ISO 27001:2022 A 8.23 Web filtering

The control is regarding Access to external websites which should be managed to reduce exposure to malicious content.Web filtering is a technique that monitors and manages the locations where users are browsing on the Internet, enabling an organization to either allow or block web traffic in order to protect against potential threats and enforce corporate policy.There is a risk of malware attacks on corporate networks and information systems if employees visit websites with malicious content. For example, attackers could send phishing emails to employees’ work emails, enticing them to click on links and visit websites. If an employee visits this website, malware may be automatically uploaded to the employee’s device, enabling infiltration into corporate networks. In this attack, malware is automatically downloaded once the employee accesses a website, referred to as a drive-by download.Therefore, organisations must implement appropriate web filtering controls to restrict and control access to external websites and prevent security threats. The organization must establish policies for the use of online resources which may include restricting access to undesirable or inappropriate websites and web-based applications, which may include an allow-list of acceptable websites or domains or a prohibited-list of websites or domains.A web filter, analyzes the web applications accessed by users and restricts access to block listed websites, content, and domains deemed malicious or inappropriate by admins. Organizations employ web filtering software to block potential cyber risks, limit user interactions on websites, and prevent unsafe or explicit content from being accessed by users.

Internet filtering is one of the layers of network security that thwarts cyber risks and maintain productivity. Admins might use web filters to:

  • Block known dangerous websites or harmful URLs that may contain, for example, malware, or spyware.
  • Restrict access to potential emails containing phishing links.
  • Prevent users or students from accessing explicit content, gaming websites, or video streaming sites.
  • Block access to personal data storage applications .
  • Allow only websites or cloud applications authorized by the organization.


Access to external websites should be managed to reduce exposure to malicious content.


To protect systems from being compromised by malware and to prevent access to unauthorized web resources.

ISO 27002 Implementation Guidance

The organization should reduce the risks of its personnel accessing websites that contain illegal information or are known to contain viruses or phishing material. A technique for achieving this works by blocking the IP address or domain of the website(s) concerned. Some browsers and anti-malware technologies do this automatically or can be configured to do so. The organization should identify the types of websites to which personnel should or should not have access. The organization should consider blocking access to the following types of websites:

  1. websites that have an information upload function unless permitted for valid business reasons;
  2. known or suspected malicious websites (e.g. those distributing malware or phishing contents);
  3. command and control servers;
  4. malicious website acquired from threat intelligence ;
  5. websites sharing illegal content.

Prior to deploying this control, the organization should establish rules for safe and appropriate use of online resources, including any restriction to undesirable or inappropriate websites and web-based applications. The rules should be kept up-to-date. Training should be given to personnel on the secure and appropriate use of online resources including access to the web. The training should include the organization’s rules, contact point for raising security concerns, and exception process when restricted web resources need to be accessed for legitimate business reasons. Training should also be given to personnel to ensure that they do not overrule any browser advisory that reports that a website is not secure but allows the user to proceed.

Other information

Web filtering can include a range of techniques including signatures, heuristics, list of acceptable websites or domains, list of prohibited websites or domains and bespoke configuration to help prevent malicious software and other malicious activity from attacking the organization’s network and systems.

This control requires you to manage which websites your users are accessing, in order to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.You could use tools that block access to particular IP addresses, which could include the usage of anti-malware software. You could also use non-tech methods like developing a list of forbidden websites and asking users not to visit them.You should set up processes that determine which types of websites are not allowed, and how the web filtering tools are maintained. Make employees aware of the dangers of using the Internet and where to find guidelines for safe use, and train your system administrators on how to perform web filtering. Organisations should establish and implement necessary controls to prevent employees from accessing external websites that may contain viruses, phishing materials, or other types of illegal information. One effective technique to prevent access to dangerous external websites is blocking the IP address or domain of websites identified as dangerous. For instance, some browsers and anti-malware tools enable organisations to do this automatically. Organisations should determine which types of websites should not be accessed by employees. In particular, the following types of websites should be blocked:

  • Websites with information upload functionality. Access should be subject to permission and should only be granted for valid business reasons.
  • Websites that are known or suspected to contain malicious material, such as websites with malware content.
  • Command and control servers.
  • Malicious websites obtained from threat intelligence. Organisations should refer to Control 5.7 for more details.
  • Websites distributing illegal content and materials.

Before designing and implementing this Control, organisations are advised to put in place rules for safe and appropriate access to and use of online resources. This should also include imposing restrictions on websites that contain inappropriate materials. These rules should be reviewed and updated at regular intervals.

All staff should be provided with training on how to access and use online resources safely. This training should cover the organisation’s own rules and should address how staff can raise his/her security concerns by contacting the relevant individual within the organisation. Furthermore, training should also address how staff can access restricted websites for valid business reasons and how this exception process works for such access. Last but not the least, training should address browser advisory that warns users that a website is not secure but that permits users to proceed. Staff should be instructed not to ignore such warnings.

Web filtering provides an organization with the ability to control the locations where users are browsing, which is important for a number of reasons:

  • Malware Protection: Phishing and other malicious sites can be used to deliver malware and other malicious content to users’ computers. Web filtering makes it possible for an organization to block access to websites that pose a threat to company and user security.
  • Data Security: Phishing sites are commonly intended to steal user credentials and other sensitive data. By blocking access to these pages, an organization limits the risk that such data will be leaked or breached.
  • Regulatory Compliance: Companies are responsible for complying with a growing number of data protection regulations, which mandate that they protect certain types of data from unauthorized access. With web filtering, an organization can manage access to sites that are likely to try to steal protected data and ones that may be used intentionally or unintentionally to leak data (such as social media or personal cloud storage).
  • Policy Enforcement: Web filtering enables an organization to enforce corporate policies for web usage. All types of web filtering can be used to block inappropriate use of corporate resources, such as visiting sites containing explicit content.

Types of Web Filtering
A web filtering service can work in a variety of ways. One of the ways by which web filtering solutions can be differentiated is by how they define acceptable content. Web filters can be defined in a few ways, including:

  1. Allow Listing: Allow lists are designed to specify the sites that a user, computer, or application is permitted to visit. All web traffic is compared to this list, and any requests with a destination not included on the list are dropped. This provides very strict control over the sites that can be visited.
  2. Block Listing: Block lists are the exact opposite of allow lists. Instead of specifying the sites that a user can visit, they list sites that should not be visited. With a blocklist, all traffic is inspected and any traffic to a destination on the list is dropped. This approach is commonly used to protect against known-bad locations, such as phishing sites, drive-by malware downloads, and inappropriate content.
  3. Content Filtering: Content and keyword filtering makes decisions whether to allow or block traffic based upon the content of a webpage. For example, an organization may have filters in place to block visits to sites containing explicit content. When a request is made, the content of the site is inspected and the site is blocked if the policy is violated. This filtering approach enables an organization to block malicious or inappropriate sites that they don’t know exist.

In addition to filter types, different web filtering solutions can differ in terms of where they look to apply their rules. Filters can be applied in a few different ways, such as:

  • DNS Filtering: The Domain Name Service (DNS) is the phone book of the Internet, translating domains (like to the IP addresses used by computers to route traffic. DNS filtering monitors requests for DNS lookups and allows or blocks the traffic based upon policy.
  • URL Filtering: A URL is the address of a webpage. URL filtering inspects the URLs contained within web requests and determines whether or not to allow a request to go through based on policy.
  • Content Filtering: Content filtering looks at the contents of a requested webpage. If a response violates policy, then it is blocked.

Finally, web filtering solutions can be classified by where the filter is applied. The options for this include:

  • Client-Side Filtering: Client-side web filtering is performed by software installed on a user’s computer. It inspects all outbound and inbound traffic and allows or blocks it based upon policy.
  • Server-Side Filtering: Server-side filtering is performed via a solution located either on-premises or in the cloud. All web traffic is routed through this solution, providing it with visibility and control

Leave a Reply