Requirement
Requirement lens
This control asks whether access to external websites is managed to reduce exposure to malicious content.
“Access to external websites shall be managed to reduce exposure to malicious content.”
Plain-language meaning
Users can be compromised by visiting malicious websites, downloading fake tools, following phishing links, or connecting to command-and-control infrastructure. Web filtering reduces this exposure by blocking or warning on risky website categories, known malicious domains, and policy-violating destinations.
Web filtering does not replace user awareness. It adds a technical layer because people still make mistakes.
Why this matters
Malicious websites are common delivery paths for malware, credential theft, fake antivirus scams, browser exploits, drive-by downloads, and command-and-control traffic. Web filtering can prevent access, alert on suspicious attempts, and feed monitoring or incident response.
The hard part is balance. Overblocking damages business activity. Underblocking leaves users exposed.
Implementation guidance
Implementer focus
Define the policy first, then configure the tool. Do not let the default category list become the policy.
1. Define web filtering policy
Decide which website categories are blocked, warned, allowed, or monitored. Base the decision on risk assessment, legal requirements, acceptable use, business need, and user group sensitivity.
2. Apply filtering to in-scope systems
Filtering may be endpoint-based, network-based, DNS-based, proxy-based, cloud secure web gateway-based, or a combination. The organization should understand which users, devices, locations, and remote-working scenarios are covered.
3. Manage uncategorized and false-positive sites
Define what happens when a site has no category, is incorrectly blocked, or needs business exception. Exceptions should be authorized, time-bound where appropriate, and reviewed.
4. Prevent bypass
Users should not be able to disable or bypass filtering casually. Bypass attempts should be logged or alerted where practical.
5. Connect high-risk events to monitoring
Attempts to access known malicious sites, command-and-control destinations, phishing infrastructure, or malware delivery sites may indicate compromise and should feed A.8.16 Monitoring Activities and incident handling.
Audit guidance
Auditor focus
Check policy, coverage, tool configuration, exceptions, bypass resistance, monitoring alerts, and user understanding.
Auditors should verify:
- web filtering policy is defined and risk-based;
- filtering is applied consistently to in-scope systems;
- remote users and mobile devices are covered where required;
- blocked categories match policy;
- exceptions and false positives are authorized and reviewed;
- users cannot manually bypass or disable filtering without approval;
- attempts to reach known malicious or command-and-control destinations generate alerts where practical;
- filtering effectiveness is reviewed;
- staff understand what filtering exists and why.
Evidence examples
Evidence quality
Strong evidence proves web filtering policy, technical enforcement, exception control, monitoring, and review.
| Evidence | What it proves |
|---|---|
| Web filtering policy | Rules are defined |
| Category/rule configuration | Tool enforces policy |
| Coverage report | In-scope users/devices are protected |
| Exception register | Exceptions are authorized |
| Alert logs | High-risk access attempts are detected |
| Review records | Filtering remains effective and usable |
| User awareness records | Staff know expected behaviour |
Strong evidence
- Filtering categories are mapped to policy and risk.
- Coverage includes endpoints, remote users, and relevant network paths.
- Exceptions have owner, reason, approval, and review date.
- Bypass attempts are blocked or alerted.
- Malicious destination attempts feed monitoring or incident handling.
- Reviews consider both security effectiveness and business impact.
Weak evidence
- Filtering tool exists but scope is unclear.
- Categories are vendor defaults with no policy mapping.
- Exceptions are permanent and ownerless.
- Remote users bypass filtering.
- Users can disable the agent.
- Alerts are collected but not reviewed.
- Legitimate business sites are blocked with no exception process.
Common failures
Implementation watchouts
A.8.23 fails when filtering is either unmanaged blocking or unmanaged bypass.
| Failure | Why it matters |
|---|---|
| No policy-to-category mapping | Tool configuration becomes arbitrary |
| Unclear coverage | Remote users or mobile devices may be exposed |
| Weak exception process | Blocks are bypassed informally |
| Users can disable filtering | Control is not enforceable |
| Alerts not monitored | Compromise indicators are missed |
| No effectiveness review | Filtering becomes stale or obstructive |
Exam traps
Exam focus
A.8.23 reduces exposure to malicious external websites. It is not just acceptable-use blocking.
| Trap | Correct interpretation |
|---|---|
| Web filtering is only HR/productivity control | The ISO control focuses on reducing malicious content exposure |
| User awareness is enough | Awareness is important but technical filtering adds protection |
| Vendor categories define the policy | The organization should choose categories based on risk and business need |
| Exceptions are harmless | Exceptions need authorization and review |
| Blocked C2 attempts are just browsing violations | They may indicate malware infection and should feed monitoring/incident handling |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.7 Protection Against Malware
- A.8.12 Data Leakage Prevention
- A.8.16 Monitoring Activities
- A.8.20 Networks Security
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.6.3 Information Security Awareness Education and Training
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- Risk Assessment
- Statement of Applicability
- Web Filtering Policy and Category Matrix
- Web Filtering Exception Register
- Web Filtering Coverage Review
- A.8.23 Audit Evidence Pack
- A.8.23 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.23 reduces malicious web exposure. Strong implementation proves filtering policy, coverage, exception control, bypass resistance, alerting, and periodic review.
- Define blocked, warned, allowed, and monitored categories.
- Apply filtering consistently to in-scope users and devices.
- Manage exceptions and false positives.
- Prevent casual bypass.
- Feed malicious destination attempts into monitoring and incident handling.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Web filtering
- Malware protection
- Audit
Note Metadata
Aliases: A.8.23, Web Filtering
Source: 05 Annex A Technological Controls/A.8.23 Web Filtering.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Control
ISO 27001 A.8.23 - Web FilteringRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
- A.8 Technological Controls MOC
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- A.8.23 Audit Evidence Pack
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.7 - Protection Against Malware
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.23 Web Filtering
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-036 - Network Services, Segregation, and Web Filtering
- ISO 27002 Annex A Control Interpretation Map
- A.8.23 Audit Checklist
- Web Filtering Coverage Review
- Web Filtering Exception Register
- Web Filtering Policy and Category Matrix
- Annex A Controls MOC