
Endpoint Security & Malware Protection Policy

6 min read · Reviewed by: Cenedril Editorial
Tags: ISO 27001 A.8.1 · ISO 27001 A.8.7 · BSI SYS.2.1 · BSI OPS.1.1.4

Laptops, smartphones, tablets — every endpoint that touches corporate data is a potential attack vector. The Endpoint Security & Malware Protection Policy defines how these devices are hardened, encrypted, monitored and remotely wiped when things go wrong.

ISO 27001 addresses the topic through two Annex A controls: A 8.1 (User Endpoint Devices) governs the physical and logical protection of endpoints, A 8.7 (Protection Against Malware) covers defence against malicious software. BSI IT-Grundschutz dedicates several modules to endpoints (SYS.2.1 for clients, SYS.3.1 and SYS.3.2 for mobile devices, INF.9 for remote work, OPS.1.1.4 for patch management). Further down you will find the complete template in English and German.

What this policy covers

Endpoint security spans the entire device lifecycle — from initial setup with a hardened configuration through to secure decommissioning. The policy establishes mandatory minimum standards for every device that accesses corporate data, regardless of whether it is company-owned or enrolled as a BYOD device.

It governs: which hardening measures apply out of the box? When must patches be installed? Who may install software? How are mobile devices managed? What happens on loss or theft? And how do you defend against malware that gets past all preventive measures?

Malware protection is tightly coupled with endpoint hardening. An anti-malware solution running on an unhardened device without current patches provides only the illusion of security. Both topics belong in one document.

Why does it matter so much?

Endpoints are the most common entry point. The majority of successful attacks begin at the endpoint — via phishing email, compromised USB drive or drive-by download. A hardened endpoint stops most of these attacks outright or contains them at an early stage.

Remote work has expanded the attack surface. Laptops travel, connect to hotel Wi-Fi and cafe hotspots, and get left behind on trains. Without full-disk encryption, MDM and clear behavioural rules, every lost laptop is a potential data breach.

Malware evolves faster than manual response. Signature-based protection alone has not been sufficient for years. The policy therefore requires centrally managed anti-malware with real-time protection, behaviour-based detection and automatic updates — with no option for users to disable it.

What goes into it?

The template covers ten core areas:

  • Endpoint hardening (A 8.1) — secure configuration baseline, Secure Boot, ASLR/DEP enabled, 5-minute screen lock, USB ports disabled by default
  • Full-disk encryption — mandatory for laptops and mobile devices, recovery keys in a separate key management system
  • Mobile Device Management (MDM) — enrolment for all mobile devices, remote wipe on loss, theft or termination
  • Software installation — restricted to an approved catalogue, no admin privileges for end users
  • Patch management — Critical 72 h, High 14 d, Medium 30 d, end-of-life systems upgraded or isolated
  • Personal firewall — active on all endpoints, regardless of network location
  • Anti-malware (A 8.7) — centrally managed, real-time protection, behaviour-based detection, cannot be disabled
  • BYOD — containerisation / work profile, written BYOD acknowledgement with remote wipe consent, IP ownership clause
  • Wireless communications — Bluetooth off when not in use, no auto-connect to unknown networks, deprecated protocols disabled
  • User responsibilities — session management, theft reporting within 2 hours, physical security in public

How to roll it out

  1. Inventory your device estate

    You need a complete picture: how many laptops, smartphones and tablets access corporate data? How many are company-owned, how many BYOD? Which operating systems and versions are in use? Are there devices running end-of-life operating systems? This inventory is the foundation for every subsequent step — and shows you immediately where the biggest risks lie.

  2. Define and deploy the hardening baseline

    Establish a mandatory security configuration: Secure Boot, ASLR/DEP, screen lock after 5 minutes, USB ports disabled, full-disk encryption enabled. Enforce this baseline through a centralised configuration management tool (Intune, Jamf, Ansible, etc.). Devices that do not meet the baseline are denied access to corporate resources.

  3. Set up MDM and anti-malware

    Enrol all mobile devices in the MDM system. Ensure the anti-malware solution is centrally managed, real-time protection is active, and users cannot disable it. At the same time, define your BYOD rules: containerisation, written agreement, remote wipe consent.

  4. Operationalise the patch process

    Set up an automated patch cycle that enforces the policy timelines: 72 hours for critical patches, 14 days for high, 30 days for medium. Define an escalation process for devices that remain unpatched after the deadline — up to and including network isolation. End-of-life systems are upgraded or (if that is not possible) moved to an isolated network segment.

  5. Train and communicate

    Endpoint security only works if users are on board. Communicate the three most important behavioural rules: report theft within 2 hours, do not install software outside the catalogue, lock your screen when leaving your workstation. Short, concrete instructions stick — a 40-page document gets ignored.
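Steps 1 to 4 above boil down to a rule set that can be applied to the device inventory: baseline gaps (encryption, MDM enrolment, Secure Boot), end-of-life operating systems, and patch age measured against the 72 h / 14 d / 30 d deadlines. The script below is an added example, not part of the template or of any vendor tool, that applies those rules to a constructed inventory and produces the escalation decision for each device plus the fleet-wide encryption figure that the audit findings further down call for. The `Device` fields, the `EOL_OS` list and the escalation ladder (overdue or end-of-life → isolate, any other baseline gap → deny access) are assumptions made for the example; in practice the inventory would come from the MDM or configuration management export.

```python
"""Endpoint baseline and patch-SLA compliance check (added example, not from the policy template)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Remediation deadlines stated in the policy (rollout step 4 / Section 3.3).
PATCH_SLA = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=14),
    "medium": timedelta(days=30),
}

# Constructed placeholder: OS versions the organisation treats as end-of-life.
EOL_OS = {"Windows 10 21H2", "Android 11"}


@dataclass
class Device:
    """Assumed inventory record; field names are an assumption for this example."""
    device_id: str
    owner_type: str            # "corporate" or "byod"
    os: str
    encrypted: bool            # full-disk (or work-profile) encryption active
    secure_boot: bool
    mdm_enrolled: bool
    # open vulnerabilities on the device: (severity, time the fix became available)
    open_patches: list = field(default_factory=list)


def evaluate(dev: Device, now: datetime) -> dict:
    """Apply baseline and patch-SLA rules to one device; return findings and the action."""
    findings = []
    if not dev.encrypted:
        findings.append("full-disk encryption missing")
    if not dev.mdm_enrolled:
        findings.append("not MDM-enrolled")
    # Secure Boot is only enforced on corporate-owned hardware in this example.
    if dev.owner_type == "corporate" and not dev.secure_boot:
        findings.append("Secure Boot disabled")
    eol = dev.os in EOL_OS
    if eol:
        findings.append(f"end-of-life OS: {dev.os}")
    overdue = False
    for severity, available in dev.open_patches:
        deadline = available + PATCH_SLA[severity]
        if now > deadline:
            overdue = True
            findings.append(f"{severity} patch overdue by {(now - deadline).days} day(s)")
    # Escalation ladder (assumed mapping of the policy text): missed patch deadline or
    # end-of-life OS -> network isolation; any other baseline gap -> access denied
    # until fixed; no findings -> compliant.
    if overdue or eol:
        action = "isolate"
    elif findings:
        action = "deny_access"
    else:
        action = "compliant"
    return {"device_id": dev.device_id, "findings": findings, "action": action}


def fleet_report(devices: list, now: datetime) -> dict:
    """Fleet-wide view: encryption coverage plus the isolate / deny lists."""
    results = [evaluate(d, now) for d in devices]
    total = len(devices)
    unencrypted = sum(1 for d in devices if not d.encrypted)
    return {
        "total": total,
        "unencrypted_pct": round(100 * unencrypted / total, 1) if total else 0.0,
        "to_isolate": sorted(r["device_id"] for r in results if r["action"] == "isolate"),
        "to_deny": sorted(r["device_id"] for r in results if r["action"] == "deny_access"),
        "results": results,
    }


# Constructed sample inventory (not real devices).
NOW = datetime(2025, 3, 10, 9, 0)
SAMPLE_DEVICES = [
    Device("LT-001", "corporate", "Windows 11 23H2", True, True, True,
           [("critical", NOW - timedelta(hours=70))]),               # still inside the 72 h window
    Device("LT-002", "corporate", "Windows 11 23H2", True, True, True,
           [("critical", NOW - timedelta(days=5))]),                 # 72 h deadline missed
    Device("LT-003", "corporate", "Windows 10 21H2", False, True, True),  # unencrypted and EOL
    Device("PH-010", "byod", "Android 14", True, False, False),      # BYOD phone never enrolled
    Device("LT-004", "corporate", "macOS 14", True, True, True,
           [("high", NOW - timedelta(days=10)),                      # 14 d window still open
            ("medium", NOW - timedelta(days=31))]),                  # 30 d deadline missed
]

if __name__ == "__main__":
    report = fleet_report(SAMPLE_DEVICES, NOW)
    print(f"{report['unencrypted_pct']}% of {report['total']} devices unencrypted")
    for r in report["results"]:
        print(r["device_id"], r["action"], "; ".join(r["findings"]) or "-")
```

Running this on the sample inventory flags LT-002, LT-003 and LT-004 for isolation and PH-010 for access denial; the only device that passes is the one whose critical patch is still within the 72-hour window. The same evaluation, run nightly against the real inventory export, is the "central report" the audit findings below recommend.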

Where it goes wrong in practice

From audit experience, sorted by frequency:

1. Full-disk encryption “forgotten”. The policy is in place, but 15% of laptops are unencrypted. Typical cause: devices were deployed before the policy was introduced and were never retrofitted. A central report on the encryption status of all devices is the simplest countermeasure.

2. Patch timelines on paper only. Critical patches are supposed to be applied within 72 hours, but patch management runs manually with no escalation. Two weeks later, 30% of devices are still exposed. Automation and network isolation for unpatched devices solve the problem.

3. BYOD without an agreement. Employees use personal smartphones for email and Teams without a BYOD agreement in place. On departure, it turns out that corporate data sits on the personal device — and nobody has the authority to perform a remote wipe.

4. Anti-malware with local admin exceptions. The solution is centrally deployed, but developers have local admin rights and disable real-time protection because it slows down build processes. In the audit, proof of unbroken coverage is missing.

5. Theft not reported within the deadline. The policy requires reporting within 2 hours, but affected individuals either do not know the rule or report the loss the next working day. In the meantime, a remote wipe could have contained the damage. Regular awareness sessions and a clearly communicated reporting channel are decisive.

Template: Endpoint Security & Malware Protection Policy

Full policy text

Endpoint Security & Malware Protection Policy

Document control
Owner: [POLICY_OWNER_ROLE, e.g. Information Security Officer]
Approved by: [APPROVER_NAME_AND_ROLE]
Version: [VERSION]
Effective date: [EFFECTIVE_DATE]
Next review: [NEXT_REVIEW_DATE]

1. Legal/Regulatory Basis

ISO/IEC 27001:2022 / ISO/IEC 27002:2022, Annex A — Technological Controls:

  • A 8.1 — User Endpoint Devices
  • A 8.7 — Protection Against Malware

BSI IT-Grundschutz:

  • SYS.2.1 (General Client) — including A1 (Secure Authentication and Activation of Clients), A3 (Auto-Update Mechanisms), A6 (Anti-Virus Programs), A8 (Securing the Boot Process), A16 (Deactivation of Unnecessary Components), A24 (Handling of External Interfaces), A26 (Exploitation Protection), A28 (Client Encryption), A31 (Local Packet Filters), A33 (Application Control), A42 (Use of Cloud Services)
  • SYS.3.1 (Laptops) — including A1 (Rules for Mobile Use), A3 (Screen Lock), A9 (Secure Remote Access), A12 (Loss Reporting), A13 (Encryption of Laptops), A14 (Suitable Storage)
  • SYS.3.2.1 (Smartphones/Tablets General) — including A1-A8, A11, A22, A28, A32, A33 (use policy, lock screen, OS/app updates, privacy settings, storage encryption, web filtering, device management, security apps)
  • SYS.3.2.2 (Mobile Device Management) — including A1, A2, A4, A7, A20, A21, A22 (MDM strategy, permitted end devices, base configuration distribution, app approval, security setting reviews, certificate management, remote wipe and lock)
  • INF.9 (Mobile Workplace) — A2 (Rules for Mobile Storage Media and Devices), A8 (Security Policy for Mobile Workplaces)
  • OPS.1.1.4 (Protection Against Malware) — A1 (Concept for Protection), A2 (System-Specific Protection Mechanisms), A3 (Anti-Virus Selection), A5 (Operation and Configuration), A6 (Regular Updating), A7 (Awareness and Commitment), A9 (Reporting of Virus Findings)

Additional jurisdiction-specific laws — in particular data protection law (GDPR), employment law (governing device monitoring and remote wipe) and works council co-determination — are listed in the Legal Register and incorporated by reference.

2. Purpose & Scope

This policy governs the secure configuration, use and protection of user endpoint devices and the defence against malware at [YOUR_ORGANISATION_NAME]. It implements the requirements of ISO/IEC 27002:2022 A 8.1 (User Endpoint Devices) and A 8.7 (Protection Against Malware) and the corresponding BSI IT-Grundschutz requirements for clients, laptops, mobile devices and malware protection.

The policy applies to all endpoint devices that process, store or transmit organisational information — including desktop computers, laptops, smartphones, tablets and any privately owned device used for business purposes. It covers organisation-owned and bring-your-own devices (BYOD), all operating systems and form factors and all locations including home offices, public spaces and third-party premises.

All employees, contractors and third parties who use endpoint devices to access organisational systems or information are subject to this policy. IT operations teams, system administrators and device owners carry specific responsibilities as defined in Section 8.

3. Endpoint Device Configuration & Hardening (A 8.1)

All user endpoint devices are configured and maintained in accordance with a documented secure configuration baseline. Configuration is centrally managed where technically feasible; deviations from the baseline require documented risk acceptance by the Information Security Officer. Unused components, interfaces and services are disabled to reduce the attack surface. Memory protection mechanisms — specifically Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) — are enabled on all supported platforms. The boot process is secured using Secure Boot or equivalent mechanisms to prevent unauthorised code execution before the operating system loads.

3.1 Information Classification & Device Registration

  • Information Classification & Processing Limits: Endpoint devices are authorised to process and store information up to a defined classification level. Devices handling information above the standard classification tier require additional hardening measures and are documented separately in the asset inventory. The classification level authorised for each device class is specified in the device configuration baseline and reviewed annually.
  • Device Registration: Every endpoint device is registered in the asset inventory before being connected to organisational systems or used to process organisational information. The registration record includes the device identifier, owner, classification level authorised, MDM enrolment status and assigned user. Unregistered devices are blocked from accessing organisational systems. All mobile devices — including those used for remote access — are enrolled in the Mobile Device Management (MDM) system before use, as required by the Remote Working & BYOD Policy and the Cryptography Policy.

3.2 Physical Protection

  • Physical Protection Requirements: Endpoint devices are physically protected against unauthorised access, damage and environmental hazards. Devices left unattended in the workplace are locked using a password-protected screen lock that activates after a maximum of five minutes of inactivity. Fixed workstations in areas accessible to visitors are placed so that screens cannot be viewed from corridors or common areas. Devices in shared spaces are secured to fixed structures using physical locking mechanisms where the risk of theft justifies this.

3.3 Software Management & Updates

  • Software Installation Controls: Users are not permitted to install software on organisational endpoint devices without prior authorisation from IT operations. Software installation is technically restricted: on managed devices, administrative privileges required for installation are not granted to standard user accounts, and where technically feasible, installation is restricted to an approved software catalogue or application allowlist. Software requests are submitted through the designated approval process. Personally installed software on BYOD devices used for organisational purposes is subject to the restrictions defined in Section 5.
  • Software Versions & Updates: All endpoint devices run supported software versions for which security updates are available. Operating systems and applications are configured for automatic updates; automatic update mechanisms are activated and set to apply security patches at least daily. Where automatic updating is technically infeasible, a documented patch management procedure defines maximum patch intervals by severity: critical vulnerabilities are remediated within 72 hours, high-severity within 14 days and medium-severity within 30 days. Devices running end-of-life operating systems are either upgraded, isolated from the network or risk-accepted in writing.

3.4 Network Connections & Firewalls

  • Network Connections & Personal Firewalls: All endpoint devices are protected by a locally active packet filter (personal firewall) configured to block unauthorised inbound connections. When operating outside the organisational network — including from public Wi-Fi or home networks — laptop devices connect to organisational resources exclusively via an encrypted VPN tunnel. The personal firewall remains active regardless of network location. Cloud service access is limited to the approved services defined in the software catalogue; use of unapproved cloud storage or synchronisation services for organisational data is prohibited. Home networks used for remote work are configured to meet minimum security standards: WPA3 or WPA2-AES encryption, changed default router credentials and current firmware.

3.5 Access Controls & Authentication

  • Access Controls & Authentication: Access to endpoint devices is controlled through secure authentication. Shared accounts are prohibited on individual endpoint devices. A screen lock with password protection activates automatically after a maximum of five minutes of inactivity. On smartphones and tablets, a complex lock code is enforced; devices are configured to auto-lock and to perform a factory reset after a defined number of failed unlock attempts. Default manufacturer credentials on newly provisioned devices are changed before deployment. Multi-factor authentication is required for remote access to organisational systems (see the Access Control Policy).

3.6 Storage Encryption

  • Storage Encryption: All laptops and mobile endpoints are protected by full-disk encryption using an approved encryption mechanism. Encryption covers all internal storage and, where technically supported, removable storage media including SD cards inserted into the device. Recovery keys or escrow keys are stored centrally in a secured key management system separate from the encrypted device, in accordance with the Cryptography Policy. Devices without functioning encryption are not used to process organisational information until encryption is restored.

3.7 Malware Protection on Endpoints

  • Endpoint Malware Protection: All endpoint devices run an enterprise-grade anti-malware solution with real-time protection enabled (see Section 7 for detailed malware protection requirements). The anti-malware solution is centrally managed; users are not permitted to modify protection settings, disable real-time scanning or create exclusions without documented approval from IT operations. Endpoint malware scanning provides a compensating control for encrypted traffic that bypasses gateway-level content inspection.

Detailed malware protection requirements — including anti-malware deployment, scanning scope, update procedures and exception handling — are defined in Section 7.

3.8 Remote Disable, Wipe & Lockout

  • Remote Disable, Wipe & Lockout: All mobile endpoint devices — smartphones, tablets and laptops — are enrolled in the MDM system to enable remote disable, remote wipe and remote lockout. Remote wipe is triggered upon confirmed loss or theft of a device, upon termination of a user's access rights, or upon a security incident determination by the Information Security Officer. The remote wipe procedure is tested at least annually. For BYOD devices, remote wipe is scoped to the organisational container or work profile to avoid deletion of personal data, except where a compromise of organisational information requires full-device wipe.

3.9 Backups

  • Endpoint Backups: Organisational data stored on endpoint devices is backed up to a centrally managed backup infrastructure. Where technically feasible, backup synchronisation is automated and continuous. The backup frequency and retention period are defined in accordance with the IT Operations Security Policy. Users working remotely ensure that devices are connected with adequate network bandwidth to complete scheduled backup operations. Data stored exclusively on a local device that has not been backed up is treated as at risk; users are required to synchronise local data with central systems before extended travel or offline periods.

3.10 Web Services & Applications

  • Web Services & Web Applications: Access to web services and web applications from endpoint devices is limited to approved services listed in the software catalogue (see the Acceptable Use Policy). Web browsers are kept up to date and are configured in accordance with the device security baseline. Web access on smartphones and tablets is subject to web filtering controls to block known malicious domains. Downloading files from unapproved external sources to organisational endpoints requires that the files pass through anti-malware scanning before opening.

3.11 User Behaviour Analytics

  • User Behaviour Analytics: Where implemented, endpoint-based user and entity behaviour analytics (UEBA) tools operate on endpoint devices to detect anomalous activity patterns — such as abnormal data access volumes, unusual login times or bulk file operations — that may indicate account compromise or insider threat. The deployment, scope and data retention of behaviour analytics are governed by the applicable data protection requirements and, where applicable, works council or co-determination agreements. Monitoring activities and their legal basis are documented in the processing activities register. Alerts generated by behaviour analytics are investigated in accordance with the incident management procedure.

3.12 Removable Devices & Physical Ports

  • Removable Devices & Physical Ports: The use of removable storage media — USB drives, external hard disks, memory cards and similar devices — on organisational endpoints is restricted to approved devices listed in the asset inventory. Unapproved removable media is blocked at the operating system level where technically feasible. USB ports are disabled by default on managed endpoints; exceptions for specific business purposes — such as USB-C connections used exclusively for power delivery or display output — are documented and technically scoped to the permitted function only. All files transferred via removable media are scanned for malware before use. The loss or unauthorised use of removable media containing organisational data is reported as a security incident.

3.13 Data Partitioning & Local Storage Restrictions

  • Data Partitioning: On devices used for both organisational and personal purposes, organisational data and applications are technically separated from personal content using containerisation, work profiles or equivalent partitioning mechanisms. Organisational applications in the work profile are prevented from accessing personal data, contacts, media and applications. Data can only be shared between organisational and personal partitions via the approved mechanisms defined in the MDM policy.
  • Highly Sensitive Information — Access-Only Mode: Certain categories of information are designated as access-only: they may be viewed remotely but are not downloaded to or locally stored on endpoint devices. For such information, the device configuration disables local download, local caching and the use of removable storage (including SD cards) during access sessions. The categories of information subject to access-only restrictions are defined in the information classification framework and enforced via technical controls in the relevant applications or MDM policy.

4. User Responsibilities (A 8.1)

Users of endpoint devices carry personal responsibility for implementing the physical and logical security controls applicable to their devices. Failure to comply with the requirements in this section is treated as a policy violation subject to the disciplinary process (see the HR Security Policy).

4.1 Session Management

  • Session Management: Users log out of active sessions and terminate services — including VPN connections, remote desktop sessions and web application sessions — when they are no longer needed and before leaving a device unattended for an extended period. Active sessions are not left open on shared or public-access devices. Temporary session tokens and cached credentials on shared devices are cleared after use. Where applications do not automatically terminate idle sessions, users manually log out before ending the working session.

4.2 Device Security & Physical Controls

  • Preventing Unauthorised Use: Users protect their endpoint devices against unauthorised use through both physical and logical controls. Devices are never left unattended without the screen lock activated when sensitive information is displayed or accessible. Where available, physical security mechanisms — cable locks, device safes, key-locked storage — are used for fixed workstations and stored laptops. Logical access protection (password, PIN, biometric) is enabled at all times; passwords and PINs are never shared with colleagues or written down in proximity to the device.
  • Security in Public & Open Spaces: Users take particular care when working with endpoint devices in public places, open-plan offices and meeting rooms. Privacy screens are used on laptops and mobile devices where others could view the display. Sensitive conversations and screen content are shielded from bystanders. Connections to public Wi-Fi networks are made only via VPN. Unencrypted email and file access over public networks is avoided.
  • Physical Security Against Theft: Users physically secure endpoint devices against theft in all locations away from the regular workplace. Laptops and mobile devices are not left visible and unattended in vehicles, hotel rooms, conference facilities or public transport. In hotel rooms, laptops are stored in the room safe or locked in a bag when not in use. Devices are not left unattended in conference or training venues during breaks. The secure storage guidelines for mobile workplaces define minimum standards for different location types.

4.3 Theft & Loss Procedures

  • Theft & Loss Reporting: The loss or theft of any organisational endpoint device — or a privately owned device used for organisational purposes — is reported to IT operations and the Information Security Officer immediately upon discovery, and no later than within two hours during business hours. The report triggers the remote wipe and disable procedure defined in Section 3.8. A recovered device that was previously reported as lost or stolen is not reconnected to organisational systems until IT operations have performed a security assessment and reinstalled the operating system and applications from a clean baseline. The incident is documented in the incident management system.

5. Bring Your Own Device (A 8.1)

The use of privately owned devices to access or process organisational information — including email, documents and internal applications — is governed by this section. BYOD devices are registered and MDM-enrolled before first use. All general endpoint security requirements in Sections 3, 4 and 6 apply to the organisational work profile or container on BYOD devices. IT operations maintain an approved list of device types and operating system versions eligible for BYOD use.

5.1 Separation of Personal & Business Use

  • Separation of Personal & Business Use: Organisational data on BYOD devices is stored exclusively within the designated work profile or organisational container. Personal applications do not have access to the work profile and its data; organisational applications do not access personal photos, contacts, messages or files outside the container. The containerisation technology used is supported by the MDM system. Where technical separation cannot be enforced by the MDM solution, the device is not approved for BYOD use. Business data is never stored in personal cloud accounts, personal email or messaging applications.

5.2 User Acknowledgement & Remote Wipe

  • User Acknowledgement & Remote Wipe Consent: Before a BYOD device is enrolled in the MDM system, the user signs a BYOD acknowledgement confirming: (a) physical protection and software update obligations identical to organisation-owned devices; (b) that organisational data on the device remains the property of the organisation and the user holds no ownership rights to it; (c) explicit consent to remote wipe of the organisational container or work profile in the event of loss, theft, termination of employment or security incident; (d) awareness that, in exceptional circumstances where selective wipe is technically insufficient, a full device wipe may be performed; and (e) awareness of personal data protection implications — in particular that the MDM system does not access personal data outside the work profile, and that the applicable privacy information notice has been read and understood.

5.3 Intellectual Property

  • Intellectual Property: Work content created using organisational applications on a BYOD device — including documents, designs, source code, analyses and communications — belongs to the organisation. A separate topic-specific policy or employment agreement clause governs the ownership of content developed using personal applications on the same device during working hours, to prevent intellectual property disputes. Users are made aware of these boundaries before BYOD enrolment.

5.4 Access for Verification & Investigation

  • Access for Verification & Investigation: The organisation's right to access a privately owned device for security verification or forensic investigation is limited to the organisational container or work profile managed by the MDM system. Access to personal data outside this scope is not exercised by the organisation except where required by applicable law (e.g. a court order). Where legislation in a user's jurisdiction prevents even container-level access or forensic examination, this is assessed before BYOD approval in that jurisdiction, and alternative controls (organisation-owned device) are provided if access cannot be guaranteed.

5.5 Software Licensing

  • Software Licensing: The organisation does not deploy client software on BYOD devices in a manner that would make the organisation liable under software licence agreements for personal use of that software on the same device. Where organisational applications carry per-seat or per-device licences, the licence terms are reviewed before deployment to BYOD devices to confirm that personal use of the same device does not constitute an unlicensed use. Users do not install organisational software on BYOD devices other than the applications approved and deployed via the MDM system.

6. Wireless Connections (A 8.1)

Wireless connectivity on endpoint devices is configured to minimise exposure to eavesdropping, unauthorised access and protocol-level attacks. Users do not alter wireless configuration settings on managed devices beyond permitted personalisation.

6.1 Wireless Interface Configuration

  • Wireless Interface Configuration: Wireless interfaces on endpoint devices are configured in accordance with the security baseline. Bluetooth is disabled when not in active use. Automatic connection to unknown or open Wi-Fi networks is disabled; devices connect automatically only to explicitly trusted networks defined in the MDM configuration. Deprecated wireless protocols known to have security vulnerabilities (e.g. WEP, WPA-TKIP, Bluetooth profiles that permit unauthenticated pairing) are disabled at the operating system level. On laptops, the personal firewall (see Section 3.4) is active on all wireless interfaces. External interfaces beyond those required for the device's operational purpose are disabled.

6.2 Bandwidth & Connectivity Requirements

  • Bandwidth & Connectivity Requirements: Certain endpoint operations — including operating system updates, application updates, backup synchronisation and MDM policy pushes — require wired or high-bandwidth wireless connections. Users ensure that their devices are connected to a sufficiently fast network to complete scheduled update and backup operations within their defined windows. Where mobile data connections are the only option, large updates and backup operations are deferred to the next available high-bandwidth connection unless the operation is security-critical.

7. Malware Protection (A 8.7)

Malware — including viruses, ransomware, spyware, trojans, worms and other malicious code — poses a persistent threat to organisational systems and information. Protection against malware is implemented as a layered defence-in-depth strategy covering network gateways, email systems, endpoints and servers. A malware protection concept defines which systems require protection, the mechanisms used and the responsibilities for their operation. Operating system-native security mechanisms (e.g. Windows Defender, macOS XProtect) are activated as a baseline and supplemented by enterprise-grade tools where required by risk assessment.

7.1 Unauthorised Software Prevention

  • Application Allowlisting & Unauthorised Software Prevention: Application control (allowlisting) is implemented on endpoint devices to prevent execution of unauthorised software. Only applications from the approved software catalogue or from trusted sources approved by IT operations are permitted to run. Execution control mechanisms are configured to block unsigned or unknown executables, scripts from untrusted locations and interpreted scripts (e.g. PowerShell, VBScript) not originating from approved paths. On smartphones and tablets, apps are installed only from officially approved app stores; sideloading from unapproved sources is prohibited. Blocked execution attempts are logged and reviewed by IT operations.

7.2 Malicious Website Controls

  • Malicious Website Controls: Access to known and suspected malicious websites is prevented through DNS-based or proxy-based blocklisting on all endpoints. The blocklist covers categories including malware distribution sites, phishing sites, command-and-control infrastructure, exploit kit landing pages and sites known to host drive-by download attacks. On mobile devices, web filtering is enforced via the MDM-deployed security app or browser configuration. The blocklist is updated automatically from the threat intelligence sources defined in Section 7.12. Attempts to access blocked sites are logged and periodic review of blocked access logs is performed to identify targeted attack patterns.

7.3 Vulnerability Reduction

  • Vulnerability Reduction: The attack surface available to malware is reduced through systematic vulnerability management. Operating systems, applications and browser plugins are kept current in accordance with the patch management schedule defined in Section 3.3. Unnecessary software, services and features are removed or disabled. Technical vulnerability management — including regular scanning, prioritisation and remediation tracking — is governed by the vulnerability management process. Memory exploitation protection (ASLR, DEP) is enabled on all supported endpoints. The principle of least privilege is applied to endpoint accounts to limit the damage a piece of malware can cause if it executes under a user account.

7.4 Automated Validation & Integrity Checking

  • Automated Validation & Integrity Checking: Systems supporting critical business processes are subject to regular automated validation of software integrity and data content. File integrity monitoring is configured on critical servers and workstations to detect unauthorised modifications to executables, configuration files and data directories. Detected unauthorised files or unexpected changes to monitored paths trigger alerts for immediate investigation by IT operations. Integrity check results and alerts are reviewed at defined intervals; anomalies are escalated to the Information Security Officer and documented in the incident management system.
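Section 7.4 describes detecting unauthorised files and unexpected changes to monitored paths. The following is an added example, not code from the policy template or from Cenedril, of the baseline-and-compare logic behind file integrity monitoring; the monitored tree, file contents and tamper actions are constructed in a temporary directory so it runs offline.

```python
# Added example (not part of the policy template): a minimal file integrity
# monitor. Monitored tree, file contents and tamper actions are constructed.
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict[str, str]:
    """Baseline: POSIX-style relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift: 'added' = unauthorised files dropped into a monitored path,
    'modified' = tampered executables/configs, 'removed' = deleted files."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo() -> dict[str, list[str]]:
    """Baseline a constructed tree, tamper with it, return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF original agent binary")
        (root / "etc" / "agent.conf").write_text("update_interval=daily\n")
        (root / "etc" / "legacy.conf").write_text("obsolete=1\n")
        # Store the baseline on a separate, write-protected host in production:
        # malware that can rewrite a file could otherwise rewrite its hash too.
        baseline = snapshot(root)

        # Constructed tamper actions: patched binary, edited config,
        # deleted config, and a dropped script in an executable directory.
        (root / "bin" / "agent").write_bytes(b"\x7fELF patched agent binary")
        (root / "etc" / "agent.conf").write_text("update_interval=never\n")
        (root / "etc" / "legacy.conf").unlink()
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():  # each non-empty class is an alert
        print(f"{kind}: {paths}")
```

Each non-empty class in the report corresponds to the alert for immediate investigation that the section requires; a real deployment would schedule the compare run and forward the report to the central monitoring described in Section 7.6.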

7.5 External File & Software Protection

  • External File & Software Protection: Files and software obtained from external networks (internet downloads, email attachments, cloud sharing services) or delivered on removable media are scanned for malware before use. Users do not open email attachments or downloaded files without confirmed malware scan completion. Software obtained from external sources is verified against a published hash or digital signature before installation. Files received via encrypted channels that bypass gateway scanning are scanned by the endpoint anti-malware solution before opening, providing the compensating control required by the Information Transfer Policy and the Cryptography Policy.

7.6 Anti-Malware Deployment

  • Anti-Malware on Endpoints & Removable Media: An enterprise anti-malware solution with real-time protection and on-demand scanning is installed on all endpoint devices. The solution includes detection of malware in compressed and archived files. Signature databases and detection logic are updated automatically and at least daily from the vendor's update infrastructure. All data received via networks and all files on electronic storage media are scanned before first use. Scan results and detection events are reported centrally.
  • Email, Instant Messaging & Download Scanning: Anti-malware scanning is applied at multiple layers for email and communications: at the email server before delivery to user mailboxes, at the email client on the endpoint and for files downloaded from web and file-sharing services. Attachments in email and instant messaging are scanned before the user can open them. Where a gateway email scanner and an endpoint email scanner are both in place, both are maintained and updated independently to provide defence-in-depth coverage.
  • Web Page Scanning: Anti-malware capabilities are applied to web content accessed by endpoint devices. Browser-integrated protection and endpoint-based web scanning examine web pages on access for embedded malicious code, drive-by download scripts and malicious redirects. Web page scanning works in conjunction with the blocklisting controls defined in Section 7.2 to provide layered coverage.
  • Placement & Configuration of Anti-Malware Tools: Anti-malware tools are placed and configured based on a risk assessment using a defence-in-depth approach: network gateway, endpoint devices, email servers and file servers each carry appropriate detection and blocking controls. The risk assessment considers attacker evasion techniques, including encrypted file formats and encrypted communication protocols that limit gateway-level inspection. Configuration is reviewed at least annually and after significant infrastructure changes. Detection sensitivity is set to maximise malware detection while maintaining an acceptable false-positive rate documented in the malware protection concept.

7.7 Maintenance & Emergency Procedures

  • Maintenance & Emergency Procedure Controls: Maintenance activities and emergency procedures that require temporarily bypassing normal access controls or security monitoring — such as applying out-of-band patches, performing disaster recovery operations or granting elevated emergency access — carry an elevated risk of malware introduction through unmonitored channels. For such procedures, IT operations apply compensating controls including: scanning all tools and media introduced during maintenance before use, performing post-maintenance integrity checks on affected systems and reviewing event logs for the maintenance window. Emergency procedures that bypass security controls are documented, time-limited and reviewed by the Information Security Officer after completion.

7.8 Exception Process for Malware Protection Deactivation

  • Exception Process for Malware Protection Deactivation: Temporary or permanent deactivation of malware protection on a system requires a formal exception process. The requesting party documents the justification, the systems affected, the duration of deactivation, the compensating controls applied during the exception period and a defined review date. The Information Security Officer approves the exception in writing before deactivation. Approved exceptions are tracked in the exception register and reviewed at the defined review date or upon a relevant change in circumstances. Permanent deactivation exceptions are re-approved annually. Unapproved deactivation of malware protection is treated as a security incident.

7.9 Business Continuity & Recovery

  • Business Continuity & Recovery from Malware Attacks: Business continuity plans address recovery scenarios involving malware attacks, including ransomware incidents, system-wide infections and data corruption events. The plans define recovery procedures, responsible persons, recovery time objectives and communication channels. Both online backups (for rapid recovery) and offline backups isolated from the production network (for ransomware scenarios where online backups may be encrypted) are maintained. Backup and recovery procedures are tested at intervals defined in the business continuity plan to verify that clean recovery is achievable within the recovery time objective.
  • Isolation of High-Consequence Environments: Environments where a malware infection could have catastrophic consequences — such as industrial control systems, safety-critical infrastructure, systems holding large volumes of sensitive personal data or financial transaction systems — are isolated from general corporate networks through network segmentation. Communication between isolated environments and other systems is restricted to defined, monitored channels. Isolation controls are tested periodically. Malware incidents in or adjacent to isolated environments trigger immediate network isolation procedures.

7.10 Procedures & Responsibilities

  • Procedures & Responsibilities: Documented procedures define responsibilities and required actions for malware protection operations, including: initial deployment and configuration of anti-malware tools; response to malware detection alerts (automated blocking, quarantine, investigation, eradication, recovery); reporting detected malware to the Information Security Officer and, where applicable, to supervisory authorities or affected parties; and post-incident review. Responsible parties for each procedure are assigned by role. All personnel with malware response responsibilities receive training covering tool use, escalation paths, reporting requirements and recovery steps.

7.11 Training & Awareness

  • Training & Awareness: All users receive awareness training covering the identification and mitigation of malware threats. Training content includes: recognising malware-infected emails — including phishing, spear-phishing and business email compromise attempts — and suspicious attachments; identifying likely malicious files, programs and browser extensions; the steps to take upon suspecting or encountering a malware infection; and reporting channels and response contacts. Initial training is completed before a user first accesses organisational systems, with annual refresher training thereafter.

7.12 Threat Intelligence

  • Threat Intelligence Collection: IT operations regularly collect current information about new and emerging malware threats from defined intelligence sources. These sources include vendor security bulletins, national CERT/CSIRT feeds (e.g. BSI CERT-Bund), industry information sharing communities and curated threat intelligence mailing lists. Threat intelligence is reviewed at least weekly; critical threat information that warrants immediate action is acted on upon receipt. New threat information is used to update detection signatures, blocklists, awareness content and — where applicable — security controls.
  • Verification of Threat Intelligence Sources: Information about new malware and malware-related alerts — including warning notices, patch advisories and detection recommendations — is sourced only from qualified and reputable providers. Before acting on threat intelligence (e.g. applying a patch, blocking an IP range, triggering an incident response), the source is verified as authoritative. Warning notices received via informal channels (social media, forwarded emails) are cross-checked against official vendor and CERT publications before action is taken. Threat warnings are not distributed to all users until they have been verified, to avoid unnecessary alarm.

8. Roles & Responsibilities

  • Top Management: Approves this policy, ensures adequate resources are allocated for endpoint security and malware protection infrastructure, and promotes a security-aware culture across the organisation.
  • Information Security Officer (ISO): Maintains this policy and the malware protection concept, approves exceptions permitting malware protection deactivation, reviews alerts and incidents, coordinates incident response for malware events, and ensures alignment with current threat intelligence and regulatory requirements.
  • IT Operations: Implements and maintains the endpoint configuration baseline, MDM enrolment and management, anti-malware platform, patch management, application allowlisting, remote wipe capability and centralised monitoring. Responds to malware detection alerts, performs post-loss device reinstatement assessments and maintains the backup infrastructure. Manages wireless configuration and external interface controls on managed devices.
  • Device Owners / All Users: Use endpoint devices in accordance with this policy, apply required physical security measures, report loss or theft immediately, comply with BYOD registration and acknowledgement requirements, complete mandatory awareness training and report suspected malware infections or anomalous device behaviour to IT operations without delay.
  • HR / People Management: Ensures that BYOD acknowledgement documentation is completed and retained as part of the onboarding process, and that policy violations related to endpoint use are addressed through the disciplinary process.
  • System & Application Owners: Ensure that applications and systems under their ownership are included in vulnerability scanning, patch management and integrity monitoring programmes and that access-only controls are implemented for information classified at levels requiring access-only processing.

9. Review & Maintenance

This policy and the associated malware protection concept and endpoint configuration baseline are reviewed:

  • At least annually, to verify continued alignment with current threat intelligence, vendor security guidance, BSI IT-Grundschutz recommendations and regulatory requirements.
  • After any significant malware incident or endpoint-related security breach, to identify control gaps and implement improvements.
  • When new endpoint device classes, operating systems or form factors are introduced into the organisation's device fleet.
  • When significant changes occur to the organisation's IT infrastructure, network architecture or remote working arrangements.
  • When new regulatory requirements or applicable BSI or ISO guidance affecting endpoint security or malware protection are published.
  • Following changes to the BYOD programme — including new device types, jurisdictions or user groups — to ensure legal compliance and technical feasibility.

Exception records for malware protection deactivation are reviewed at the review dates specified in each exception approval, and collectively at least annually. The anti-malware solution configuration and the application allowlist are reviewed at least annually by IT operations and approved by the Information Security Officer.

Sources

ISO 27001 Controls Covered

  • A.8.1 User endpoint devices
  • A.8.7 Protection against malware

Frequently asked questions

Do I really need full-disk encryption on every laptop?

Yes. ISO 27001 A 8.1 requires endpoint devices to be protected against loss and unauthorised access. Full-disk encryption (BitLocker, FileVault, LUKS) is the most effective measure against data loss from theft. Without it, a stolen laptop is enough to expose confidential data — even if the operating system is password-protected.

What happens to personal data on BYOD devices during a remote wipe?

Container solutions (e.g. a separate work profile on Android or an MDM partition on iOS) ensure that a remote wipe only erases the corporate partition. The policy requires a written BYOD agreement in which the individual explicitly consents to selective remote wipe. There is still a residual risk, which is why the template recommends avoiding business-critical data on BYOD devices altogether.

How do I enforce the 72-hour deadline for critical patches?

Through a combination of centralised patch management (WSUS, Intune, Jamf, etc.) and an escalation process. Devices that remain unpatched after 72 hours are automatically isolated from the network or denied VPN access. That sounds drastic, but an unpatched critical vulnerability is an open door.

Can users install software themselves?

The policy restricts installation to an approved software catalogue. Admin privileges for end users are disabled. If someone needs software outside the catalogue, the request goes through a documented approval process. This prevents unpatched or malicious applications from landing on corporate devices.

Is UEBA mandatory under this policy?

UEBA (User and Entity Behavior Analytics) is included in the template as a recommended measure for anomaly detection, but it is not required for baseline compliance. If you deploy UEBA, you must meet data protection requirements — in particular a Data Protection Impact Assessment and (where applicable) consultation with the works council. The policy addresses this explicitly.

Does the personal firewall requirement apply inside the corporate network?

Yes. The policy requires a personal firewall on every endpoint regardless of network location. Lateral movement within the internal network is one of the most common escalation paths after an initial compromise. Relying solely on the perimeter firewall leaves endpoints unprotected once an attacker is inside.