UnixTime

Research Note

ISO 27001 A.8.7 - Protection Against Malware

The organization should reduce the chance that malicious software infects systems, spreads through files or connected services, damages information, or gives attackers unauthori...

On this page

Requirement

Requirement lens

This control asks whether malware protection is implemented and supported by user awareness.

“Protection against malware shall be implemented and supported by appropriate user awareness.”

Plain-language meaning

The organization should reduce the chance that malicious software infects systems, spreads through files or connected services, damages information, or gives attackers unauthorized access.

This is not just “install antivirus.” A.8.7 expects a combination of technical controls, regular updates, scanning, monitoring, response procedures, infection records, and user awareness about risky links, downloads, email attachments, websites, and fake security prompts.

Why this matters

Malware can compromise confidentiality, integrity, and availability. It can encrypt files, steal credentials, alter data, exfiltrate information, disable security tools, move laterally, or spread to systems and services the infected user can access.

Malware prevention is never perfect because new or changed malware may not be detected immediately. That is exactly why the control needs layered protection, current updates, user awareness, and a clear infection response process.

Implementation guidance

Implementer focus

Combine background technical controls with user behavior controls. Users should know what not to click, and systems should still protect them when they make mistakes.

1. Define malware protection rules

The malware protection policy or standard should cover:

  • systems and device types in scope;
  • approved malware protection tools;
  • update frequency and fallback manual update process;
  • real-time/background scanning requirements;
  • scheduled scan requirements where continuous scanning is not possible;
  • handling of incoming software, email, files, websites, and removable media;
  • alerting, quarantine, cleaning, rebuild, and recovery steps;
  • infection recording and escalation;
  • user awareness requirements.

2. Keep protection current

Malware protection should be updated continuously where possible. If dynamic updates are not technically possible, the organization should define a manual update process and evidence that it is followed.

3. Use layered protection where justified

For sensitive systems or systems supporting many users, a second scanning layer or different malware detection tool can improve detection. Examples include email gateway scanning plus endpoint EDR, file upload scanning, or separate malware scanning for shared file services.

4. Include mobile and non-standard devices

Mobile devices, servers, cloud workloads, and specialized systems may not all support the same malware controls. The organization should decide what protection is appropriate and document compensating controls where standard tools are not feasible.

5. Train users on malware behavior

Awareness should include practical examples:

  • suspicious links and attachments;
  • fake antivirus or fake update prompts;
  • unexpected password prompts;
  • risky downloads and unofficial software;
  • unsafe websites;
  • how to report suspected malware.

6. Define infection response

The organization should define what happens when malware is suspected or confirmed. Automatic cleaning is not always enough. For serious infections, wiping and rebuilding the device may be safer than trusting a cleaning attempt.

Audit guidance

Auditor focus

Confirm malware protection is deployed, current, monitored, and understood by users. Then test whether infection response is recorded and effective.

Auditors should verify:

  • malware protection policy or standard;
  • malware protection coverage by system/device type;
  • update configuration and update status;
  • real-time/background scanning settings;
  • scheduled scanning where needed;
  • email/web/download/removable media controls;
  • malware alert records and response records;
  • evidence that cleaning, quarantine, rebuild, or recovery actions were verified;
  • mobile device malware protection or compensating controls;
  • user awareness training and interview results.

For sensitive systems, auditors should ask whether more than one detection layer is used or whether the risk assessment explains why it is not needed.

Evidence examples

Evidence quality

Strong evidence proves malware controls are deployed, updated, monitored, tested through incidents, and reinforced through awareness.

Evidence What it proves
Malware protection standard Rules and responsibilities are defined
EDR/anti-malware deployment report Coverage is known
Signature/engine/update report Protection is current
Alert/quarantine logs Detection is operating
Infection response records Malware events are handled and recorded
Rebuild/cleaning verification records Recovery was verified
Email/web/file scanning configuration Multiple infection paths are controlled
Awareness training records Users were trained on malware risks

Strong evidence

  • Malware protection covers endpoints, servers, and relevant mobile/cloud systems.
  • Update status is monitored and exceptions are investigated.
  • Real-time scanning is enabled where feasible.
  • High-risk shared systems have additional scanning or justified compensating controls.
  • Malware incidents are logged, investigated, cleaned/rebuilt, and verified.
  • Users can explain how to report suspicious links, attachments, downloads, or fake prompts.

Weak evidence

  • Antivirus is installed but update status is unknown.
  • Malware protection coverage is assumed but not inventoried.
  • Mobile devices or servers are excluded without risk assessment.
  • Users receive generic security training but no malware examples.
  • Infections are cleaned automatically with no verification.
  • Free or unapproved tools are used without assessing suitability.

Common failures

Implementation watchouts

A.8.7 fails when anti-malware is treated as a product installation instead of an operating control.

Failure Why it matters
No coverage inventory Unprotected systems remain invisible
Outdated definitions or engines Known malware is not detected
No user awareness Users keep enabling infection paths
No infection records Lessons, recurrence, and impact are missed
Automatic cleaning trusted blindly Persistent malware may remain
Mobile or cloud workloads ignored Infection paths shift to unmanaged platforms
Unapproved free tools Protection may be weak or malicious itself

Exam traps

Exam focus

A.8.7 explicitly combines malware protection with user awareness. Technical controls alone are not the full answer.

Trap Correct interpretation
Antivirus installation proves compliance Coverage, updates, monitoring, response, and awareness evidence are also needed
Malware is only a Windows endpoint issue Most operating systems and many device types can face malware risk
Automatic cleaning is always enough Serious infections may require wipe/rebuild and verification
Users are irrelevant if tools run in the background Awareness reduces risky clicking, downloads, fake prompts, and unsafe behavior
Free security tools are acceptable by default Tools should be approved and suitable for the risk

KB-ready summary

Mentor takeaway

A.8.7 is not “buy antivirus.” It is an operating control that combines current malware protection, layered detection where justified, infection response, verification after cleaning or rebuild, and user awareness.

  • Define malware protection requirements by system type and risk.
  • Monitor deployment and update status.
  • Use background scanning and scheduled scans where appropriate.
  • Train users on realistic malware behaviors.
  • Record malware infections and verify recovery.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Malware protection
  • Endpoint security
  • Awareness
  • Audit

Note Metadata

Aliases: A.8.7, Protection Against Malware, Malware Protection

Source: 05 Annex A Technological Controls/A.8.7 Protection Against Malware.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.