Annex A 8.23 ISO/IEC 27001:2022

Web Filtering to Reduce Malicious Website Exposure

Limit access to risky websites to avoid malware and phishing threats.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Technological controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

19 Mar 2026

🎯 Maturity levels

N/A

Official control statement
Access to external websites shall be managed to reduce exposure to malicious content.

Source: ISO/IEC 27001:2022

Plain language

This control is about making sure your team members aren't accidentally stumbling onto harmful websites that could infect your systems with viruses or steal your information. Think of it like having a bouncer at a club, but for your internet browsing: keeping the bad stuff out and only letting in the good.

Why it matters

Unfiltered access to websites can lead to malware infections and phishing attacks, compromising sensitive data and disrupting operations.

Operational notes

Regularly update web filtering categories, validate block/allow lists, and review proxy/DNS logs to tune rules for new malicious sites.

Implementation tips

  • The IT manager should identify risky website categories, like those known for phishing or distributing malware. They can do this by referencing lists from cybersecurity agencies such as the ASD. Once identified, these websites should be blocked using web filtering tools available in many security software packages.
  • The HR department should ensure that all employees receive training on recognising unsafe websites and understanding why certain sites are blocked. This can be done through regular workshops or training sessions, where employees learn about internet safety and the organisation's policies.
  • The board should approve a clear policy on web usage that outlines which types of websites are banned and why. This policy should be informed by both ISO 27002:2022 guidance and the requirements under Australian regulations like the Privacy Act 1988.
  • IT staff should regularly update the web filtering system to adapt to new threats and business needs. This involves staying informed with threat intelligence reports (such as those provided by ASD) and adjusting block lists accordingly.
  • The security team should conduct regular audits of the web filtering system to ensure it is functioning as intended. This involves testing whether known malicious sites are effectively blocked and confirming that legitimate business needs are not hindered.
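The operational notes and the last implementation tip both come down to one recurring check: compare what the proxy or DNS filter actually did with what the block list and the approved business list say it should have done. The Python script below is an added example (not from the Control Stack page, the ISO standard or any filtering product) that performs that check offline. The log format, the domain lists and the sample log lines are all constructed for illustration; a real run would read the organisation's own proxy export and its threat-intelligence block list. It reports three findings an auditor of this control will ask about: known-bad domains that were allowed (a filter gap), approved business domains that were blocked (over-blocking that hinders legitimate work) and unlisted domains that were allowed (candidates for category review). Domain matching is suffix-based so that a block-list entry also covers its subdomains without matching look-alike names.

```python
"""Review web-filter proxy logs against block and allow lists.

Added example (not from the Control Stack page or ISO/IEC 27001). The log
format, domain lists and sample lines are constructed for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed lists. In practice the block list comes from threat-intelligence
# feeds (e.g. the ASD material the page refers to) and the allow list from the
# organisation's approved business domains.
BLOCKLIST = {"malware-drop.example", "phish-login.example", "dyn-dns.example"}
ALLOWLIST = {"payroll.example", "supplier-portal.example"}

# Constructed proxy log lines: timestamp user action url category
SAMPLE_LOG = """\
2026-03-19T09:00:01Z alice ALLOW https://payroll.example/login business
2026-03-19T09:00:07Z bob BLOCK http://cdn.malware-drop.example/x.bin malware
2026-03-19T09:01:12Z carol ALLOW http://update.dyn-dns.example/ dynamic-dns
2026-03-19T09:02:45Z bob BLOCK https://supplier-portal.example/orders uncategorised
2026-03-19T09:03:30Z alice ALLOW https://news.example/today news
2026-03-19T09:04:02Z dave ALLOW https://news.example/sport news
2026-03-19T09:05:55Z erin ALLOW https://phish-login.example/ uncategorised
"""


def host_of(url):
    """Return the normalised hostname of a URL, or None if it has none."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    return host.rstrip(".") if host else None


def matches(host, domains):
    """True if host is a listed domain or a subdomain of one.

    Suffix matching with a leading dot means 'malware-drop.example' covers
    'cdn.malware-drop.example' but not 'notmalware-drop.example'.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_log(text):
    """Yield (user, action, host, category) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the review
        _ts, user, action, url, category = parts
        host = host_of(url)
        if host:
            yield user, action.upper(), host, category


def review(log_text, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Classify each log entry into the findings an auditor asks about."""
    gaps, over_blocked, unlisted = [], [], Counter()
    for user, action, host, category in parse_log(log_text):
        blocked = action == "BLOCK"
        on_blocklist = matches(host, blocklist)
        on_allowlist = matches(host, allowlist)
        if on_blocklist and not blocked:
            gaps.append((host, user, category))          # known-bad got through
        elif on_allowlist and blocked:
            over_blocked.append((host, user, category))  # business site hindered
        elif not on_blocklist and not on_allowlist and not blocked:
            unlisted[host] += 1                          # review these categories
    return {
        "filter_gaps": gaps,
        "over_blocked": over_blocked,
        "unlisted_allowed": unlisted,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for finding, entries in report.items():
        print(f"{finding}:")
        for entry in (entries.most_common() if isinstance(entries, Counter) else entries):
            print("  ", entry)
```

Run against the constructed sample, the script flags the allowed dynamic-DNS and phishing hosts as filter gaps, the blocked supplier portal as over-blocking, and the news site as the only unlisted domain worth a category decision. The `filter_gaps` list is the evidence behind the audit tip "testing whether known malicious sites are effectively blocked"; `over_blocked` is the evidence that "legitimate business needs are not hindered".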

Audit / evidence tips

  • Ask: the latest web usage policy document

  • Ask: a demonstration of the web filtering system in action

  • Ask: training records or materials regarding web safety training

  • Ask: updates or change logs of web filter configurations

  • Ask: reports or alerts generated from the web filtering system

Cross-framework mappings

How Annex A 8.23 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8

Control Notes Details
Related (1)
E8-AH-ML1.2 E8-AH-ML1.2 requires that web browsers do not process Java content from the internet to reduce exposure to exploitation via browser-borne...

ASD ISM

Control Notes Details
Partially meets (2)
ISM-1236 ISM-1236 requires web content filters to block malicious domains, dynamic domains, and domains that can be registered anonymously for free
ISM-1485 ISM-1485 requires blocking browsers from processing web advertisements from the internet to reduce exposure to malicious content delivere...
Partially overlaps (4)
ISM-0659 ISM-0659 requires that files imported or exported via gateways or cross domain solutions (CDSs) undergo content filtering checks to detec...
ISM-0958 ISM-0958 requires an organisation-approved allow/block list of domain names or website categories for all HTTP/HTTPS traffic through gate...
ISM-1237 ISM-1237 requires web content filtering to be applied to outbound web traffic where appropriate
ISM-2068 ISM-2068 requires organisations to strictly limit internet connectivity to only those networked devices that require access
Supports (3)
ISM-0258 Annex A 8.23 requires organisations to manage access to external websites to reduce exposure to malicious content
ISM-0260 Annex A 8.23 requires organisations to manage access to external websites to reduce exposure to malicious content
ISM-0874 ISM-0874 requires all user devices to route internet access through the organisation’s gateway instead of direct connections
Related (5)
ISM-0267 Annex A 8.23 requires managing access to external websites to reduce exposure to malicious content
ISM-0961 Annex A 8.23 requires external website access to be managed to reduce exposure to malicious content
ISM-0963 Annex A 8.23 requires organisations to manage access to external websites to reduce exposure to malicious content
ISM-1171 Annex A 8.23 requires organisations to manage access to external websites to reduce exposure to malicious content
ISM-1782 Annex A 8.23 requires external website access to be managed to reduce exposure to malicious content
