from processing internet-served advertisements
Partially overlaps (1)
  • E8-AH-ML1.2: ISM-0963 requires organisations to implement web content filtering to block potentially harmful web-based content
Supports (1)
  • E8-RA-ML1.3: E8-RA-ML1.3 requires preventing privileged accounts from accessing internet, email and web services except where authorised

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
