Ransomware encrypts 40,000 files in under four minutes. The initial infection came through a macro in an email attachment that the antivirus did not flag because the payload was less than a day old. A.8.7 demands a layered defence against malware — detection software alone is explicitly insufficient.
Much modern malware evades signature-based detection, runs fileless in memory and spreads laterally within minutes of the first compromise. The control therefore requires a combination of technical measures, user awareness and recovery capability.
What does the standard require?
- Deploy detection and prevention software. Install anti-malware or EDR solutions on all endpoints and servers, with automatic updates.
- Implement application control. Use whitelisting or application control to limit which software can execute.
- Block known malicious sources. Filter web traffic and email to block known malicious domains, URLs and file types.
- Scan regularly. Scan all files, email attachments and web downloads for malware. Perform scheduled full-system scans.
- Train users. Ensure employees can recognize common malware delivery methods (phishing, malicious attachments, drive-by downloads).
- Prepare for recovery. Maintain tested backup and recovery procedures to restore systems after a malware incident.
In practice
Deploy EDR across all endpoints and servers. Ensure coverage includes Windows, macOS and Linux systems. Configure automatic signature updates and behavioural detection. Integrate alerts into your SIEM or incident management workflow.
Implement application whitelisting on critical systems. On servers and kiosks, allow only approved applications to run. On workstations, consider a softer approach: block known malicious categories and alert on unknown executables.
Enable email and web filtering. Block executable attachments (EXE, SCR, BAT, PS1) in email, and extend the list to macro-enabled Office formats (DOCM, XLSM), the vector in the scenario above. Archives are the usual way to carry a blocked type past an extension filter, so route them to sandbox detonation rather than delivering them unopened. Filter web traffic to block known malicious domains. Use DNS-level filtering for an additional layer.
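As an added example, not code from the original page: the Python script below shows what the attachment rule in the paragraph above looks like once it handles the tricks a filter meets in practice (mixed case, trailing spaces and dots, double extensions such as Invoice.PDF.exe, macro-enabled documents, archives). The blocked and archive extension lists, the verdict names and the sample message are all constructed for this example; a production gateway would carry the same list in its own configuration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions rejected outright at the mail gateway. The list is an assumption
# for this example; extend it for your own environment.
BLOCKED_EXTENSIONS = {
    # directly executable or script content
    ".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".msi", ".dll",
    ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta",
    # macro-enabled Office formats (the vector in the opening scenario)
    ".docm", ".xlsm", ".pptm", ".dotm",
    # shortcuts and disk images commonly used as droppers
    ".lnk", ".iso", ".img",
}

# Archives are not rejected here but routed to sandbox detonation, because they
# are the usual way to carry a blocked type past an extension filter.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".gz", ".tgz", ".tar"}


def classify_filename(name):
    """Return 'block', 'inspect' or 'allow' for one attachment filename.

    Only the real final extension matters: 'Invoice.PDF.exe ' is an .exe whatever
    the recipient sees, so the name is lower-cased and stripped of trailing spaces
    and dots (which Windows discards when the file is written) before the suffix
    is read.
    """
    cleaned = name.strip().rstrip(" .").lower()
    dot = cleaned.rfind(".")
    ext = cleaned[dot:] if dot > 0 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in ARCHIVE_EXTENSIONS:
        return "inspect"
    return "allow"


def screen_message(raw_bytes):
    """Return [(filename, verdict)] for every attachment in an RFC 5322 message.

    walk() is used instead of iter_attachments() so that attachments nested in
    multipart/alternative or multipart/related subtrees are not missed.
    get_filename() reads Content-Disposition first and falls back to the
    Content-Type name parameter, which some mailers use instead.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            verdicts.append((name, classify_filename(name)))
    return verdicts


def gateway_decision(verdicts):
    """Collapse per-attachment verdicts into one action for the whole message."""
    kinds = {verdict for _, verdict in verdicts}
    if "block" in kinds:
        return "REJECT"
    if "inspect" in kinds:
        return "SANDBOX"
    return "DELIVER"


def build_sample_message():
    """Constructed sample lure: a benign PDF, a disguised EXE, an archive and a
    macro-enabled document. Payload bytes are placeholders, not real files."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"PK placeholder", maintype="application",
                       subtype="zip", filename="scans.zip")
    msg.add_attachment(b"PK placeholder", maintype="application",
                       subtype="vnd.ms-word.document.macroenabled.12",
                       filename="statement.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    results = screen_message(build_sample_message())
    for name, verdict in results:
        print(f"{verdict:8} {name!r}")
    print("decision:", gateway_decision(results))
```

The decision is taken per message, not per attachment: one blocked type rejects the whole mail, because the benign-looking PDF next to it is part of the same lure. Filtering on the declared filename is a first layer only; the file's actual content type and a detonation sandbox belong behind it.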
Conduct phishing simulations. Regular simulated phishing exercises train users to recognize and report suspicious messages. Track click rates over time and provide targeted training for repeat offenders.
Typical audit evidence
Auditors typically expect the following evidence for A.8.7:
- Anti-malware policy — documented strategy covering detection, prevention and recovery (see Endpoint Security Policy in the Starter Kit)
- EDR/AV coverage report — percentage of endpoints with active, current protection
- Signature update logs — evidence of timely updates
- Malware incident records — documented incidents with response and remediation details
- Phishing simulation results — user awareness metrics over time
KPI
Percentage of endpoints with current and active anti-malware protection
Measured as a percentage: what share of your endpoints have an active EDR/AV agent whose signatures were updated within the last 24 hours? Target: 100%. Take the denominator from the asset inventory (CMDB or MDM), not from the EDR console: a device that never received an agent does not appear in the console at all, so measuring against the console alone hides exactly the gap this KPI exists to find.
Supplementary KPIs:
- Number of malware detections per month (trend analysis)
- Phishing simulation click-through rate (target: below 5%)
- Mean time to contain a malware incident
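An added example, not part of the original page, of how the primary KPI above (and the EDR/AV coverage report listed under audit evidence) is computed in practice. The EDR export, the asset inventory, the column names and the fixed evaluation time are all constructed for this example; the point it demonstrates is that the denominator comes from the asset inventory, so unenrolled devices, stopped agents and stale signatures all count against coverage.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export from an EDR/AV console: one row per enrolled agent.
# Columns and values are assumptions for this example.
EDR_EXPORT = """hostname,os,agent_status,last_signature_update
fs-01,Windows Server 2022,active,2024-05-14T06:10:00Z
ws-117,Windows 11,active,2024-05-14T07:45:00Z
mac-22,macOS 14,active,2024-05-12T23:00:00Z
db-03,Ubuntu 22.04,active,2024-05-14T05:02:00Z
kiosk-04,Windows 10,stopped,2024-05-14T04:30:00Z
build-07,Debian 12,,
"""

# Constructed authoritative asset list (CMDB / MDM). It is the KPI denominator:
# a device that never got an agent is absent from the EDR export entirely, so
# measuring against the console alone would silently exclude it.
ASSET_INVENTORY = ["fs-01", "ws-117", "mac-22", "db-03", "kiosk-04", "build-07", "lab-09"]

# Fixed evaluation time so the example is reproducible; use
# datetime.now(timezone.utc) when running against a live export.
REPORT_TIME = datetime(2024, 5, 14, 8, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=24)


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp with a trailing Z; an empty cell yields None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_agent(row, now):
    """Return (compliant, reason) for one EDR export row."""
    if row["agent_status"].strip().lower() != "active":
        return False, "agent not active"
    updated = parse_timestamp(row["last_signature_update"].strip())
    if updated is None:
        return False, "no signature update recorded"
    age = now - updated
    if age > STALE_AFTER:
        return False, f"signatures {age.total_seconds() / 3600:.0f} h old"
    return True, "ok"


def coverage_report(edr_csv, asset_hosts, now):
    """Compute the A.8.7 coverage KPI with the asset inventory as denominator.

    Also reports agents that are not in the inventory: those are either an
    inventory error or an unmanaged device, and both need following up.
    """
    agents = {row["hostname"]: row for row in csv.DictReader(io.StringIO(edr_csv))}
    gaps = []
    compliant = 0
    for host in asset_hosts:
        if host not in agents:
            gaps.append((host, "not enrolled in EDR"))
            continue
        ok, reason = assess_agent(agents[host], now)
        if ok:
            compliant += 1
        else:
            gaps.append((host, reason))
    total = len(asset_hosts)
    pct = round(100.0 * compliant / total, 1) if total else 0.0
    return {
        "total": total,
        "compliant": compliant,
        "coverage_pct": pct,
        "gaps": gaps,
        "unknown_agents": sorted(set(agents) - set(asset_hosts)),
    }


if __name__ == "__main__":
    report = coverage_report(EDR_EXPORT, ASSET_INVENTORY, REPORT_TIME)
    print(f"coverage: {report['compliant']}/{report['total']} = {report['coverage_pct']}%")
    for host, reason in report["gaps"]:
        print(f"  GAP {host}: {reason}")
    for host in report["unknown_agents"]:
        print(f"  UNKNOWN agent not in inventory: {host}")
```

On the constructed data the console would report five of six agents as healthy, while the KPI measured against the inventory is 3 of 7 (42.9%): one host is not enrolled, one agent is stopped, one has no update record and one is 33 hours behind. The gap list is the evidence an auditor asks for next, so keep it with the monthly figure.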
BSI IT-Grundschutz
A.8.7 maps to BSI modules for malware protection and incident handling:
- OPS.1.1.4 (Protection Against Malware) — the core module. Requires anti-malware software on all IT systems, automatic updates, regular scans and user awareness.
- DER.2.1 (Security Incident Handling) — procedures for handling malware incidents, including containment, eradication and recovery.
Related controls
- A.8.1 — User Endpoint Devices: Malware protection is a core component of the endpoint security baseline.
- A.8.8 — Management of Technical Vulnerabilities: Unpatched vulnerabilities are a primary malware entry point.
- A.8.23 — Web Filtering: Web filtering blocks malware delivery channels.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.7 — Protection against malware
- ISO/IEC 27002:2022 Section 8.7 — Implementation guidance for protection against malware
- BSI IT-Grundschutz, OPS.1.1.4 — Protection Against Malware