Protection against malware
Implement measures and train users to prevent and detect malware threats.
Plain language
This control is all about stopping nasty software, like viruses or ransomware, from getting into your computer systems. If malware sneaks in, it could steal information, mess up your data, or even shut down important business operations, which could cost you time, money, and your hard-earned reputation.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Protection against malware shall be implemented and supported by appropriate user awareness.
Why it matters
Failure to prevent and detect malware (e.g. ransomware) can cause data theft, system outages and recovery costs, leading to regulatory and reputational harm.
Operational notes
Regularly update malware definitions and conduct frequent user training to stay ahead of evolving threats and social engineering tactics.
Implementation tips
- The IT manager should ensure that malware detection software is installed and regularly updated on all computers and devices. They can do this by enabling automatic updates and conducting routine checks to verify that the software is running and that its definitions are current.
- Human Resources and IT teams need to provide training to all employees on recognising and avoiding suspicious emails, links, and attachments. This can be done through regular workshops and online modules that explain how to spot phishing emails and what steps to take if they suspect a malware attack.
- Procurement should implement a policy that only allows authorised software to be used in the organisation. This involves maintaining a list of approved software and requiring all new software acquisitions to pass through a review process to ensure it's safe to use.
- The IT manager should set up rules that block access to known malicious websites and automatically scan downloaded files for malware. This can be achieved by configuring network firewalls and browser settings to block dangerous sites and using web filters.
- The Board should ensure a business continuity plan is in place for recovering from a malware attack. This includes regular backups of critical data and systems, and practicing recovery procedures to make sure they're effective and staff are familiar with them.
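The first tip calls for routine checks that anti-malware software is present, running and up to date, and the audit tips below expect scan logs showing consistent automated scans. The following script is an added example, not part of this control page or any vendor's tooling: it takes a small constructed export of endpoint status records (the field names, timestamps and thresholds are assumptions; substitute your own console's export) and flags each endpoint that breaches the policy thresholds, which is the kind of evidence an auditor would accept for this control.

```python
"""Check endpoint anti-malware status against policy thresholds.

Added example, not from the control page. The export format, field names and
thresholds below are assumptions; map them onto your own anti-malware console.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export of endpoint status, as a central console might provide it.
SAMPLE_EXPORT = [
    {"host": "ws-001", "realtime_protection": True,
     "definitions_updated": "2026-03-18T06:00:00Z", "last_scan": "2026-03-17T02:00:00Z"},
    {"host": "ws-002", "realtime_protection": True,
     "definitions_updated": "2026-03-10T06:00:00Z", "last_scan": "2026-03-17T02:00:00Z"},
    {"host": "srv-db1", "realtime_protection": False,
     "definitions_updated": "2026-03-18T06:00:00Z", "last_scan": "2026-02-20T02:00:00Z"},
    {"host": "ws-003", "realtime_protection": True,
     "definitions_updated": None, "last_scan": None},
]

# Fixed "current time" so the check is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 3, 19, 9, 0, 0, tzinfo=timezone.utc)

# Assumed policy thresholds: definitions no older than 2 days, a scheduled scan at least weekly.
MAX_DEFINITION_AGE = timedelta(days=2)
MAX_SCAN_GAP = timedelta(days=7)


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp; a missing value is reported as a finding, not an error."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_endpoint(record, now=NOW,
                      max_definition_age=MAX_DEFINITION_AGE, max_scan_gap=MAX_SCAN_GAP):
    """Return the list of policy breaches for one endpoint (empty list means compliant)."""
    findings = []
    if not record.get("realtime_protection"):
        findings.append("real-time protection disabled")

    updated = _parse(record.get("definitions_updated"))
    if updated is None:
        findings.append("no definition update recorded")
    elif now - updated > max_definition_age:
        findings.append(f"definitions stale ({(now - updated).days} days)")

    scanned = _parse(record.get("last_scan"))
    if scanned is None:
        findings.append("no scan recorded")
    elif now - scanned > max_scan_gap:
        findings.append(f"last scan {(now - scanned).days} days ago")
    return findings


def audit(records, now=NOW):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report = {}
    for record in records:
        findings = evaluate_endpoint(record, now)
        if findings:
            report[record["host"]] = findings
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    print(f"{len(SAMPLE_EXPORT) - len(result)} of {len(SAMPLE_EXPORT)} endpoints compliant")
    for host, findings in result.items():
        print(f"{host}: " + "; ".join(findings))
```

Run on a schedule and kept with its output, this produces a dated record of which endpoints lacked protection, stale definitions or overdue scans, which is more persuasive audit evidence than a screenshot of the console dashboard.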
Audit / evidence tips
- Ask: Request the malware protection policy and procedure documents.
  Good: The documents clearly specify the types of malware protection used and outline training programs for staff.
- Ask: Ask for logs or reports from malware scanning software.
  Good: Scan logs show consistent, automated scans with documented responses to any incidents.
- Ask: Request a list of authorised software.
  Good: There's a documented, up-to-date list with a clear approval process for new software additions.
- Ask: Inquire about the employee training schedule and materials on malware protection.
  Good: Training materials are regularly updated and cover identifying threats and preventative actions comprehensively.
- Ask: Request to see the business continuity plan that includes malware scenarios.
  Good: The plan includes detailed recovery procedures and has been tested in routine drills or simulations.
Cross-framework mappings
How Annex A 8.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-AH-ML2.3 | E8-AH-ML2.3 requires a specific technical restriction: Microsoft Office is blocked from creating executable content |
| Related | E8-AH-ML1.3 | Annex A 8.7 requires organisations to implement measures that protect against malware and to support them with user awareness |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1234 | ISM-1234 requires organisations to implement email content filtering to detect and block potentially harmful content in email bodies and ... |
| Partially meets | ISM-1288 | ISM-1288 requires that files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines |
| Partially meets | ISM-1289 | ISM-1289 requires archive files imported or exported via gateways or CDSs to be unpacked so the extracted contents can be content-filtere... |
| Partially meets | ISM-1341 | ISM-1341 requires a Host-based Intrusion Prevention System (HIPS) or Endpoint Detection and Response (EDR) solution to be implemented on ... |
| Partially meets | ISM-1389 | ISM-1389 requires executable files imported via gateways or CDSs to be automatically executed in a sandbox to detect suspicious behaviour |
| Partially meets | ISM-1486 | ISM-1486 requires that web browsers do not process Java from the internet as a measure to reduce web-borne code execution risk |
| Partially meets | ISM-1608 | ISM-1608 requires third-party standard operating environments (SOEs) to be scanned for malicious code and checked for unsafe/non-complian... |
| Partially meets | ISM-2026 | ISM-2026 requires all software artefacts to be scanned for malicious content before they are imported into the authoritative software source |
| Partially overlaps | ISM-0917 | Annex A 8.7 requires organisations to implement protection against malware and support it with user awareness to help prevent and detect ... |
| Partially overlaps | ISM-1745 | ISM-1745 requires boot-time security controls including Early Launch Antimalware and secure/trusted/measured boot to reduce the chance of... |
| Supports | ISM-0263 | ISM-0263 requires decrypting and inspecting TLS traffic at gateways so that malicious payloads and unsafe content can be detected in encr... |
| Supports | ISM-1287 | ISM-1287 requires that files imported or exported via gateways or cross domain solutions (CDSs) undergo content sanitisation to remove ha... |
| Supports | ISM-1290 | ISM-1290 requires controlled unpacking of archive files to prevent malicious or pathological archives from reducing filter performance or... |
| Supports | ISM-1299 | ISM-1299 provides user precautions that reduce malware introduction on mobile devices, such as not using gifted/unauthorised peripherals,... |
| Supports | ISM-1659 | ISM-1659 requires organisations to implement Microsoft's Vulnerable Driver Blocklist to reduce the chance malware or attackers can use vu... |
| Supports | ISM-1782 | ISM-1782 requires using protective DNS to block access to known malicious domains, helping prevent users and systems from reaching malwar... |
| Related | ISM-0651 | Annex A 8.7 requires organisations to implement malware protection measures and reinforce them through user awareness |
| Related | ISM-0652 | Annex A 8.7 requires the implementation of controls to prevent and detect malware and to support those controls with user awareness |
| Related | ISM-0657 | Annex A 8.7 requires implementing controls to protect against malware and ensuring users are aware of malware risks and behaviours |
| Related | ISM-1417 | ISM-1417 mandates detailed antivirus implementation requirements (signature and heuristic detection set high, reputation ratings, ransomw... |
| Related | ISM-1672 | Annex A 8.7 requires organisations to implement protection against malware and reinforce it through user awareness |
| Related | ISM-1890 | Annex A 8.7 requires organisations to implement protection against malware and support it with appropriate user awareness |
| Related | ISM-1969 | Annex A 8.7 requires implementing and supporting measures to prevent and detect malware, including user awareness |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.