Episode 65 — A.8.23–8.24 — Web filtering; Use of cryptography

Annex A.8.23 defines the requirement for organizations to implement web filtering — controls that regulate and monitor user access to online resources. Its objective is to protect networks and users from exposure to malicious, inappropriate, or non-compliant content while maintaining alignment with the organization’s acceptable use policies. In modern environments, filtering extends beyond traditional office networks; it covers remote employees, mobile devices, and cloud-connected endpoints. The control ensures that traffic flowing to and from the internet adheres to defined policies and that high-risk destinations, such as phishing domains or unsanctioned cloud storage services, are automatically blocked. This creates an intelligent perimeter where every outbound request and inbound response can be evaluated for safety and legitimacy.

Web filtering operates through a combination of layered mechanisms that inspect traffic at different points in its journey. At the DNS layer, requests for known malicious domains are blocked before any connection occurs, preventing exposure to phishing or command-and-control servers. URL categorization systems classify websites by content type, risk level, and reputation, enabling policy-based access: for instance, allowing financial news sites but blocking peer-to-peer file sharing. Inline proxy inspection goes deeper, analyzing the payloads of HTTP sessions, and of HTTPS sessions where the proxy terminates TLS with a certificate the endpoints trust, for malicious scripts, drive-by downloads, or policy violations. For distributed or mobile workforces, cloud-based filtering extends this control beyond the traditional perimeter, applying consistent enforcement even when users connect from home or public networks. The outcome is continuous web hygiene: security that travels with the user rather than remaining locked at headquarters.
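The layered evaluation just described, as an added Go example written for this page rather than taken from the episode or from any filtering product. It assumes a policy in which threat-intelligence blocks at the DNS layer cannot be overridden by a business exception, while time-bound exceptions from the register do override category policy; every domain, category and ticket number in it is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Verdict is the filter's decision for one request and the layer that made it.
type Verdict struct {
	Allowed bool
	Layer   string // "dns", "exception", "category" or "default"
	Reason  string
}

// CategoryEntry maps a domain (and its subdomains) to a URL category.
type CategoryEntry struct {
	Domain, Category string
}

// Exception is a time-bound allowance as recorded in an exception register.
type Exception struct {
	Domain, Ticket string
	Expires        time.Time
}

// Filter holds the DNS-layer blocklist, the URL categorization and the policy.
type Filter struct {
	BlockedDomains    []string        // DNS layer: known phishing / C2 domains
	Categories        []CategoryEntry // URL categorization database (constructed)
	BlockedCategories map[string]bool // acceptable-use policy: categories to deny
	Exceptions        []Exception     // approved, expiring allowances
}

// domainMatches reports whether host is pattern or a subdomain of it. Matching
// on label boundaries avoids the classic bug where a substring check for
// "evil.example" also blocks "notevil.example".
func domainMatches(host, pattern string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	return host == pattern || strings.HasSuffix(host, "."+pattern)
}

// Evaluate applies the layers in order. Threat-intelligence blocks come first
// and cannot be overridden by a business exception; exceptions then override
// category policy; anything unmatched falls through to the default.
func (f *Filter) Evaluate(rawURL string, now time.Time) Verdict {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return Verdict{false, "default", "unparseable URL"}
	}
	host := u.Hostname()
	for _, d := range f.BlockedDomains {
		if domainMatches(host, d) {
			return Verdict{false, "dns", "blocklisted domain " + d}
		}
	}
	for _, e := range f.Exceptions {
		if domainMatches(host, e.Domain) && now.Before(e.Expires) {
			return Verdict{true, "exception", "ticket " + e.Ticket}
		}
	}
	for _, c := range f.Categories {
		if domainMatches(host, c.Domain) && f.BlockedCategories[c.Category] {
			return Verdict{false, "category", c.Category}
		}
	}
	return Verdict{true, "default", "no matching rule"}
}

// exampleFilter returns a constructed policy; every domain and ticket is made up.
func exampleFilter() *Filter {
	return &Filter{
		BlockedDomains:    []string{"phish.example"},
		Categories:        []CategoryEntry{{"share.example", "file-sharing"}, {"news.example", "finance-news"}},
		BlockedCategories: map[string]bool{"file-sharing": true},
		Exceptions: []Exception{{
			Domain: "share.example", Ticket: "CHG-0042",
			Expires: time.Date(2025, 1, 31, 0, 0, 0, 0, time.UTC),
		}},
	}
}

func main() {
	f := exampleFilter()
	now := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	for _, r := range []string{
		"https://login.phish.example/secure",
		"https://notphish.example/",
		"https://share.example/upload",
		"https://news.example/markets",
	} {
		v := f.Evaluate(r, now)
		fmt.Printf("%-36s allowed=%-5t layer=%-9s %s\n", r, v.Allowed, v.Layer, v.Reason)
	}
}
```

Two details are worth checking in any real deployment: that domain rules match on label boundaries (a subdomain of a blocklisted domain is blocked, a lookalike such as notphish.example is not), and that an exception stops working the moment its approved duration lapses, so the file-sharing upload is allowed under ticket CHG-0042 on 15 January and blocked by category policy on 1 February with no further change to the rules.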

The risks mitigated by web filtering are both immediate and reputational. Drive-by downloads and phishing pages are blocked before users can engage with them, drastically reducing the likelihood of malware infection or credential theft. Unauthorized uploads to cloud storage or file-sharing sites are intercepted, preventing accidental data leaks. Productivity drains caused by non-business browsing are curtailed, improving efficiency and reducing the potential for HR violations. From a compliance perspective, filtering also prevents employees from accessing websites that violate organizational ethics or regulatory guidelines, avoiding reputational damage that might arise from misuse. Each benefit reinforces the notion that controlling web access is not about restricting freedom but about enabling safe, reliable connectivity aligned with corporate mission and values.

Auditors evaluating adherence to A.8.23 expect clear, verifiable documentation. This includes a web-filtering policy outlining purpose, scope, and enforcement roles; configuration records showing how rules are applied within DNS, proxy, or firewall systems; and logs demonstrating that blocked and allowed traffic are recorded for review. Exception registers should include approval details and duration limits, proving that temporary allowances are controlled. Reports summarizing monitoring coverage and violation trends provide evidence of ongoing oversight. When properly maintained, these artifacts assure auditors that the organization isn’t relying on static tools but maintains a living system of control that evolves with the threat landscape.

Web filtering practices differ by industry but follow consistent intent. Educational institutions use filtering to block adult content, gaming sites, or social media distractions, balancing safety with academic freedom. Financial institutions restrict access to file-sharing or anonymizing services that could leak confidential information. Healthcare organizations block unsafe or unverified websites that could compromise patient data or introduce ransomware into medical networks. Government agencies deploy multi-layered filtering at departmental gateways to meet security mandates while maintaining operational transparency. Each implementation reflects the same logic: limit unnecessary exposure, maintain compliance, and preserve bandwidth for legitimate business activity.

Despite its strengths, web filtering is not a silver bullet. Over-blocking can frustrate employees and hinder legitimate business functions, creating workarounds that weaken overall security. Encrypted HTTPS traffic can conceal malicious content from inspection systems that lack TLS interception (decryption) capability or a modern proxy design; without decryption a filter sees only the destination, typically the DNS query and the server name in the TLS handshake, and not the page content. Reliance on outdated categorization databases may leave organizations blind to newly emerging threats. Some users deliberately bypass restrictions using VPNs, anonymizing proxies, or third-party encrypted DNS resolvers that sidestep DNS-layer filtering, undermining the control if monitoring and policy enforcement do not extend to endpoint devices. Recognizing and addressing these limitations is essential for keeping filtering effective, adaptive, and aligned with real-world operations.
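What a filter can still see in HTTPS without decrypting it, as an added Go example (not code from the episode or from any product): the destination hostname travels in clear text in the server_name (SNI) extension of the TLS ClientHello, so blocklist and category enforcement can key on it even when the payload is opaque; only content inspection needs TLS interception. The ClientHello is constructed inline as sample input, login.phish.example is a made-up name, and the parser assumes an unencrypted ClientHello (Encrypted Client Hello, where deployed, hides the name and this extraction returns an error).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// cursor is a bounds-checked reader; an over-read sets err instead of panicking.
type cursor struct {
	b   []byte
	pos int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || c.pos+n > len(c.b) {
		c.err = errors.New("truncated ClientHello")
		return nil
	}
	out := c.b[c.pos : c.pos+n]
	c.pos += n
	return out
}

// num reads an n-byte big-endian length (TLS uses 1-, 2- and 3-byte fields).
func (c *cursor) num(n int) int {
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// extractSNI walks a TLS record carrying a ClientHello and returns host_name from
// the server_name extension (RFC 6066); fields before the extensions are skipped by length.
func extractSNI(rec []byte) (string, error) {
	c := &cursor{b: rec}
	if c.num(1) != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	c.num(2) // record-layer version, ignored
	h := &cursor{b: c.take(c.num(2))}
	if c.err != nil || h.num(1) != 0x01 {
		return "", errors.New("truncated record or not a ClientHello")
	}
	hs := &cursor{b: h.take(h.num(3))}
	hs.num(2)          // client_version
	hs.take(32)        // random
	hs.take(hs.num(1)) // legacy_session_id
	hs.take(hs.num(2)) // cipher_suites
	hs.take(hs.num(1)) // compression_methods
	exts := &cursor{b: hs.take(hs.num(2))}
	if hs.err != nil {
		return "", hs.err
	}
	for exts.err == nil && exts.pos < len(exts.b) {
		typ := exts.num(2)
		data := &cursor{b: exts.take(exts.num(2))}
		if typ != 0x0000 { // not server_name; skip
			continue
		}
		list := &cursor{b: data.take(data.num(2))}
		for list.err == nil && list.pos < len(list.b) {
			nameType := list.num(1)
			name := list.take(list.num(2))
			if list.err == nil && nameType == 0 { // host_name
				return string(name), nil
			}
		}
		if data.err != nil || list.err != nil {
			return "", errors.New("malformed server_name extension")
		}
	}
	if exts.err != nil {
		return "", exts.err
	}
	return "", errors.New("no server_name extension (hostname hidden, e.g. ECH)")
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello assembles a minimal ClientHello record as constructed sample input:
// zeroed random, no session id, two cipher suites, null compression, and
// supported_versions placed before server_name so the parser must skip an extension.
func buildClientHello(host string) []byte {
	name := []byte(host)
	join := func(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
	sni := join(be16(0x0000), be16(len(name)+5), be16(len(name)+3), []byte{0x00}, be16(len(name)), name)
	exts := join([]byte{0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04}, sni)
	body := join([]byte{0x03, 0x03}, make([]byte, 32), []byte{0x00},
		[]byte{0x00, 0x04, 0x13, 0x01, 0x13, 0x02, 0x01, 0x00}, be16(len(exts)), exts)
	hs := join([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body)
	return join([]byte{0x16, 0x03, 0x01}, be16(len(hs)), hs)
}

func main() {
	host, err := extractSNI(buildClientHello("login.phish.example"))
	fmt.Println(host, err) // login.phish.example <nil>
}
```

The practical consequence for A.8.23: a proxy or firewall that cannot decrypt can still apply the DNS-layer and category decisions to HTTPS by reading the SNI, but a malicious script or a file upload inside the encrypted session is invisible to it. Every length field is bounds-checked because this parser sits on untrusted input; a truncated or non-TLS record yields an error rather than a crash.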

For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.

Cryptography under A.8.24 encompasses several core functions that collectively uphold data security. Encryption shields confidentiality by transforming readable data into ciphertext, whether protecting files stored on a disk or information traversing a network. Hashing supports data integrity by producing a fixed-length digest that changes if even a single bit of the input changes, revealing alteration provided the reference digest is itself protected from tampering, for example by being signed or stored separately. Digital signatures verify authenticity, confirming the identity of senders and preserving non-repudiation in contracts, transactions, and audit trails. Each of these mechanisms depends on the secure management of cryptographic keys, the digital equivalents of physical locks and keys, without which encryption becomes meaningless. ISO emphasizes that cryptography is both a technical and managerial process: it demands precision in configuration and discipline in oversight.

Because cryptography’s strength depends on its keys, key management stands as a cornerstone of A.8.24 compliance. Organizations must establish centralized systems for key generation, storage, and rotation, ideally within dedicated hardware security modules (HSMs) or secure key vaults. Rotation schedules ensure that keys do not persist beyond safe lifetimes: new data is protected under the new key, while the superseded key is kept in a decrypt-only or verify-only state until everything it protects has been re-encrypted or has expired. Detailed logging captures every key creation, use, and retirement event. Sensitive or root keys require split knowledge and dual control, meaning no single administrator can generate or activate them alone. When keys are decommissioned, their destruction must be deliberate and documented, preventing future misuse or accidental recovery. These practices protect against both insider threats and technical vulnerabilities, transforming cryptographic trust into verifiable control.
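The three functions from the overview two paragraphs up (encryption, hashing, signatures) and the rotation, logging and destruction rules in this paragraph, as one added Go example using only the standard library; it is illustrative code written for this page, not from the episode or any HSM vendor. The Keyring type is a hypothetical in-memory stand-in for an HSM or key vault, the key identifiers 2025-Q1 and 2025-Q2 and the sample records are constructed, the 12-byte nonce length is the GCM default, and split knowledge and dual control are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring is a toy stand-in for an HSM or key vault: keys by identifier, one
// current key for new encryptions, and a lifecycle log for the auditor.
type Keyring struct {
	Current string
	Keys    map[string][]byte
	Log     []string
}

func NewKeyring() *Keyring { return &Keyring{Keys: map[string][]byte{}} }

// Rotate makes a fresh AES-256 key (from crypto/rand, never math/rand) current; earlier keys stay for decryption only.
func (k *Keyring) Rotate(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.Keys[id], k.Current = key, id
	k.Log = append(k.Log, "generated "+id+", now current")
	return nil
}

// Retire zeroises and removes a key; blobs sealed under it become unrecoverable by design.
func (k *Keyring) Retire(id string) {
	for i := range k.Keys[id] {
		k.Keys[id][i] = 0
	}
	delete(k.Keys, id)
	k.Log = append(k.Log, "destroyed "+id)
}

// aead returns AES-256-GCM for a key id, failing if the key was never generated or is retired.
func (k *Keyring) aead(id string) (cipher.AEAD, error) {
	key, ok := k.Keys[id]
	if !ok {
		return nil, errors.New("key " + id + " not available")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under the current key and emits len(id) || id || nonce || ciphertext+tag. The id is
// bound as associated data so a blob cannot be relabelled; GCM is an AEAD, so there is no padding to get wrong.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	aead, err := k.aead(k.Current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	id := []byte(k.Current)
	out := append(append([]byte{byte(len(id))}, id...), nonce...)
	return aead.Seal(out, nonce, plaintext, id), nil
}

// Open finds the key named in the blob and authenticates before decrypting; it fails closed.
func (k *Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0])+12 {
		return nil, errors.New("malformed blob")
	}
	id := blob[1 : 1+int(blob[0])]
	aead, err := k.aead(string(id))
	if err != nil {
		return nil, err
	}
	nonce := blob[1+len(id) : 1+len(id)+12]
	return aead.Open(nil, nonce, blob[1+len(id)+12:], id)
}

func main() {
	kr := NewKeyring()
	_ = kr.Rotate("2025-Q1")
	blob, _ := kr.Seal([]byte("patient record 42"))
	_ = kr.Rotate("2025-Q2") // new data uses 2025-Q2; 2025-Q1 still opens old blobs
	pt, err := kr.Open(blob)
	fmt.Println(string(pt), err, kr.Log)
	msg := []byte("approve transfer 1000")
	// Integrity: the digest changes with any input bit, but only proves something
	// if it is kept where an attacker cannot rewrite it along with the data.
	fmt.Printf("sha256=%x\n", sha256.Sum256(msg))
	// Non-repudiation needs an asymmetric signature: only the private key holder
	// could have produced it, unlike a shared-secret MAC.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, msg)
	fmt.Println(ed25519.Verify(pub, msg, sig), ed25519.Verify(pub, []byte("approve transfer 9000"), sig))
}
```

The design choices mirror the control's intent: keys come only from the operating system's CSPRNG, the key identifier rides with the ciphertext so rotation never strands data, an authenticated cipher means a flipped bit in the ciphertext or tag is rejected rather than silently decrypted, and retiring a key is a deliberate, logged event after which the blobs it protected are unrecoverable. The ed25519 calls show why a signature, not a shared-secret MAC, is what gives non-repudiation: verification succeeds only for the exact message the private-key holder signed.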

The risks associated with poor cryptographic practice are both subtle and devastating. Reliance on outdated algorithms — such as deprecated hashing functions or weak cipher suites — can expose systems to trivial cracking attacks. Poor implementation, like incorrect padding or insecure random number generation, can render strong encryption ineffective. Unmanaged keys or orphaned certificates may allow unauthorized decryption or impersonation of trusted services. In some jurisdictions, misuse of encryption can even lead to legal penalties if it violates export controls or national restrictions on key length. These risks reinforce ISO’s central message: cryptography must be applied intelligently, updated regularly, and monitored continuously, or it becomes a false promise of protection.

Auditors reviewing A.8.24 compliance expect a structured approach supported by documentation and evidence. A formal cryptography policy should define approved algorithms, key lengths, and use cases, referencing global standards like NIST or ENISA guidance. An inventory of all cryptographic keys, certificates, and algorithms must be maintained, along with metadata describing owners, lifespans, and dependencies. Logs capturing key lifecycle events — generation, use, rotation, and destruction — provide verifiable proof of governance. Records of compliance with regional regulations, such as GDPR requirements for encryption of personal data, demonstrate legal alignment. This collection of materials shows that cryptography is not an ad-hoc safeguard but a managed service woven into organizational governance.

Industries deploy cryptography in ways tailored to their operational realities. E-commerce platforms depend on TLS encryption to secure customer payment information, ensuring both privacy and trust at checkout. Healthcare organizations use encryption to protect electronic medical records, meeting HIPAA’s strict confidentiality mandates. Financial institutions rely on hardware security modules to secure ATM communications, PIN processing, and transaction validation. Defense and aerospace agencies employ classified-level encryption schemes to protect mission data and communication channels. Each example reflects the same universal truth: when handled responsibly, cryptography underwrites trust — trust between systems, between organizations, and between people.

The interplay between web filtering and cryptography defines a balanced model of defense at both the perimeter and the core. Web filtering prevents access to malicious or unauthorized destinations, blocking known vectors of compromise. Cryptography, meanwhile, secures communications that must proceed — ensuring that essential data remains private even as it traverses potentially hostile networks. Both require constant maintenance and adaptation: filtering lists and inspection engines must stay updated with threat intelligence, while cryptographic algorithms and key management practices must evolve to counter new computational capabilities. In audits, these controls are often reviewed together because they reflect two sides of the same principle — restricting what can reach the organization while protecting what must leave it.

Together, Annexes A.8.23 and A.8.24 create a holistic protective envelope around digital operations. Filtering enforces boundaries by defining what is safe to access, reducing exposure to threats and distractions. Cryptography ensures that sensitive data, once authorized for use or transmission, remains shielded from interception or tampering. These controls work in tandem to defend the organization at multiple layers — one focused on prevention, the other on preservation. ISO’s inclusion of both underscores a foundational reality of cybersecurity: safety depends not just on what we block but also on how we protect what must flow. In unison, these two controls uphold the confidentiality, integrity, and availability of information in motion, at rest, and at the boundary where the digital and human worlds meet.
