
Series: New Controls in ISO/IEC 27001:2022 Annex A

  • sujosutech
  • Jul 25

Web Filtering

In this article series, we are analyzing the implementation aspects of the 11 new controls of ISO/IEC 27001:2022 Annex A. The penultimate article of the series explores the new technological control 8.23 (Web filtering). 


Control 

Control 8.23 (Web filtering) defines the best practices for managing access to external websites. 


Attributes 

Implementing this control helps an organization prevent access to unauthorized websites and hence reduce exposure to malware. This helps protect the confidentiality, integrity and availability of information systems and networks.


Implementation 

The organization should identify the types of websites that should not be accessed (e.g. malicious websites, websites sharing illegal content etc.) and restrict its personnel from accessing them. This can be achieved through a combination of security policies and technological controls (e.g. blocking the IP addresses of the websites, configuring web browsers, using anti-malware etc.). Personnel should be trained at regular intervals so that they are aware of the secure and acceptable use of web resources.


Personnel may sometimes need to access restricted websites for legitimate business purposes. The organization should define processes for such exceptional scenarios and must ensure that these processes are followed.


Artefacts 

The contents and implementation of the following security policies and procedures may be impacted by the above control: 

  • Acceptable Use Policy – This defines the acceptable and unacceptable usage of web resources. 

  • Configuration Management Procedure – Rules for the secure configuration of web browsers and web filters may be defined within this procedure. 

  • Security Operating Procedures – Rules for the implementation and usage of web filtering may be defined within security operating procedures. 

  • Technical Vulnerability Management Procedure – Rules for the management of technical vulnerabilities are defined in this procedure. This should state the measures to be adopted in case personnel need to access restricted websites for legitimate business purposes. 


How Sujosu Technology Can Help 

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include: 

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure. 

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks. 

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals. 

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively. 


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. In addition, we organize webinars and publish insightful articles to create awareness of various aspects of cyber security and data privacy.


Partner with Sujosu Technology 

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders. 

 
