UnixTime

Research Note

ISO 27001 A.8.23 - Web Filtering

Users can be compromised by visiting malicious websites, downloading fake tools, following phishing links, or connecting to command-and-control infrastructure. Web filtering red...

On this page

Requirement

Requirement lens

This control asks whether access to external websites is managed to reduce exposure to malicious content.

“Access to external websites shall be managed to reduce exposure to malicious content.”

Plain-language meaning

Users can be compromised by visiting malicious websites, downloading fake tools, following phishing links, or connecting to command-and-control infrastructure. Web filtering reduces this exposure by blocking or warning on risky website categories, known malicious domains, and policy-violating destinations.

Web filtering does not replace user awareness. It adds a technical layer because people still make mistakes.

Why this matters

Malicious websites are common delivery paths for malware, credential theft, fake antivirus scams, browser exploits, drive-by downloads, and command-and-control traffic. Web filtering can prevent access, alert on suspicious attempts, and feed monitoring or incident response.

The hard part is balance. Overblocking damages business activity. Underblocking leaves users exposed.

Implementation guidance

Implementer focus

Define the policy first, then configure the tool. Do not let the default category list become the policy.

1. Define web filtering policy

Decide which website categories are blocked, warned, allowed, or monitored. Base the decision on risk assessment, legal requirements, acceptable use, business need, and user group sensitivity.

2. Apply filtering to in-scope systems

Filtering may be endpoint-based, network-based, DNS-based, proxy-based, cloud secure web gateway-based, or a combination. The organization should understand which users, devices, locations, and remote-working scenarios are covered.

3. Manage uncategorized and false-positive sites

Define what happens when a site has no category, is incorrectly blocked, or needs business exception. Exceptions should be authorized, time-bound where appropriate, and reviewed.

4. Prevent bypass

Users should not be able to disable or bypass filtering casually. Bypass attempts should be logged or alerted where practical.

5. Connect high-risk events to monitoring

Attempts to access known malicious sites, command-and-control destinations, phishing infrastructure, or malware delivery sites may indicate compromise and should feed A.8.16 Monitoring Activities and incident handling.

Audit guidance

Auditor focus

Check policy, coverage, tool configuration, exceptions, bypass resistance, monitoring alerts, and user understanding.

Auditors should verify:

  • web filtering policy is defined and risk-based;
  • filtering is applied consistently to in-scope systems;
  • remote users and mobile devices are covered where required;
  • blocked categories match policy;
  • exceptions and false positives are authorized and reviewed;
  • users cannot manually bypass or disable filtering without approval;
  • attempts to reach known malicious or command-and-control destinations generate alerts where practical;
  • filtering effectiveness is reviewed;
  • staff understand what filtering exists and why.

Evidence examples

Evidence quality

Strong evidence proves web filtering policy, technical enforcement, exception control, monitoring, and review.

Evidence What it proves
Web filtering policy Rules are defined
Category/rule configuration Tool enforces policy
Coverage report In-scope users/devices are protected
Exception register Exceptions are authorized
Alert logs High-risk access attempts are detected
Review records Filtering remains effective and usable
User awareness records Staff know expected behaviour

Strong evidence

  • Filtering categories are mapped to policy and risk.
  • Coverage includes endpoints, remote users, and relevant network paths.
  • Exceptions have owner, reason, approval, and review date.
  • Bypass attempts are blocked or alerted.
  • Malicious destination attempts feed monitoring or incident handling.
  • Reviews consider both security effectiveness and business impact.

Weak evidence

  • Filtering tool exists but scope is unclear.
  • Categories are vendor defaults with no policy mapping.
  • Exceptions are permanent and ownerless.
  • Remote users bypass filtering.
  • Users can disable the agent.
  • Alerts are collected but not reviewed.
  • Legitimate business sites are blocked with no exception process.

Common failures

Implementation watchouts

A.8.23 fails when filtering is either unmanaged blocking or unmanaged bypass.

Failure Why it matters
No policy-to-category mapping Tool configuration becomes arbitrary
Unclear coverage Remote users or mobile devices may be exposed
Weak exception process Blocks are bypassed informally
Users can disable filtering Control is not enforceable
Alerts not monitored Compromise indicators are missed
No effectiveness review Filtering becomes stale or obstructive

Exam traps

Exam focus

A.8.23 reduces exposure to malicious external websites. It is not just acceptable-use blocking.

Trap Correct interpretation
Web filtering is only HR/productivity control The ISO control focuses on reducing malicious content exposure
User awareness is enough Awareness is important but technical filtering adds protection
Vendor categories define the policy The organization should choose categories based on risk and business need
Exceptions are harmless Exceptions need authorization and review
Blocked C2 attempts are just browsing violations They may indicate malware infection and should feed monitoring/incident handling

KB-ready summary

Mentor takeaway

A.8.23 reduces malicious web exposure. Strong implementation proves filtering policy, coverage, exception control, bypass resistance, alerting, and periodic review.

  • Define blocked, warned, allowed, and monitored categories.
  • Apply filtering consistently to in-scope users and devices.
  • Manage exceptions and false positives.
  • Prevent casual bypass.
  • Feed malicious destination attempts into monitoring and incident handling.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Web filtering
  • Malware protection
  • Audit

Note Metadata

Aliases: A.8.23, Web Filtering

Source: 05 Annex A Technological Controls/A.8.23 Web Filtering.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.