Requirement
Requirement lens
This control asks whether malware protection is implemented and supported by user awareness.
“Protection against malware shall be implemented and supported by appropriate user awareness.”
Plain-language meaning
The organization should reduce the chance that malicious software infects systems, spreads through files or connected services, damages information, or gives attackers unauthorized access.
This is not just “install antivirus.” A.8.7 expects a combination of technical controls, regular updates, scanning, monitoring, response procedures, infection records, and user awareness about risky links, downloads, email attachments, websites, and fake security prompts.
Why this matters
Malware can compromise confidentiality, integrity, and availability. It can encrypt files, steal credentials, alter data, exfiltrate information, disable security tools, move laterally, or spread to systems and services the infected user can access.
Malware prevention is never perfect because new or changed malware may not be detected immediately. That is exactly why the control needs layered protection, current updates, user awareness, and a clear infection response process.
Implementation guidance
Implementer focus
Combine background technical controls with user behavior controls. Users should know what not to click, and systems should still protect them when they make mistakes.
1. Define malware protection rules
The malware protection policy or standard should cover:
- systems and device types in scope;
- approved malware protection tools;
- update frequency and fallback manual update process;
- real-time/background scanning requirements;
- scheduled scan requirements where continuous scanning is not possible;
- handling of incoming software, email, files, websites, and removable media;
- alerting, quarantine, cleaning, rebuild, and recovery steps;
- infection recording and escalation;
- user awareness requirements.
2. Keep protection current
Malware protection should be updated continuously where possible. If dynamic updates are not technically possible, the organization should define a manual update process and evidence that it is followed.
3. Use layered protection where justified
For sensitive systems or systems supporting many users, a second scanning layer or different malware detection tool can improve detection. Examples include email gateway scanning plus endpoint EDR, file upload scanning, or separate malware scanning for shared file services.
4. Include mobile and non-standard devices
Mobile devices, servers, cloud workloads, and specialized systems may not all support the same malware controls. The organization should decide what protection is appropriate and document compensating controls where standard tools are not feasible.
5. Train users on malware behavior
Awareness should include practical examples:
- suspicious links and attachments;
- fake antivirus or fake update prompts;
- unexpected password prompts;
- risky downloads and unofficial software;
- unsafe websites;
- how to report suspected malware.
6. Define infection response
The organization should define what happens when malware is suspected or confirmed. Automatic cleaning is not always enough. For serious infections, wiping and rebuilding the device may be safer than trusting a cleaning attempt.
Audit guidance
Auditor focus
Confirm malware protection is deployed, current, monitored, and understood by users. Then test whether infection response is recorded and effective.
Auditors should verify:
- malware protection policy or standard;
- malware protection coverage by system/device type;
- update configuration and update status;
- real-time/background scanning settings;
- scheduled scanning where needed;
- email/web/download/removable media controls;
- malware alert records and response records;
- evidence that cleaning, quarantine, rebuild, or recovery actions were verified;
- mobile device malware protection or compensating controls;
- user awareness training and interview results.
For sensitive systems, auditors should ask whether more than one detection layer is used or whether the risk assessment explains why it is not needed.
Evidence examples
Evidence quality
Strong evidence proves malware controls are deployed, updated, monitored, tested through incidents, and reinforced through awareness.
| Evidence | What it proves |
|---|---|
| Malware protection standard | Rules and responsibilities are defined |
| EDR/anti-malware deployment report | Coverage is known |
| Signature/engine/update report | Protection is current |
| Alert/quarantine logs | Detection is operating |
| Infection response records | Malware events are handled and recorded |
| Rebuild/cleaning verification records | Recovery was verified |
| Email/web/file scanning configuration | Multiple infection paths are controlled |
| Awareness training records | Users were trained on malware risks |
Strong evidence
- Malware protection covers endpoints, servers, and relevant mobile/cloud systems.
- Update status is monitored and exceptions are investigated.
- Real-time scanning is enabled where feasible.
- High-risk shared systems have additional scanning or justified compensating controls.
- Malware incidents are logged, investigated, cleaned/rebuilt, and verified.
- Users can explain how to report suspicious links, attachments, downloads, or fake prompts.
Weak evidence
- Antivirus is installed but update status is unknown.
- Malware protection coverage is assumed but not inventoried.
- Mobile devices or servers are excluded without risk assessment.
- Users receive generic security training but no malware examples.
- Infections are cleaned automatically with no verification.
- Free or unapproved tools are used without assessing suitability.
Common failures
Implementation watchouts
A.8.7 fails when anti-malware is treated as a product installation instead of an operating control.
| Failure | Why it matters |
|---|---|
| No coverage inventory | Unprotected systems remain invisible |
| Outdated definitions or engines | Known malware is not detected |
| No user awareness | Users keep enabling infection paths |
| No infection records | Lessons, recurrence, and impact are missed |
| Automatic cleaning trusted blindly | Persistent malware may remain |
| Mobile or cloud workloads ignored | Infection paths shift to unmanaged platforms |
| Unapproved free tools | Protection may be weak or malicious itself |
Exam traps
Exam focus
A.8.7 explicitly combines malware protection with user awareness. Technical controls alone are not the full answer.
| Trap | Correct interpretation |
|---|---|
| Antivirus installation proves compliance | Coverage, updates, monitoring, response, and awareness evidence are also needed |
| Malware is only a Windows endpoint issue | Most operating systems and many device types can face malware risk |
| Automatic cleaning is always enough | Serious infections may require wipe/rebuild and verification |
| Users are irrelevant if tools run in the background | Awareness reduces risky clicking, downloads, fake prompts, and unsafe behavior |
| Free security tools are acceptable by default | Tools should be approved and suitable for the risk |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.1 User End Point Devices
- A.8.5 Secure Authentication
- A.6.3 Information Security Awareness Education and Training
- A.6.8 Information Security Event Reporting
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.27 Learning from Information Security Incidents
- Risk Assessment
- Statement of Applicability
- Malware Protection Standard
- Malware Protection Coverage and Update Register
- Malware Infection Response Record
- Malware Awareness Checklist
- A.8.7 Audit Evidence Pack
- A.8.7 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.7 is not “buy antivirus.” It is an operating control that combines current malware protection, layered detection where justified, infection response, verification after cleaning or rebuild, and user awareness.
- Define malware protection requirements by system type and risk.
- Monitor deployment and update status.
- Use background scanning and scheduled scans where appropriate.
- Train users on realistic malware behaviors.
- Record malware infections and verify recovery.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Malware protection
- Endpoint security
- Awareness
- Audit
Note Metadata
Aliases: A.8.7, Protection Against Malware, Malware Protection
Source: 05 Annex A Technological Controls/A.8.7 Protection Against Malware.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
- A.8 Technological Controls MOC
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.8.7 Audit Evidence Pack
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.5 - Secure Authentication
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.7 Protection Against Malware
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-029 - Malware Protection
- ISO 27002 Annex A Control Interpretation Map
- A.8.7 Audit Checklist
- Malware Awareness Checklist
- Malware Infection Response Record
- Malware Protection Coverage and Update Register
- Malware Protection Standard
- Web Filtering Policy and Category Matrix
- Annex A Controls MOC