An employee visits a compromised industry news site. The site serves a malicious advertisement that exploits a browser vulnerability and installs a remote access trojan — all without a single click. A.8.23 requires that web access is filtered to block known malicious content and unauthorized web resources before they can compromise systems.
Web filtering is a preventive control that sits between users and the internet. It blocks access to known malicious sites, enforces acceptable use policies and reduces the attack surface from web-based threats.
What does the standard require?
- Block malicious websites. Prevent access to sites known to distribute malware, host phishing pages or serve as command-and-control infrastructure.
- Filter by category. Use URL or domain categorization to block access to unauthorized content categories.
- Keep block lists current. Threat intelligence feeds must be updated frequently — malicious domains have short lifespans.
- Define acceptable use. Publish a clear web usage policy that explains what is permitted and what is blocked.
- Train users. Educate employees about web-based threats and how to handle warning messages from the filtering system.
In practice
Deploy DNS-level filtering. Configure all endpoints to use filtered DNS resolvers. Block categories: malware, phishing, newly registered domains (less than 30 days old), command-and-control, cryptomining. This catches threats before the TCP connection is even established.
Add URL-based filtering for deeper inspection. A secure web gateway or cloud proxy inspects full URLs (not just domains) and can block specific pages on otherwise legitimate sites. This provides finer-grained control but requires more infrastructure.
Extend filtering to remote workers. Deploy agent-based DNS filtering or route traffic through a cloud secure web gateway. Without this, remote workers bypass all office-based controls.
Maintain an exception process. Some blocked sites are legitimate for specific roles (security researchers accessing threat intelligence, marketing accessing social media). Provide a documented exception process with time-limited, logged exceptions.
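The four steps above (category blocking, newly registered domain detection, a policy that follows the user rather than the office, and time-limited logged exceptions) fit together as one decision routine. The following Python is an added example, not code from the original page or from any filtering product: the threat feed, domain names, registration dates, roles and the CHG-0001 ticket id are all constructed, and the "hacking-tools" category stands in for whatever unauthorised content category a security researcher might need an exception for. It also renders the global block set as BIND-style Response Policy Zone records, which is how a filtering resolver is commonly fed.

```python
# Added example (not code from the original page): a DNS-level web filtering
# policy evaluator covering category blocking, newly registered domain
# detection and time-limited, logged exceptions. The feed, domains,
# registration dates, roles and ticket ids below are all constructed.
from dataclasses import dataclass
from datetime import date

# Categories the policy blocks outright; "hacking-tools" stands in for an
# "unauthorized content" category that specific roles may need an exception for.
BLOCKED_CATEGORIES = {"malware", "phishing", "c2", "cryptomining",
                      "newly-registered", "hacking-tools"}
NEW_DOMAIN_DAYS = 30      # registered fewer than this many days ago -> block
TODAY = date(2024, 4, 1)  # fixed "now" so the example is reproducible

# Constructed threat-intelligence feed: domain -> category.
FEED = {
    "malware-dropper.example": "malware",
    "login-verify.example": "phishing",
    "beacon-relay.example": "c2",
    "coinhive-clone.example": "cryptomining",
    "threat-sharing.example": "hacking-tools",
}

# Constructed WHOIS-style registration dates used for the domain-age check.
REGISTRATION_DATE = {
    "brand-new-shop.example": date(2024, 3, 20),
    "well-established.example": date(2012, 6, 1),
}


@dataclass
class FilterException:
    domain: str
    role: str
    expires: date   # inclusive last day the exception is valid
    ticket: str     # approval record that justifies it


# Constructed exception register: time-limited and tied to a role and a ticket.
EXCEPTIONS = [
    FilterException("threat-sharing.example", "security-analyst",
                    date(2024, 6, 30), "CHG-0001"),
]

AUDIT_LOG = []  # one line per decision: the log evidence the control expects


def _suffixes(domain):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'], so a verdict
    on a parent domain also covers its subdomains."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def classify(domain, today):
    """Return the category applying to the domain, or None if uncategorised."""
    for name in _suffixes(domain):
        if name in FEED:
            return FEED[name]
    for name in _suffixes(domain):
        registered = REGISTRATION_DATE.get(name)
        if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
            return "newly-registered"
    return None


def active_exception(domain, role, today):
    """Return the exception matching this domain and role if it has not expired."""
    domain = domain.lower().rstrip(".")
    for exc in EXCEPTIONS:
        if exc.domain == domain and exc.role == role and exc.expires >= today:
            return exc
    return None


def decide(domain, role, today):
    """Return (action, reason) and record the decision in AUDIT_LOG."""
    category = classify(domain, today)
    if category in BLOCKED_CATEGORIES:
        exc = active_exception(domain, role, today)
        if exc is not None:
            action, reason = "allow", f"exception {exc.ticket} until {exc.expires.isoformat()}"
        else:
            action, reason = "block", category
    else:
        action, reason = "allow", category or "uncategorised"
    AUDIT_LOG.append(f"{today.isoformat()} role={role} domain={domain} "
                     f"action={action} reason={reason}")
    return action, reason


def render_rpz(today):
    """Emit BIND-style RPZ records for the global block set. 'CNAME .' is the
    RPZ action that answers NXDOMAIN; the wildcard record extends it to
    subdomains. Role-based exceptions are deliberately absent: an RPZ applies
    to every client of the resolver, so exceptions live in per-group policy."""
    blocked = sorted(d for d, cat in FEED.items() if cat in BLOCKED_CATEGORIES)
    blocked += sorted(d for d, reg in REGISTRATION_DATE.items()
                      if (today - reg).days < NEW_DOMAIN_DAYS)
    records = []
    for d in blocked:
        records.append(f"{d}\tCNAME\t.")
        records.append(f"*.{d}\tCNAME\t.")
    return records


if __name__ == "__main__":
    for dom, role in [("cdn.beacon-relay.example", "staff"),
                      ("brand-new-shop.example", "staff"),
                      ("threat-sharing.example", "security-analyst"),
                      ("threat-sharing.example", "staff")]:
        print(dom, role, decide(dom, role, TODAY))
    print("\n".join(render_rpz(TODAY)))
```

The points to notice: the suffix walk means a feed entry for `beacon-relay.example` also blocks `cdn.beacon-relay.example`; the exception is checked only after the block verdict, so an expired or wrong-role exception falls through to a block rather than a silent allow; and every decision, allowed or blocked, lands in the audit log with the ticket that justified it.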
Typical audit evidence
Auditors typically expect the following evidence for A.8.23:
- Web filtering policy — documented rules for web access and blocked categories (see IT Operations Policy in the Starter Kit)
- Filtering configuration — categories blocked, threat intelligence feeds configured
- Filter logs — statistics on blocked requests and categories
- Exception records — approved exceptions with justification
- User awareness evidence — training records on safe web usage
KPI
Percentage of internet access points with active web filtering controls
Measured as a percentage: how many of your internet egress points and remote endpoints have active web filtering? Target: 100%.
Supplementary KPIs:
- Number of malicious site access attempts blocked per month
- Percentage of endpoints with DNS-level filtering active
- Number of filtering exceptions currently active
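The KPIs above are only as good as the data behind them, and the headline coverage figure is usually taken from an inventory that can say "agent installed" for a machine whose agent stopped reporting months ago. The following Python is an added example, not code from the original page or from any filtering product: it derives the blocked-attempts-per-month and endpoint-coverage KPIs from a constructed key=value filter log and a constructed inventory, and then cross-checks the two, listing endpoints the inventory claims are filtered but that never appear in the log. The log format and host names are invented for the example.

```python
# Added example (not code from the original page): deriving the A.8.23 KPIs
# from filter logs and an endpoint inventory. Log format, hosts and counts
# are constructed; real products use their own log formats.
from collections import Counter, defaultdict
import re

# Constructed filter log, one decision per line (ISO timestamp + key=value fields).
FILTER_LOG = """\
2024-03-03T09:12:44Z host=LT-0042 domain=malware-dropper.example action=block category=malware
2024-03-15T13:01:02Z host=LT-0042 domain=news.example action=allow category=news
2024-03-28T08:40:19Z host=LT-0107 domain=login-verify.example action=block category=phishing
2024-04-02T10:05:51Z host=LT-0107 domain=beacon-relay.example action=block category=c2
2024-04-02T10:06:07Z host=LT-0107 domain=beacon-relay.example action=block category=c2
2024-04-09T16:22:30Z host=LT-0042 domain=brand-new-shop.example action=block category=newly-registered
""".splitlines()

# Constructed endpoint inventory: host -> whether the DNS filtering agent is
# reported as installed and enabled.
INVENTORY = {"LT-0042": True, "LT-0107": True, "LT-0213": True, "LT-0300": False}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict; the month is derived from the timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = dict(kv.split("=", 1) for kv in m["fields"].split())
    rec["month"] = m["ts"][:7]   # 'YYYY-MM'
    return rec


def blocked_per_month(lines):
    """KPI: malicious site access attempts blocked, per month and per category."""
    out = defaultdict(Counter)
    for rec in map(parse_line, lines):
        if rec["action"] == "block":
            out[rec["month"]][rec["category"]] += 1
    return {month: dict(counts) for month, counts in out.items()}


def filtering_coverage(inventory):
    """KPI: percentage of endpoints with DNS-level filtering active, as the
    inventory reports it."""
    if not inventory:
        return 0.0
    return round(100.0 * sum(inventory.values()) / len(inventory), 1)


def silent_endpoints(inventory, lines):
    """Endpoints the inventory claims are filtered but that produced no log
    lines in the window. A dead, uninstalled or bypassed agent looks exactly
    like this, so these hosts should not count toward the coverage KPI
    until they are checked."""
    seen = {parse_line(line)["host"] for line in lines}
    return sorted(h for h, active in inventory.items() if active and h not in seen)


if __name__ == "__main__":
    print("blocked per month:", blocked_per_month(FILTER_LOG))
    print("coverage (inventory):", filtering_coverage(INVENTORY), "%")
    print("claimed active but silent:", silent_endpoints(INVENTORY, FILTER_LOG))
```

With the constructed data the inventory reports 75% coverage, but LT-0213 is marked active and has logged nothing, so the defensible figure for the audit is lower until that host is verified. Reporting both numbers side by side is what keeps the KPI honest.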
BSI IT-Grundschutz
A.8.23 maps to BSI firewall and filtering modules:
- NET.3.2 (Firewall) — requirements for content filtering at the network perimeter, including web traffic inspection and category-based blocking.
Related controls
- A.8.7 — Protection Against Malware: Web filtering is part of the layered malware defence strategy.
- A.8.20 — Networks Security: Web filtering operates at the network perimeter as part of network security.
- A.6.3 — Information Security Awareness, Education and Training: User training on safe web usage complements technical filtering.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.23 — Web filtering
- ISO/IEC 27002:2022 Section 8.23 — Implementation guidance for web filtering
- BSI IT-Grundschutz, NET.3.2 — Firewall