ISO 27001 Control 8.23: Web Filtering
Web filtering is your first line of defense against malicious websites, phishing campaigns, and data exfiltration risks. Control 8.23 requires organizations to manage external website access through technical controls that block dangerous content before users encounter it. Without proper filtering, your team remains exposed to sophisticated threats that bypass perimeter security.
What this means
Control 8.23 mandates that organizations implement and maintain web filtering solutions to protect against three primary threats: malicious content (malware, drive-by downloads), phishing attacks (credential harvesting, social engineering), and unauthorized information disclosure (data exfiltration to external sites). This control applies to all external web traffic and should cover both employee devices and network gateways. Filtering must be risk-based, blocking known-malicious domains while allowing legitimate business access.
How to comply
- 1.Deploy web filtering technology at the network gateway and on individual endpoints to inspect HTTP/HTTPS traffic
- 2.Configure blocklists for known malicious domains, phishing sites, and suspicious IP addresses using threat intelligence feeds
- 3.Define category-based policies (gambling, adult content, file-sharing, etc.) aligned to your organization's risk appetite and business needs
- 4.Implement URL reputation checking and DNS filtering to prevent access to newly-registered malicious domains
- 5.Log all web filtering events including blocked requests, blocked categories, and allowed exceptions for audit trails
- 6.Establish an exception process with approvals for legitimate business sites that trigger filtering rules
- 7.Review and update filtering policies quarterly based on emerging threats and business changes
- 8.Conduct user training on phishing recognition and the purpose of web filtering controls
Evidence auditors look for
- Web filtering solution configuration documentation showing active blocklists and category policies
- Threat intelligence feed subscriptions (e.g., Proofpoint, Zscaler, Fortinet threat feeds)
- Sample web filtering logs demonstrating blocked malicious domains and phishing attempts
- Policy document defining approved website categories and exception approval workflow
- Screenshot of filtering dashboard showing block rates, top blocked categories, and threat detections
- Exception approval records for legitimate business websites added to allowlists
- Quarterly policy review meeting notes documenting filtering rule updates
- User awareness training records covering phishing identification and web filtering rationale
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch centralizes web filtering policy management and automatically tracks blocklist configurations, exception approvals, and threat-feed updates in a single audit-ready dashboard—eliminating manual log review and evidence collection.
See how GRCWatch handles this control automatically
Start free trial