Malware threats are prevalent and pose a significant risk to organizations.
Malware can cause a range of problems, including data breaches, network outages, and financial losses.
Therefore, it is essential for organizations to have adequate controls against malware.
This is where A.12.2.1 of the ISO 27001 standard comes into play, which requires organizations to review their malware policies, procedures, and guidelines. In this article, we will discuss the key components of A.12.2.1 and provide a sample checklist that organizations can use to assess their controls against malware.
- Review the organization’s malware policies, procedures, and guidelines to ensure they are comprehensive and up-to-date.
- Check the organization’s white-list or black-list of applications that can or cannot be used in the enterprise.
- Review the process for compiling, managing, and maintaining the white-list or black-list and ensure it is performed by authorized personnel.
- Review the organization’s malware protection and incident response procedures and a sample of malware incident reports.
- Check if all relevant devices, including standalones, portables, embedded devices, and IoT things, are subjected to frequent virus checks.
- Evaluate if infection levels are minimized and the situation is broadly under control.
- Review the process for updating anti-virus software, both manually and automatically, and check if it is performed regularly.
- Check if malware detected by scanners is reported to an appropriate coordinator, and if the notification is manual, verify the proportion that gets notified.
- Review if there is adequate protection against ransomware, Trojans, worms, spyware, rootkits, keyloggers, Advanced Persistent Threats, etc.
- Evaluate if technical vulnerabilities are managed, and if the organization has appropriate ongoing training and awareness covering detection, reporting, and resolution of malware for users, managers, and support specialists.
- In the event of a serious incident, review the associated controls to investigate and resolve the incident, including rapid detection of outbreaks and network isolation, escalation to management, notification of affected parties, invocation of business continuity arrangements, forensic analysis, etc.
A.12.2.1 of the ISO 27001 standard requires organizations to have adequate controls against malware to minimize the risk of data breaches, network outages, and financial losses.
To comply with this requirement, organizations should review their malware policies, procedures, and guidelines regularly.
They should also evaluate their controls against malware by using the checklist provided above.
By doing so, organizations can ensure that they have adequate controls in place to protect their information assets from malware threats.