| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive, Detective, Corrective | Confidentiality, Integrity, Availability | Protect | System and network security, Information protection | Protection, Defence |
The purpose of this control is to ensure that information and other associated assets are protected against malware.
Protection against malware should be implemented and supported by appropriate user awareness.
Ensure that a Protection Against Malware policy is in place.
Implement security awareness around malware: ensure that personnel understand what malware is, how it arrives (email attachments, downloads, removable media, compromised websites) and how to respond to a suspected infection.
Ensure that anti-malware software is installed on all systems in scope and that product updates and detection definitions are installed automatically. Scheduled scans, and reporting back to a central console so that failures and detections are visible, should also be in place.
Access to potentially malicious or dangerous websites should be blocked or managed, for example through web filtering or proxy controls.
Additional tools that prevent, and scan for, malware in email are to be considered and implemented where possible.
Business continuity and the ability to recover from an event are an important part of the ISO 27001 standard and act as a fallback should this control fail. The usual rules apply: have a plan, and test the plan.
Access to bulletins, newsletters and other sources of information on emerging malware threats should be incorporated into your processes and risk planning, so that there is a process of continual improvement that seeks to mitigate those threats.
Solid technical vulnerability management is part of the standard and links to this control: remove services that are not needed, block those that are not needed but cannot be removed, and keep solid configuration and technical management practices in place.
You will implement a topic specific policy that sets out what you do for the protection against malware.
For each asset type perform a risk assessment. Based on the risk assessment implement the appropriate controls to mitigate the risk.
Based on risk and business need, implement the technical controls that protect against malware, such as anti-malware software, email security software, anti-phishing technologies, firewalls and patch management. Ensure logging and monitoring are in place so that detections, failed updates and disabled agents are seen.
Implement training and communication. Ensure there is a programme of awareness and education. Implement appropriate response plans that include incident response, backup and recovery, and disaster recovery.
For audit purposes you will keep records. Examples of the records to keep include changes, updates, monitoring, review and audits.
Perform internal audits that include the testing of the controls to ensure that they are working.
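As an added example (not code from the original page or from the standard), the check below tests the anti-malware control described above the way an internal audit would: each endpoint status record is evaluated for an installed agent, real-time protection, fresh definitions, a recent scan and a recent check-in to the management console. The thresholds, the `exception_ref` field and the sample inventory are assumptions; the inventory is constructed, and in practice the records would come from your anti-malware console's export or API.

```python
"""Anti-malware control check over endpoint status records.

Added example (not from the original page): evaluates each endpoint
against the requirements above -- anti-malware installed, real-time
protection on, definitions updated recently, a scan completed recently,
and the agent reporting back to its console. Thresholds and the sample
inventory below are assumptions, not figures from the standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy thresholds; set these from your own risk assessment.
MAX_DEFINITION_AGE_DAYS = 3
MAX_SCAN_AGE_DAYS = 7
MAX_CHECKIN_AGE_DAYS = 1


@dataclass
class EndpointStatus:
    hostname: str
    av_installed: bool
    realtime_protection: bool
    definitions_updated: Optional[datetime]
    last_scan: Optional[datetime]
    last_checkin: Optional[datetime]
    # Risk-register reference when anti-malware cannot be installed and the
    # risk is accepted with compensating controls (hypothetical field).
    exception_ref: Optional[str] = None


def age_days(ts: Optional[datetime], now: datetime) -> Optional[float]:
    """Age of a timestamp in days, or None when it was never recorded."""
    return None if ts is None else (now - ts).total_seconds() / 86400


def evaluate(ep: EndpointStatus, now: datetime) -> List[str]:
    """Return finding codes for one endpoint; an empty list means compliant."""
    findings: List[str] = []
    if not ep.av_installed:
        if ep.exception_ref:
            # Accepted via risk management: still surfaced so the auditor can
            # check the compensating controls, but tagged as accepted risk.
            findings.append(f"av-missing-accepted-risk:{ep.exception_ref}")
        else:
            findings.append("av-missing")
        return findings  # nothing else to check without an agent
    if not ep.realtime_protection:
        findings.append("realtime-protection-off")
    defs = age_days(ep.definitions_updated, now)
    if defs is None or defs > MAX_DEFINITION_AGE_DAYS:
        findings.append("definitions-stale")
    scan = age_days(ep.last_scan, now)
    if scan is None or scan > MAX_SCAN_AGE_DAYS:
        findings.append("scan-overdue")
    seen = age_days(ep.last_checkin, now)
    if seen is None or seen > MAX_CHECKIN_AGE_DAYS:
        findings.append("not-reporting")
    return findings


def audit(endpoints: List[EndpointStatus], now: datetime) -> Dict[str, List[str]]:
    """Evaluate every endpoint; keeps findings per host for the audit record."""
    return {ep.hostname: evaluate(ep, now) for ep in endpoints}


def summary(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Headline figures for the management review."""
    total = len(report)
    compliant = sum(1 for f in report.values() if not f)
    return {"total": total, "compliant": compliant, "noncompliant": total - compliant}


# Constructed sample inventory (not real hosts) relative to a fixed "now".
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    EndpointStatus("ws-01", True, True, NOW - timedelta(days=1), NOW - timedelta(days=2), NOW - timedelta(hours=2)),
    EndpointStatus("ws-02", True, True, NOW - timedelta(days=10), NOW - timedelta(days=2), NOW - timedelta(hours=1)),
    EndpointStatus("srv-03", False, False, None, None, None),
    EndpointStatus("ot-04", False, False, None, None, None, exception_ref="RR-0042"),
    EndpointStatus("ws-05", True, False, NOW - timedelta(days=1), None, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ENDPOINTS, NOW)
    for host, findings in sorted(report.items()):
        print(f"{host:8} {'OK' if not findings else ', '.join(findings)}")
    print(summary(report))
```

The per-host findings are the evidence an auditor asks for; the accepted-risk hosts are deliberately kept in the output rather than filtered away, because the compensating controls named in the risk register are what the audit then has to verify.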
A common mistake is having a weak anti-malware solution, or none at all. There may be occasions where installing one is not possible, and that is acceptable: you manage it with compensating controls and through risk management. Where it is possible, however, the solution should be installed, operating and up to date.
Another common mistake with this control is relying only on antivirus or anti-malware technology. The control is specific that it must be supported by education and user awareness. Be sure to incorporate education and awareness into your plans and consider the other guidance provided above.
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having an evidenced review within the last 12 months, and having documents with no unresolved comments or tracked changes left in them are all good practices.