ISO 27001:2022 – 8.23 Web Filtering

David Morrison
October 12, 2023

In the recent release of ISO/IEC 27001:2022, a new control was added to Annex A: 8.23 Web filtering. The control itself was well overdue, even though the underlying technology has been around for decades. To be honest, you almost certainly already have some form of web filtering in place as part of technologies you have already implemented. 8.23 Web filtering formalises this: it ensures you have a structured strategy for what you filter and how, and that your personnel are aware of safe browsing practices.

What is web filtering and why do we need it?

Before we get into the details of the new control, what exactly is web filtering and why has it been added to ISO 27001:2022?

In a nutshell, web filtering is a technology that controls what content a user is capable of accessing on the Internet. This can be performed through a variety of mechanisms, such as URL filtering, category-based filtering, or keyword filtering. Web filters can be implemented in a variety of ways, including software on individual computers, as part of network gateway controls such as firewalls or proxy servers, or via cloud-based solutions. Simply put, the filters work by comparing the requested website or content against a database or set of rules to determine whether it should be allowed or blocked. One practical caveat: for HTTPS traffic, a network-based filter that does not perform TLS inspection only sees the hostname (from DNS or the TLS SNI field), not the full URL path or the page content, so URL-path and keyword filtering need either inspection at the gateway or an agent on the endpoint.

There are a number of reasons why an organisation would have this control in place, including, but not limited to:

  • Protection Against Malware: To protect against the downloading or installation of malware from malicious websites. Malware can be delivered through direct downloads, ads, or even seemingly innocent websites.
  • Intellectual Property Protection: By blocking file sharing and torrent sites, web filtering can reduce the risk of unauthorised distribution of copyrighted material which could otherwise expose your business to legal ramifications.
  • Prevention of Phishing Attacks: Phishing sites often impersonate legitimate websites to steal user credentials. Web filters can block known phishing sites, thereby protecting user data and corporate resources.

As you can imagine, while web filtering helps address these use cases, it isn’t a silver bullet. It’s one layer of a layered approach to reducing risk.

Business risk posed by the implementation of web filtering

I would be remiss if I didn’t discuss the negative impact web filtering can have on a business if it is not planned and tested properly. It is not a ‘tick a box in the configuration screen and walk away’ type of control. If you treat it that way then, depending on your business model and what your users need to access on the Internet, be prepared for pushback and angry users on the warpath.

Let me use two examples I have seen go wrong in environments I’ve personally worked in.

Geographical Filters

A typical control now found in most security products is filtering by geography, commonly known as geofencing. It may seem fine to block a geographical region that is known for launching malicious campaigns, but are you sure your organisation has no business dealings with any person or organisation in that region? Some organisations can easily turn on geofencing controls because they know for certain they have no dealings in that region, but larger, more complex organisations need to confirm this won’t break critical business processes before going straight into ‘block’ mode.

When turning on geofencing, it’s common for organisations to block regions known for bad actors, such as Russia and surrounding states. In practice, I’ve seen this cause issues when the person applying the filtering was unaware the organisation was using developers in Ukraine, which is a common country leveraged for legitimate remote development teams.

Bear in mind too that geofencing isn’t perfect. Attackers route through VPNs and compromised systems located outside the blocked zone, so a geographic block is not foolproof. Again, it’s one small piece of a layered approach to security.

Category Based Filters

One of the oldest types of web filtering control is category-based filtering. This is where a database of websites is curated by the vendor providing the service and each site is assigned a category. Examples include categories like education, gambling, adult content, and online games. Based on your business and its likely Internet use cases, you pick the categories that are acceptable to your business and allow access, and identify which categories have no real ‘business purpose’ and can be blocked. While this seems simple on the surface and will work for some companies, again you need to know every aspect of your business, what data each part of it needs access to, and also how the vendor defines these categories.

As many know, I was the head of security at a major Australian university for many years, and I remember our initial foray into web filtering back at the turn of the century. At that time it was cutting-edge technology, so not as advanced as today’s tech, but blocking ‘adult content’ or ‘pornography’ in a university environment doesn’t always work, especially if you have art faculties. There can be a very fine line between adult content containing nude images and nude images produced by artists, and web filtering categories don’t necessarily capture the distinction between the two. This is where you need to understand every aspect of the business, as well as understand how the technology works. Also, in that type of environment filled with researchers, it’s hard to know what everyone is legitimately researching.

I have a soft spot in my heart for web filter coaching. If a staff member hadn’t ignored the coaching screens and downloaded ‘inappropriate material’, I never would have met my wife, who was the fraud and corruption investigator at the same university ❤️

What is the expectation of ISO 27001 Annex A 8.23?

In the new 2022 standard, Annex A control 8.23 states:

“Access to external websites shall be managed to reduce exposure to malicious content.”

As with all the Annex A controls, it is broad: it gives us an idea of what the objective of the control is, but is left very open for us to satisfy that objective with the technical and process controls that suit our specific business and risk appetite.

ISO 27002 web filtering implementation advice

If you have read my other articles, you will know that I always look at the accompanying ISO 27002 standard to gain a better understanding of what ISO 27001 actually wants from each control. While we don’t have to follow the implementation advice from 27002, it’s the best way to ensure we are covering what is expected from the control, especially if you are looking to certify to the standard.

27002 adds a purpose for the control, stating:

“To protect systems from being compromised by malware and to prevent access to unauthorized web resources.”

We talked about this earlier in the article when we discussed why we need web filtering, and according to 27002, we are spot on!

27002’s guidance for this control is one of the shortest of the 11 new controls and basically states:

“The organization should identify the types of websites to which personnel should or should not have access. The organization should consider blocking access to the following types of websites:
a) websites that have an information upload function unless permitted for valid business reasons;
b) known or suspected malicious websites (e.g. those distributing malware or phishing contents);
c) command and control servers;
d) malicious website acquired from threat intelligence (see 5.7);
e) websites sharing illegal content.”

It also talks about rules being kept up to date and users needing to be educated, stating:

“The training should include the organization’s rules, contact point for raising security concerns, and exception process when restricted web resources need to be accessed for legitimate business reasons. Training should also be given to personnel to ensure that they do not overrule any browser advisory that reports that a website is not secure but allows the user to proceed.”

This last point, that users don’t overrule any advisory, is critical for this control to be effective, and I will discuss why in the next section.

How do I comply with ISO 27001:2022 Annex A 8.23?

On the surface, 8.23 Web filtering appears to be a purely technical control, but as 27002’s implementation advice alludes to, it also requires user training to be effective, and how much depends on how you implement the control. Some controls can be completely hidden from the user, but others require user interaction.

Going back to my earlier anecdote about web filtering and the difficulties within a teaching and learning environment, let’s discuss what 27002’s comment about users having the ability to overrule an advisory is about.

In that university example, we have three options:

  1. Continue to block all content from the selected categories and have a negative impact on the business and people’s ability to do what they need to do.
  2. Unblock the category, potentially exposing the business to risks such as malware, inappropriate content and other business-impacting issues.
  3. Apply what some vendors call ‘coaching’, where the user is advised of the issues relating to the website, such as ‘this site could contain malicious software’, or ‘this site may contain inappropriate material’, but allow the user to still go forward if needed.

The third option provides the best of both worlds, but it does open the door to abuse and poses a potential risk to the business if someone visits the wrong site.

In my experience, option 3 has worked very effectively IF you word the coaching screen correctly and limit it to the areas or people that may need the option. For example, in an environment where you may need to provide access to content that may be deemed inappropriate, constructing your coaching page with the following text can be highly effective:

“The site you are about to visit has been classified as containing inappropriate material. If you need access to this site for your job role or to complete your studies, please click the ‘ACCEPT’ button to proceed. All access to the site will be logged and monitored.”

I can tell you, no-one clicks through something like this unless they have a real reason to be on the site. No one wants to be logged and questioned on accessing inappropriate content!

The key to implementing effective web filtering is understanding your business, knowing how they use the Internet, and reducing access to sites that pose a risk to the business. Again this isn’t the be all and end all of security controls. It’s another layer that removes additional risks.

Remember, rules are not set in stone

One thing I have talked about before, and which is critical to understand in the cybersecurity space when dealing with risk, is that we put rules in place in the form of policies and other controls, but they aren’t set in stone. They are risk reduction methods for an ideal situation, and just because we have said we need control xyz for the business as a whole doesn’t mean every person or department can or should comply. This is why we have policy exception processes: to allow exceptions to the rules, review the risk the exception will pose and, where feasible, implement compensating controls to reduce the risk posed by the exception.

Web filtering is no different. Going back once more to my university example, an arts faculty may need coaching applied to certain web filter categories due to the nature of their courses and subjects. But would an engineering or IT faculty need the same access? Highly doubtful. But if the IT faculty were teaching technical cybersecurity subjects, they may need access to sites that provide information on malicious software that is blocked by your web filtering. Implement full blocking where there is little to no chance it will impact the users, and coaching for other categories that align with their business requirements. I’ve used a university as an example, but it can be the same in any business. Often IT and security teams need exclusions for certain categories of information that could be deemed risky by your filter.
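To make the mechanics concrete, here is a small policy engine in Python. It is an added illustration, not code from this article or from any filtering vendor. It ties together three things discussed above: the basic matching described under “What is web filtering” (resolve the requested host to a category by walking up the domain, and block anything on a threat-intelligence list outright), the ‘coaching’ option from the compliance section (return a coaching page the user can accept, and log every click-through), and the per-group exception register from this section (the arts faculty coached rather than blocked on adult content, the cyber-security teaching staff coached through to malware-research sites). Every host name, category, group and threat-intel entry is constructed for the example; a real deployment takes its categories from the vendor’s database and sends the log to the SIEM.

```python
"""Toy web-filter policy engine (added example; hosts, categories, groups and
threat-intel entries below are all constructed, not real data)."""
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, COACH = "allow", "block", "coach"
PERMISSIVENESS = {BLOCK: 0, COACH: 1, ALLOW: 2}

# Category database keyed by registrable domain; sub-domains inherit the
# parent's category. A vendor curates this and it is far larger in practice.
CATEGORY_DB = {
    "example-university.edu": "education",
    "gallery-example.org": "adult-content",   # an art site the vendor lumped in with adult content
    "bets-example.com": "gambling",
    "samples-example.net": "malware-research",
    "torrents-example.net": "file-sharing",
}

# Threat-intel feed (27002 items b) to d)): always blocked, never coached.
THREAT_INTEL = {"login-examp1e-bank.com", "c2-beacon.example"}

# Organisation-wide policy per category; categories not listed are allowed.
DEFAULT_POLICY = {
    "gambling": BLOCK,
    "adult-content": BLOCK,
    "malware-research": BLOCK,
    "file-sharing": BLOCK,
    "education": ALLOW,
}

# Approved exception register, per group. Arts faculty is coached rather than
# blocked on adult content; staff teaching cyber security may be coached through
# to malware-research sites. Nobody is exempt from the threat-intel list.
GROUP_OVERRIDES = {
    "arts-faculty": {"adult-content": COACH},
    "cyber-teaching": {"malware-research": COACH},
}

AUDIT_LOG = []  # in production this goes to the SIEM, not an in-memory list


@dataclass
class Decision:
    action: str
    reason: str
    category: Optional[str] = None
    page: Optional[str] = None  # coaching page text, only when action == COACH


def _suffixes(host):
    """Yield the host and each parent domain: www.a.b.com -> www.a.b.com, a.b.com, b.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def lookup_category(host):
    return next((CATEGORY_DB[s] for s in _suffixes(host) if s in CATEGORY_DB), None)


def coaching_page(host, category):
    return (f"The site {host} has been classified as containing {category}. "
            "If you need access to this site for your job role or to complete your "
            "studies, click ACCEPT to proceed. All access to the site will be logged and monitored.")


def evaluate(user, host, groups=(), acknowledged=False):
    """Decide one request. Precedence: threat intel (not overridable) >
    group exceptions (most permissive applicable one wins) > default policy.
    `acknowledged` is True only on the re-request after the user clicks ACCEPT."""
    if any(s in THREAT_INTEL for s in _suffixes(host)):
        decision = Decision(BLOCK, "threat-intel")
    else:
        category = lookup_category(host)
        if category is None:
            decision = Decision(ALLOW, "uncategorised")
        else:
            overrides = [GROUP_OVERRIDES[g][category] for g in groups
                         if category in GROUP_OVERRIDES.get(g, {})]
            if overrides:
                action, reason = max(overrides, key=PERMISSIVENESS.get), "group-exception"
            else:
                action, reason = DEFAULT_POLICY.get(category, ALLOW), "default-policy"
            if action == COACH and acknowledged:
                action, reason = ALLOW, "coached-accept"
            decision = Decision(action, reason, category,
                                coaching_page(host, category) if action == COACH else None)
    # Blocks, coaching prompts and click-throughs are all evidence for later review.
    if decision.action != ALLOW or decision.reason == "coached-accept":
        AUDIT_LOG.append({"user": user, "host": host,
                          "action": decision.action, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    print(evaluate("alice", "www.bets-example.com"))
    print(evaluate("bob", "gallery-example.org", groups=("arts-faculty",)).page)
    print(evaluate("bob", "gallery-example.org", groups=("arts-faculty",), acknowledged=True))
    print(AUDIT_LOG)
```

Two design choices are worth noting. Threat-intel matches are evaluated before any exception, so no group can be coached through a known phishing or command-and-control domain. And when a user sits in several groups, the most permissive applicable exception wins, which keeps the exception register the single place where risk acceptance is recorded. A geography rule (the Ukraine developer case above) slots in the same way: a default block on the region, an override for the group with a documented business need, and a log entry for every pass-through.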

8.23 Web filtering isn’t a complex control, but like almost all controls it needs planning and business involvement to ensure it provides real value and doesn’t impact critical business processes. Security is an enabler for the business, not a disabler.

David Morrison

David is the Co-CEO of Morrisec. With a wealth of experience spanning more than two decades, David has established himself as a leading cybersecurity professional. His expertise and knowledge have proven invaluable in safeguarding organisations from cyber threats across a gamut of industries and roles.
