Implement Web Content Filters for Outbound Traffic
Use web filters on outgoing internet traffic to block unsuitable content where necessary.
Plain language
Web content filters are like security guards for your internet. They keep an eye on what information travels from your organisation to the web, blocking harmful or inappropriate content. Without these filters, your business could be at risk of security breaches, employee misuse, or legal issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Web content filtering is applied to outbound web traffic where appropriate.
Why it matters
Without outbound web content filtering, organisations risk data exfiltration, malware downloads and policy breaches, causing financial loss and reputational harm.
Operational notes
Review filter categories and proxy rules regularly, tune allow/deny lists, and monitor logs for bypass attempts. Enable SSL inspection only where approved and documented.
Implementation tips
- IT Team: Install web filtering software on your network to automatically block access to harmful websites. Ensure it is configured to recognise and filter out inappropriate content categories like gambling, adult content, or known cyber threat sites.
- Procurement: Work with your IT team to select a web filtering service that is cost-effective and aligns with the needs of your organisation. Compare different providers' features, ease of use, and support offerings to make an informed decision.
- Senior Management: Communicate the importance of web content filters to staff through a formal policy and regular training sessions. Explain how these filters protect the organisation and why certain websites may be blocked.
- HR: Collaborate with IT to ensure that employee guidelines on acceptable internet use are clear and that disciplinary actions for breaches are well-defined. Regularly update these documents and share them with all staff.
- IT Team: Regularly review and update the filter settings to adapt to new threats and company policies. Develop a routine check-up schedule to ensure the filtering software is running effectively and efficiently.
Audit / evidence tips
- Ask: the web filtering policy document. Request a copy of the formal policy detailing web filtering practices.
  Good: shows a comprehensive list of blocked categories with clear explanations.
- Ask: a demonstration of the web filtering system. Request to see the software in action blocking inappropriate websites.
  Good: demonstration shows active, effective blocking and categorisation.
- Ask: user access logs from the web filter. Request logs that show blocked attempts to access unsuitable websites.
  Good: record includes regular blocks consistent with the policy.
- Ask: the IT maintenance schedule. Request documentation of routine checks and updates to the filtering system.
  Good: includes a clearly followed schedule with evidence of consistent reviews.
- Ask: training materials related to web filtering. Request copies of slides, manuals, or meeting minutes from training sessions.
  Good: includes up-to-date materials with attendance records.
Cross-framework mappings
How ISM-1237 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.23 | ISM-1237 requires web content filtering to be applied to outbound web traffic where appropriate | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.