What the auditor wants to verify
Audit objective
Verify that malware protection is deployed, current, monitored, supported by user awareness, and backed by a recorded response process.
Evidence to request
| Evidence | Purpose |
|---|---|
| Malware protection policy/standard | Shows rules are defined |
| EDR/anti-malware coverage report | Shows protected and unprotected systems |
| Update/signature/engine status report | Shows protection is current |
| Real-time and scheduled scan settings | Shows scanning is configured |
| Email/web/file/removable media controls | Shows common infection paths are controlled |
| Malware alerts and quarantine logs | Shows detection is operating |
| Malware infection response records | Shows incidents are recorded and handled |
| Rebuild/cleaning verification records | Shows recovery was validated |
| Awareness training records | Shows users were trained |
Strong evidence
- Malware protection coverage is inventoried.
- Updates are monitored and exceptions are investigated.
- Real-time scanning is enabled where feasible.
- Sensitive/shared systems have layered scanning or documented risk rationale.
- Infections are recorded and closed with verification.
- Users can explain suspicious links, fake prompts, risky downloads, and reporting steps.
Weak evidence
- Tool is installed but update status is unknown.
- Servers, mobile devices, or cloud workloads are excluded without risk assessment.
- Alerts exist but no one reviews them.
- Automatic cleaning is accepted without verification.
- Training records do not cover malware behavior.
- Users install unapproved “security” tools.
Sample interview questions
- What malware protection tool is approved?
- How do you know it is installed and current?
- What should users do if they see a suspicious link, attachment, or fake update prompt?
- What happens after malware is detected?
- How do you verify that a cleaned system is safe?
- Are mobile devices or servers handled differently?
Common nonconformities
- Malware protection not deployed to all in-scope systems.
- Update failures not monitored.
- No infection response records.
- No awareness evidence.
- No verification after cleaning.
- Unapproved/free tools used without suitability review.
Related notes
- Audit
- Evidence
- A8 7
- Iso27001
Note Metadata
Aliases: A.8.7 Evidence
Source: 04 Audit Evidence Packs/A.8.7 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.7 - Protection Against Malware
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.7 Protection Against Malware
- A.8.7 Audit Checklist
- Malware Awareness Checklist
- Malware Infection Response Record
- Malware Protection Coverage and Update Register
- Malware Protection Standard
- Audit Evidence Index