What Is the ISO 27001 Specification?
ISO 27001 (currently ISO/IEC 27001:2022) is the international standard that specifies the requirements for an Information Security Management System (ISMS). An ISMS is a framework of policies, processes and controls through which an organization establishes, implements, maintains and continually improves the management of its information security risks. Annex A of ISO 27001 lists the reference security controls from which an organization selects, on the basis of its risk assessment, to identify and manage threats in a continually evolving threat landscape.
ISO 27002 is a supplementary standard that describes, in detail, the security controls listed in Annex A of ISO 27001.
Over time, changes in the threat landscape have required the controls to be amended and reorganized. The 2022 edition of ISO 27001 lists 93 controls, grouped into four themes:
- Organisational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (44 controls)
Examples of controls in the current edition (ISO/IEC 27001:2022) include:
- Threat intelligence
- Information security for the use of cloud services
- Security awareness and training
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
During ISO 27001 certification, every Annex A control must appear in the Statement of Applicability (SoA), with a justification for each control the organization has chosen not to implement.
Web filtering is an essential element of the ISO 27001 security controls. It appears in ISO 27001:2022 Annex A as Control 8.23, Web filtering: “Access to external websites should be managed to reduce exposure to malicious content.”
Control 8.23 treats web filtering as a measure for preventing access to malicious or otherwise inappropriate websites. Using web filtering to satisfy the control helps reduce the risk of malware infection and data breach. The guidance for Control 8.23 recommends blocking high-risk websites, applying least-privilege access so that users can reach only the sites their role requires, and training staff in safe internet use.
Auditors will want evidence that the organization is actively preventing access to malicious websites, not just a policy saying that it should. Blocking logs and summary reports generated by the web filter, such as WebTitan, provide that evidence.
Why Is ISO 27001 So Important?
Internet-based threats evolve continually, and AI-assisted attacks have made ransomware, malware infections, phishing and data breaches harder to detect and prevent. ISO 27001 provides a set of requirements and guidance that reflects the current state of the cyber threat landscape. Its policies and security controls are proactive measures which together form a systematic approach to securing an organization's data, people and resources: the Information Security Management System (ISMS).
When fully implemented, the controls cover the organization's entire digital and physical infrastructure. ISO 27001 also takes in the organization's people and business requirements, so that cybersecurity is treated as a holistic exercise rather than a purely technical one.
A comprehensive and systematic approach to securing your organization's assets shows customers, clients and business partners that you take security seriously and will protect their data as well as your own.
A certified ISMS gives outsiders a view of the organization's security posture. In an era of sophisticated, evasive and complex cyber threats, a cybersecurity programme built on ISO 27001 demonstrates that the company is serious about security.
What Businesses Need ISO 27001 Accreditation?
ISO 27001 certification (often loosely called accreditation; strictly, an organization is certified and the certification bodies that audit it are accredited) is not a legal requirement. However, many tenders, especially government bids, either require ISO 27001 certification or give preference to vendors who can demonstrate that they use recognized security controls.
Organizations in critical infrastructure sectors such as telecoms, government, finance, healthcare, utilities and manufacturing have the most to gain from ISO 27001 certification, as they are the most likely to be asked for it.
Any organization holding ISO 27001 certification has demonstrable proof of its commitment to securing data and digital assets, and so a competitive advantage over those without it.
Do All Web Filtering Services Meet ISO 27001 Specification?
ISO 27001 certification is awarded to an organization for its ISMS, not to a product. Web filtering is, however, a control within Annex A (Control 8.23), so the web filtering service the organization relies on must be capable of satisfying that control and of producing the evidence that it does.
When evaluating a web filter to meet ISO 27001 Control 8.23, look for the following features and capabilities:
Proactive malicious website detection
The threat landscape changes quickly: attackers register fresh domains constantly and use domain generation algorithms to produce new ones automatically, so a filter that relies only on a static list of known malicious URLs is always a step behind. Choose a web filter that combines reputation data with machine-learning classification trained on a large threat corpus, so that it can flag emerging and zero-day threats rather than only those already catalogued.
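As an illustration of why a static list alone is not enough, the following added example (not WebTitan's classifier or any TitanHQ code) combines a blocklist lookup with a simple lexical heuristic for algorithmically generated domains: label length, Shannon entropy, digit ratio and consonant runs. The blocklist entries, thresholds and domain names are constructed for the example, and the heuristic is a deliberately simple stand-in for the machine-learning model the text recommends.

```python
import math
from collections import Counter

# Constructed static blocklist standing in for a conventional "known bad" database.
STATIC_BLOCKLIST = {"known-bad.example"}

VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'xk7q2mzp9vbw3r' from 'xk7q2mzp9vbw3r.example'.
    Simplification: assumes a single-label public suffix; a real filter would
    consult the Public Suffix List so that 'shop.co.uk' yields 'shop'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(domain: str) -> dict:
    label = registrable_label(domain)
    n = len(label)
    if n == 0:
        return {"label": label, "length": 0, "entropy": 0.0,
                "digit_ratio": 0.0, "max_consonant_run": 0}
    counts = Counter(label)
    # Shannon entropy in bits per character: high for near-random strings.
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return {"label": label, "length": n, "entropy": entropy,
            "digit_ratio": digit_ratio, "max_consonant_run": best}


def dga_score(domain: str) -> int:
    """Count of 'looks generated' signals, 0..4. Thresholds are illustrative."""
    f = label_features(domain)
    score = 0
    if f["length"] >= 12:
        score += 1
    if f["entropy"] >= 3.5:
        score += 1
    if f["digit_ratio"] >= 0.2:
        score += 1
    if f["max_consonant_run"] >= 4:
        score += 1
    return score


def classify(domain: str, threshold: int = 2) -> str:
    """Static list first (cheap, exact), then the heuristic for anything unlisted."""
    if domain.lower().strip(".") in STATIC_BLOCKLIST:
        return "block:listed"
    if dga_score(domain) >= threshold:
        return "block:dga-heuristic"
    return "allow"


if __name__ == "__main__":
    for d in ["known-bad.example", "intranet.example",
              "cloudsecurity.example", "xk7q2mzp9vbw3r.example"]:
        print(f"{d:28} {classify(d)}  features={label_features(d)}")
```

The long dictionary word `cloudsecurity.example` scores only one signal (length) and is allowed, while the generated-looking `xk7q2mzp9vbw3r.example` trips three and is blocked even though no list has ever seen it. A production model would learn such thresholds from labelled data and add reputation, registration age and query-volume features; the lexical signals alone produce false positives on CDN and tracking hostnames.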
Cloud-based web filtering
A cloud-based web filter scales with the organization and is easier to manage and configure than an on-premises appliance, so that important policy changes and protection updates take effect quickly.
Dealing with encrypted malicious websites
Most websites, malicious ones included, are now served over HTTPS, and the padlock says nothing about whether the content is safe. A compliant web filter must therefore be able to apply policy to encrypted (HTTPS) traffic, whether by filtering at the DNS layer, by reading the server name from the TLS handshake, or by TLS inspection where the organization permits it.
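The following added example, which is not part of the original page or of any TitanHQ product, shows one way a filter can apply hostname policy to HTTPS without decrypting it: parsing the Server Name Indication (SNI) out of the TLS ClientHello, which the client sends in clear before encryption begins. The blocklist is constructed, and `build_client_hello` exists only to produce constructed input for the parser. The fallback matters: with Encrypted Client Hello or a missing SNI the hostname is not visible, and the filter must defer to DNS- or IP-based reputation.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B

# Constructed blocklist of hostnames; a real filter would consult its reputation feed.
BLOCKED_HOSTS = {"malware-drop.example", "phish-login.example"}


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal ClientHello record. This exists only to produce constructed
    sample input for the parser below; real records come off the wire."""
    extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                # legacy client_version (TLS 1.2)
        + b"\x00" * 32                             # random (constructed zeros)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                   # truncated on the wire
        pos = 2 + 32                                      # skip version and random
        pos += 1 + body[pos]                              # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                 # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0:
                    return name.decode("ascii").lower()
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def filter_connection(record: bytes) -> str:
    """Policy decision for one ClientHello: block, allow, or defer when no SNI is
    visible, in which case DNS- or IP-based reputation is the fallback."""
    host = extract_sni(record)
    if host is None:
        return "defer:no-sni"
    return "block" if host in BLOCKED_HOSTS else "allow"


if __name__ == "__main__":
    for target in ["malware-drop.example", "www.example.com", None]:
        print(target, "->", filter_connection(build_client_hello(target)))
```

The parser treats every length field as untrusted and returns None rather than raising on truncated or malformed input, which is the behaviour you want in an inline filter: a deliberately malformed ClientHello must not crash the filter into fail-open. SNI gives the hostname only, never the URL path, so category decisions at this layer are per-host; path-level filtering needs TLS inspection.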
Evidence of compliance
ISO 27001 certification and the audits that precede it require proof of adherence to the Annex A controls. A web filter must therefore be able to generate comprehensive reports on demand or on a schedule, and retain the underlying logs for the period the auditor will examine.
Access management and policies
A web filter must control who can reach its configuration and management interfaces, and it must enforce policy at a granular level, per group or per individual user.
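To make the evidence and policy requirements above concrete (and the auditor's need for reports mentioned earlier under Control 8.23), here is an added example, not WebTitan's code or anything from TitanHQ, of a minimal policy engine with an evidence report. It applies a per-group policy on top of an always-blocked malicious baseline to a constructed DNS query log, then summarises what was blocked, why and for whom. The category database, group names, hostnames and log lines are all constructed for the example.

```python
from collections import Counter
from typing import Optional

# Constructed category database. A real filter resolves categories from its
# threat-intelligence feed; these entries exist only to make the example run.
CATEGORY_DB = {
    "payroll.example": "business",
    "news.example": "news",
    "videos.example": "streaming",
    "malware-drop.example": "malware",
    "phish-login.example": "phishing",
    "cnc.example": "command-and-control",
}

# Categories blocked for every group regardless of policy (the 8.23 baseline).
MALICIOUS = {"malware", "phishing", "command-and-control"}

# Per-group policy: additional categories each group may not reach.
# Groups absent from the table fall back to "default".
GROUP_POLICY = {
    "finance": {"streaming"},
    "marketing": set(),
    "default": {"streaming"},
}


def categorise(host: str) -> str:
    return CATEGORY_DB.get(host, "uncategorised")


def decide(group: str, host: str):
    """Return (action, category, reason) for one query from a member of `group`."""
    category = categorise(host)
    if category in MALICIOUS:
        return "block", category, "malicious"
    policy_name = group if group in GROUP_POLICY else "default"
    if category in GROUP_POLICY[policy_name]:
        return "block", category, f"group-policy:{policy_name}"
    return "allow", category, "permitted"


# Constructed query log (timestamp, user, group, queried name); the last line is
# deliberately malformed to show that bad records are skipped, not crashed on.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z alice finance payroll.example
2024-05-02T09:14:09Z alice finance videos.example
2024-05-02T09:15:30Z bob marketing videos.example
2024-05-02T09:16:02Z bob marketing phish-login.example
2024-05-02T09:17:45Z carol default malware-drop.example
2024-05-02T09:18:10Z carol default cnc.example
2024-05-02T09:19:01Z dave default news.example
2024-05-02T09:20:15Z erin contractors videos.example
this line is not a valid record
"""


def parse_line(line: str) -> Optional[tuple]:
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, group, qname = parts
    return ts, user, group, qname.lower().rstrip(".")


def process_log(text: str) -> list:
    """Apply the policy to every well-formed record and keep the decision trail."""
    decisions = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, group, qname = rec
        action, category, reason = decide(group, qname)
        decisions.append({"ts": ts, "user": user, "group": group, "qname": qname,
                          "action": action, "category": category, "reason": reason})
    return decisions


def evidence_report(decisions: list) -> dict:
    """Summary an auditor can read against Control 8.23: what was blocked, why, for whom."""
    blocked = [d for d in decisions if d["action"] == "block"]
    return {
        "total_queries": len(decisions),
        "blocked": len(blocked),
        "blocked_malicious": sum(1 for d in blocked if d["reason"] == "malicious"),
        "blocked_by_group": dict(Counter(d["group"] for d in blocked)),
        "blocked_by_category": dict(Counter(d["category"] for d in blocked)),
        "malicious_hosts": sorted({d["qname"] for d in blocked if d["reason"] == "malicious"}),
    }


if __name__ == "__main__":
    for key, value in evidence_report(process_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Two design points carry over to a real deployment: the malicious baseline is evaluated before any group policy, so no group can be configured into reaching a phishing or command-and-control host; and the per-decision trail (not just the totals) is what lets an auditor sample individual events and trace each block back to the rule that caused it.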
TitanHQ has ISO 27001 certification.
What Are The ISO 27002 Information Security Controls?
Four categories
- Organisational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (44 controls)
93 controls
ISO/IEC 27001:2013 was updated to ISO/IEC 27001:2022, which introduced 11 new controls; Annex A Control 8.23, Web filtering, is one of them.
Five attributes
- Control types
- Information security properties
- Cybersecurity concepts
- Operational capabilities
- Security domains
Some examples of controls include the following:
Organizational:
Control 5.1: Policies for information security
Control 5.7: Threat intelligence
Control 5.12: Classification of information
Control 5.15: Access control
People:
Control 6.3: Information security awareness, education, and training
Control 6.7: Remote working
Physical:
Control 7.2: Physical entry
Control 7.6: Working in secure areas
Control 7.10: Storage media
Technological:
Control 8.5: Secure authentication
Control 8.7: Protection against malware
Control 8.12: Data leakage prevention
Control 8.23: Web filtering
Control 8.24: Use of cryptography
ISO 27001 sets out the requirements and structure for building an ISMS, and ISO 27002 gives implementation guidance for the Annex A controls used to protect the information within its scope.
WebTitan and ISO 27001 Compliance
ISO 27001:2022 introduced the new Control 8.23, Web filtering. It builds on existing controls that a web filter also supports, namely Control 8.7: Protection against malware and Control 8.16: Monitoring activities.
WebTitan is an AI-powered web filter that meets the requirements of ISO 27001 for web filtering and the related controls. The WebTitan features that help an organization meet those requirements are as follows:
- Real-time URL threat protection powered by machine learning trained on data from over 650 million end users, and growing.
- A real-time database containing over 3 million malicious URLs, phishing sites, and IP addresses.
- Every single day, TitanHQ identifies 100,000 NEW malicious threats and URLs.
- Real-Time categorization and malicious detection for domains, full-path URLs, and IP addresses.
- Industry-leading 99.9% coverage and over 99% accuracy for ActiveWeb URLs and IPs.
- 100% coverage of the top 1 million most visited websites (ActiveWeb)
- Highly granular categories, which include malicious, objectionable, and topic-based groups
- Ten malicious categories, including Botnet, Phishing/Fraud, Malware Distribution Point, Command and Control, Cryptocurrency Mining, Ad Fraud, and more.
- Malicious URLs are revisited daily to determine if they are still infected, abandoned, or cleaned. This ensures that our malicious database stays as “fresh” and accurate as possible.
- Support for over 200 languages.
- Real-time continuous updates provide up-to-the-minute protection against newly identified malicious sources.
Alternatives to ISO 27001 Accreditation
ISO 27001 is the most widely recognized international standard for information security management, but it is not the only way to demonstrate security. Some alternative and complementary frameworks are as follows:
SOC 2 (System and Organization Controls 2)
Targeted at service organizations that process or store client data, typically in the cloud. It is an auditor's attestation report rather than a certification, and is based on the five Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). Main geography – USA.
NIST CSF 2.0 (Cybersecurity Framework)
A voluntary framework of security outcomes and best practices, organized around six functions (Govern, Identify, Protect, Detect, Respond and Recover), for implementing the policies, processes and measures that protect an organization against cyber attacks. Main geography – USA.
ASD Essential Eight
Eight baseline mitigation strategies from the Australian Signals Directorate, recommended for all businesses and grouped under three objectives: preventing attacks, limiting the extent of attacks, and recovering data and system availability. Each strategy is assessed against defined maturity levels. Geography – Australia.
Cyber Essentials
A UK government scheme that provides baseline security guidelines. It targets UK companies of all types and sizes and is seen as a stepping stone to broader standards such as ISO 27001. Geography – UK.
ESA UAE Information Assurance Standards (IAS)
IAS takes a threat-based approach to cyber attack mitigation. Like ISO 27001, it is a continuous process for putting controls in place to mitigate information security risks. Geography – UAE.
Susan Morrow
Frequently Asked Questions (FAQs)
Wherever possible, choose cloud-based control technologies. A cloud-hosted solution typically provides a centralized console from which an organization (or its MSP) can deploy, configure, administer and manage the service. WebTitan web filtering for ISO 27001 is cloud-based.
DNS filtering is a form of web filtering, so it can satisfy Annex A Control 8.23, Web filtering. Choose a DNS filter that uses advanced techniques such as machine learning, so that the organization can keep ahead of the evolving threat landscape.
URL filtering falls under the umbrella term of web filtering. Compliant web filters such as WebTitan that include URL filtering therefore help an organization meet ISO 27001 Annex A Control 8.23, Web filtering.
Content filtering is a broad term that also falls under web filtering. It prevents employees and others from accessing inappropriate or dangerous websites, which is what enables a content filter to help an organization meet ISO 27001 requirements.
ISO 27001 is an international standard, not a legal requirement. Going through ISO 27001 certification does, however, help an organization reduce the risk of cyber attacks, including data breaches, ransomware and other malware infections. Certification to ISO 27001, or to an alternative framework that a tender accepts, lets the organization bid for contracts that require it, and demonstrates to clients, customers and others that the company uses best-practice security measures.