ISO 27001 control 8.7: Protection against malware

Malware doesn’t need to be sophisticated to cause catastrophic damage. A single phishing email that slips past basic antivirus can give an attacker a foothold, and without layered defenses, that foothold becomes lateral movement, data exfiltration, and weeks of operational paralysis. ISO 27001 control 8.7 exists because endpoint protection alone was never enough.

What 8.7 requires

The control text itself is a single sentence: protection against malware shall be implemented and supported by appropriate user awareness. The implementation guidance in ISO 27002:2022 makes clear what "implemented" means in practice: layered detection, prevention, and recovery controls, reinforced by a user awareness program that reduces the likelihood of infection through human error. The control demands more than installing antivirus software on endpoints.

The standard does not prescribe products, but auditors expect a defense-in-depth strategy that spans multiple attack vectors. In practice this includes Endpoint Detection and Response (EDR) tools that go beyond signature-based scanning, application allowlisting that prevents unauthorized software from executing on critical systems, web filtering that blocks access to known malicious domains, and automated patch management that closes vulnerabilities before attackers weaponize them. Network gateway controls should scan traffic entering and leaving the environment, and email security gateways should filter malicious attachments and links before they reach users.

Recovery controls are equally critical. You need isolated backup infrastructure that ransomware can’t reach, tested restoration procedures, and documented incident response playbooks specific to malware events. The user awareness component isn’t optional window dressing. It requires structured training that teaches employees to recognize phishing, social engineering, and unsafe download behaviors, with regular reinforcement rather than a single annual session.

The scope is broad by design. Every system that processes, stores, or transmits organizational data falls under 8.7, including servers, workstations, mobile devices, and cloud workloads. Organizations pursuing ISO 27001 compliance must treat this control as foundational to their information security management system.

Why 8.7 matters

In a common pattern, an employee at an organization relying solely on signature-based antivirus receives a phishing email with a malicious attachment. The attachment uses a recently discovered technique that bypasses basic AV detection. Within hours, the attacker establishes persistence, moves laterally across flat network segments, and begins exfiltrating sensitive data. The organization discovers the breach weeks later, only after a customer reports suspicious activity. Recovery takes months because backup infrastructure sat on the same network segment, and the ransomware encrypted those systems too.

This scenario plays out with alarming frequency across organizations of every size, and understanding ransomware prevention best practices is critical to avoiding it. Verizon’s 2024 Data Breach Investigations Report found that ransomware or extortion appeared in roughly one-third of all breaches, making it a top threat across 92% of industries. The financial impact extends well beyond ransom payments. Business interruption, forensic investigation, legal counsel, regulatory notification, and reputational damage compound into costs that can threaten organizational viability.

Organizations that fail to implement layered malware defenses face three compounding risk categories:

  • Operational disruption: Ransomware can halt business operations for weeks or months, with recovery costs that dwarf the initial ransom demand
  • Data breach: Attackers routinely exfiltrate data before deploying ransomware, creating dual extortion scenarios that regulatory disclosure requirements amplify
  • Regulatory and contractual exposure: Failure to implement reasonable malware protections can result in enforcement actions under GDPR and HIPAA, and in fines or loss of card-processing privileges under PCI DSS, all of which expect defense-in-depth

The cost of recovery extends beyond direct expenses. Customers lose confidence when they learn their data was compromised through preventable failures. Regulatory bodies increasingly treat the absence of layered malware defenses as evidence of negligence rather than an unfortunate oversight, and resources like CISA’s ransomware guidance set baseline expectations. And ISO 27001 auditors are likely to flag single-layer protection strategies as nonconformities during surveillance audits, potentially jeopardizing your certification.

What attackers exploit

Malware campaigns succeed by targeting specific gaps in an organization’s defenses:

  • Endpoints without EDR, relying on signature databases (often out of date) that by design cannot see polymorphic or fileless malware
  • No application allowlisting, allowing users to install unapproved software that introduces vulnerabilities or acts as a backdoor
  • Missing web filtering, giving employees unrestricted access to malicious domains used for drive-by downloads and command-and-control communication
  • Unpatched systems with known vulnerabilities that exploit kits target automatically — effective vulnerability management closes these gaps
  • No user awareness training, leaving employees unable to recognize phishing emails, malicious attachments, or social engineering tactics
  • Lack of network segmentation, enabling lateral movement from a single compromised endpoint to domain controllers and critical databases
  • Backups connected to production networks, allowing ransomware to encrypt recovery infrastructure alongside primary systems
  • Disabled antivirus without exception management processes, creating blind spots that persist indefinitely

How to implement 8.7

For your organization

Building effective malware protection requires a structured approach that addresses detection, prevention, recovery, and human behavior simultaneously.

Deploy layered malware defenses. Install EDR on all endpoints, configure network gateway scanning for inbound and outbound traffic, and deploy server-side antimalware across your infrastructure. Endpoint detection platforms like CrowdStrike or Microsoft Defender for Endpoint provide behavioral analysis that catches threats signature-based tools miss. Email security gateways should scan attachments in sandbox environments before delivery. Integrate your SIEM or SOAR platform to correlate alerts across these layers, so a suspicious email attachment flagged at the gateway can be cross-referenced with endpoint telemetry showing the same payload attempting execution.

Implement application allowlisting on critical systems. Define approved software inventories for servers and high-value workstations. Block execution of any application not on the allowlist. Start with the most sensitive systems, such as domain controllers and database servers, and expand coverage incrementally. Maintain a change management process for adding new applications to the allowlist so that approvals are documented and auditable.

Establish automated patch management. Configure automated scanning and deployment for operating system and application patches. Prioritize based on FIRST’s Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog rather than CVSS severity alone: a CVSS 7.5 flaw that is actively exploited deserves a shorter deadline than a CVSS 9.8 flaw with no known exploitation. Track patch compliance rates and set SLAs for critical vulnerability remediation.
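The prioritization described above, as an added example written for this article rather than tooling from ISO, CISA or FIRST. Scanner findings, the KEV list and the EPSS scores are normally exported from their respective feeds; here all three are constructed inline so the script runs offline, the CVE identifiers are placeholders (CVE-0000-*), not real entries, and the SLA tiers are an assumed policy.

```python
"""Rank open vulnerability findings for patching by evidence of exploitation
(KEV membership, EPSS probability) ahead of raw CVSS severity.

Added example for the article; not code from ISO, CISA or FIRST. All input
data below is constructed, the CVE identifiers are placeholders, and the
SLA tiers are an assumed policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    internet_facing: bool


# Assumed remediation SLAs in days per priority tier; set these to your policy.
SLA_DAYS = {1: 3, 2: 7, 3: 14, 4: 30, 5: 90}

# Constructed sample data standing in for a scanner export, the KEV catalog and
# the EPSS feed. None of these CVE identifiers is real.
FINDINGS = [
    Finding("web-01",   "CVE-0000-0001", 9.8, True),   # critical CVSS, no exploitation evidence
    Finding("db-02",    "CVE-0000-0002", 7.5, False),  # listed in KEV
    Finding("jump-03",  "CVE-0000-0003", 8.1, True),   # high EPSS, exposed
    Finding("hr-04",    "CVE-0000-0004", 5.3, False),  # medium CVSS but in KEV
    Finding("dev-05",   "CVE-0000-0005", 7.2, False),  # high CVSS only
    Finding("kiosk-06", "CVE-0000-0006", 4.0, False),  # routine
]
KEV = {"CVE-0000-0002", "CVE-0000-0004"}
EPSS = {"CVE-0000-0001": 0.03, "CVE-0000-0002": 0.94, "CVE-0000-0003": 0.71,
        "CVE-0000-0004": 0.62, "CVE-0000-0005": 0.08}


def tier(f: Finding, kev: set[str], epss: dict[str, float]) -> tuple[int, str]:
    """Return (priority tier, reason). A lower tier number means patch sooner."""
    p = epss.get(f.cve, 0.0)
    if f.cve in kev:
        return 1, "listed in KEV (exploitation observed in the wild)"
    if p >= 0.5:
        return 2, f"EPSS {p:.2f} (likely to be exploited soon)"
    if f.cvss >= 9.0 and f.internet_facing:
        return 3, "critical CVSS on an internet-facing host"
    if f.cvss >= 7.0:
        return 4, "high CVSS, no exploitation evidence"
    return 5, "routine"


def rank(findings: list[Finding], kev: set[str], epss: dict[str, float]) -> list[dict]:
    """Order findings by tier, then EPSS, then CVSS, and attach reason and SLA."""
    rows = []
    for f in findings:
        t, why = tier(f, kev, epss)
        rows.append({"host": f.host, "cve": f.cve, "tier": t,
                     "sla_days": SLA_DAYS[t], "reason": why,
                     "epss": epss.get(f.cve, 0.0), "cvss": f.cvss})
    rows.sort(key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))
    return rows


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The ordering a severity-only process would produce, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    for r in rank(FINDINGS, KEV, EPSS):
        print(f"P{r['tier']} due in {r['sla_days']:>2}d  {r['host']:<8} {r['cve']}  "
              f"CVSS {r['cvss']:.1f}  EPSS {r['epss']:.2f}  {r['reason']}")
    print("CVSS-only order:", cvss_only_order(FINDINGS))
```

Run as-is, the exploitation-aware ranking puts the two KEV entries first, including the CVSS 5.3 one that a severity-only queue would leave near the bottom, while the CVSS 9.8 finding with no exploitation evidence drops to fourth. In production, replace the constructed dictionaries with exports from your scanner, the KEV JSON feed and the daily EPSS CSV, and re-run on each feed update so tiers move as exploitation evidence changes.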

Configure web filtering. Block access to known malicious domains, newly registered domains, and uncategorized sites. Integrate threat intelligence feeds that update block lists automatically. Log all blocked requests for threat hunting and incident investigation. Pay particular attention to DNS-based filtering, which can block malware command-and-control communication even when the malware bypasses other controls. The caveat is that DNS filtering only sees queries that reach your resolver: malware that uses DNS over HTTPS to a public resolver, or hardcoded IP addresses, never asks it. Force endpoints to use the corporate resolver and block outbound traffic to unsanctioned DoH and DoT services so the filter cannot be side-stepped.

Build a user awareness training program. Deliver phishing simulations monthly, not annually; short, frequent, relevant exercises change behavior, and a single yearly module does not. Provide role-specific training that reflects the actual threats each team faces. Finance teams should receive training on invoice fraud and business email compromise. IT staff should learn to recognize credential harvesting attacks targeting administrative accounts. Measure click rates, reporting rates, and time-to-report as program effectiveness metrics, and use that data to adjust training content each quarter.

Create a malware exception management process. When business needs require disabling protections temporarily, document the justification, set expiration dates, implement compensating controls, and assign accountability for re-enabling protections. UpGuard User Risk capabilities can help identify when employees use unapproved applications that bypass endpoint protection controls.

Maintain isolated backup infrastructure. Store backups on air-gapped or immutable storage that ransomware can’t modify, and keep the credentials that administer the backup platform separate from the domain administrator accounts an attacker harvests from a compromised endpoint; ransomware operators routinely delete or encrypt backups with stolen admin credentials before detonating. Implement the 3-2-1 backup rule as a minimum: three copies of data, on two different media types, with one copy stored offsite or in an isolated cloud environment. Test restoration procedures quarterly against realistic scenarios, including full environment rebuilds and time-to-recovery measurements against your defined Recovery Time Objectives (RTOs).

Establish malware-specific incident response procedures. Document containment steps, including network isolation of affected systems, forensic imaging requirements, communication templates, and escalation criteria. Define clear decision trees for when to pay or refuse ransom demands, who has authority to make that decision, and what legal counsel must be engaged, including sanctions screening of the threat actor before any payment is considered. Run tabletop exercises that simulate ransomware events at least twice per year, and incorporate lessons learned from each exercise into updated playbooks.

Common mistakes:

  • Treating antivirus installation as sufficient malware protection without EDR, network controls, or user training
  • Excluding non-Windows systems from malware protection strategies, ignoring Linux servers and macOS endpoints
  • No exception management process for temporarily disabled protections, creating permanent blind spots
  • Annual-only awareness training that doesn’t reinforce recognition skills between sessions
  • Storing backups on the same network segment as production systems
  • Not testing recovery procedures, discovering backup failures only during an actual incident

For your vendors

Assessing your vendors’ malware protection posture through structured vendor risk management requires going beyond self-attestation. Ask specific questions that reveal the maturity of their defenses.

Questionnaire questions to include:

  • What endpoint protection solution do you deploy, and does it include behavioral detection beyond signature matching?
  • Do you maintain an application allowlisting policy for production systems?
  • What is your mean time to patch critical vulnerabilities?
  • How frequently do you conduct phishing simulations, and what are your click and reporting rates?
  • Are your backups stored on isolated infrastructure with immutable retention policies?

Evidence to request:

  • Current EDR deployment coverage report showing percentage of endpoints protected
  • Patch management SLA documentation and compliance metrics for the past 12 months
  • User awareness training records showing frequency, participation rates, and simulation results
  • Backup architecture documentation demonstrating isolation from production networks
  • Malware incident response playbook with evidence of tabletop exercises

Red flags in vendor responses:

  • Claiming “antivirus on all systems” without mentioning EDR, behavioral detection, or network-level controls
  • Unable to provide patch compliance metrics or patching SLAs
  • User awareness training limited to onboarding or annual refreshers
  • Backup infrastructure described without isolation or immutability controls
  • No documented exception management for disabled protections

Verification should include requesting independent audit reports (SOC 2 Type II, ISO 27001 certification) and checking whether malware protection controls are explicitly covered in the audit scope. Where vendors process sensitive data or connect to your network, request evidence of Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) platform integration that demonstrates active monitoring and automated response capabilities.

For critical vendors, go beyond documentation review. Ask for live demonstrations of their EDR console showing detection rates and response times. Request evidence of their most recent malware incident and how their controls performed during the event. Vendors who can’t produce this evidence likely have gaps they haven’t measured.

Audit evidence for 8.7

Auditors expect documented evidence that malware controls are operational, maintained, and effective. The key principle is demonstrating that controls are actively managed, not just initially deployed. A thorough cybersecurity risk assessment should inform which artifacts you prioritize. Prepare the following before your assessment, ensuring each reflects current operational state rather than point-in-time snapshots from deployment.

Evidence type and example artifact:

  • Policy documentation: Malware Protection Policy defining detection tools, update cadence, exception handling procedures, and responsible roles
  • EDR deployment records: Dashboard export showing endpoint coverage percentage, agent versions, and last check-in timestamps
  • Patch management reports: Monthly compliance reports showing patching SLAs, outstanding critical vulnerabilities, and remediation timelines
  • Application allowlisting configuration: Approved software inventory with change management records for additions and removals
  • Web filtering logs: Configuration exports showing blocked categories, threat intelligence feed integrations, and sample block reports
  • User awareness training records: Phishing simulation results with click rates, reporting rates, and training completion records by quarter
  • Backup testing documentation: Quarterly restoration test reports including recovery time measurements and success/failure outcomes
  • Incident response records: Malware-specific playbooks with evidence of tabletop exercises and any real incident post-mortems

Cross-framework mapping

ISO 27001 control 8.7 aligns with malware protection requirements across multiple security frameworks, reducing duplicate compliance effort when you map controls once and apply evidence across audits.

Framework, equivalent control(s), and coverage of 8.7:

  • NIST SP 800-53: AT-2 (Literacy Training and Awareness), partial
  • NIST SP 800-53: SI-3 (Malicious Code Protection), full
  • SOC 2: CC6.8 (Preventing and Detecting Unauthorized Software), partial
  • CIS Controls v8.1: Control 10 (Malware Defenses), full
  • NIST CSF 2.0: PR.PS (Platform Security) and DE.CM (Continuous Monitoring), partial
  • DORA: Article 9 (Protection and Prevention), partial

Where coverage is marked as partial, the mapped control addresses a subset of 8.7 requirements. You will need additional controls from the target framework to achieve full equivalence. Maintaining a cross-framework control mapping reduces audit fatigue by allowing you to collect evidence once and apply it across multiple compliance programs. Security Governance, Risk, and Compliance (GRC) platforms can automate this mapping and track evidence freshness across frameworks.

Control 8.7 doesn’t operate in isolation. Effective malware protection depends on supporting controls that govern access, awareness, operations, and monitoring. Understanding these relationships helps you design a cohesive security program where controls reinforce each other rather than operating as independent checkboxes.

Related ISO 27001 controls and their relationship to 8.7:

  • 5.10 Acceptable use of information and other associated assets: Defines user behavior policies that reduce malware infection vectors
  • 6.3 Information security awareness, education, and training: Provides the training infrastructure 8.7 requires for user awareness
  • 8.1 User endpoint devices: Establishes baseline security configurations for endpoints where malware protections deploy
  • 8.8 Management of technical vulnerabilities: Patch management directly reduces the attack surface malware exploits
  • 8.9 Configuration management: Ensures systems maintain hardened configurations that resist malware execution
  • 8.13 Information backup: Provides recovery capability when malware compromises primary systems
  • 8.16 Monitoring activities: Detects malware indicators through log analysis and behavioral monitoring
  • 8.19 Installation of software on operational systems: Controls software installation to prevent unauthorized or malicious applications
  • 8.23 Web filtering: Blocks access to malicious domains that distribute malware payloads
  • 8.32 Change management: Ensures malware protection configurations are maintained through system changes

Frequently asked questions

What is ISO 27001 8.7?

ISO 27001 control 8.7 requires that protection against malware be implemented and supported by appropriate user awareness. Meeting it in practice means layered detection, prevention, and recovery controls rather than antivirus alone: EDR, application allowlisting, web filtering, patch management, network gateway scanning, isolated backup infrastructure, and a recurring awareness program.

What happens if 8.7 is not implemented?

Without the layered defenses 8.7 requires, a single phishing email or unpatched vulnerability can lead to ransomware deployment, data exfiltration, and weeks of operational downtime. Organizations also face regulatory penalties, and a surveillance audit that finds single-layer protection will raise a nonconformity that, if not closed within the certification body’s deadline, can lead to suspension or withdrawal of ISO 27001 certification.

How do you audit 8.7?

Auditors verify 8.7 by reviewing malware protection policies, EDR deployment coverage reports, patch management compliance metrics, user awareness training records, backup restoration test results, and incident response playbooks. They look for evidence that controls are actively maintained and tested, not just documented.

How UpGuard helps

Malware protection isn’t only about blocking threats at the endpoint. Workforce behavior creates the gaps that malware exploits, from unapproved applications that bypass security controls to compromised credentials that give attackers a head start.

The UpGuard User Risk product discovers these hidden workforce risks and provides the visibility you need to close them before they become incidents.

  • User Risk discovers unapproved applications that bypass endpoint protection controls, giving you visibility into Shadow IT and Shadow AI usage across your workforce
  • Real-time contextual nudges coach employees at the moment of risky behavior, replacing ineffective annual training with targeted interventions that build lasting secure habits
  • Compromised credential monitoring identifies workforce exposure before attackers exploit it, alerting you when employee credentials appear in dark web data breaches
