
Control 8.7: Protection Against Malware


Summary

Protection against malware should be implemented and supported by appropriate user awareness. This involves a multi-layered technical defense to detect, prevent, and recover from malicious software across all organizational assets.


Applicability

In-Scope: Mandatory for all organizations. Malware remains one of the most significant threats to data integrity and availability, making this a core technical requirement.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Endpoint Defense: Deploy Microsoft Defender for Endpoint to all managed devices, enforcing real-time protection, behavior monitoring, and cloud-delivered protection.

  • Email Security: Utilize Microsoft Defender for Office 365 to scan all incoming attachments and links (Safe Attachments/Safe Links) for malicious content before they reach the user.

  • Server Protection: Enable Microsoft Defender for Cloud to protect Azure-hosted servers and workloads from sophisticated malware and ransomware attacks.


Evidence Checklist

  • Malware Protection Policy: Rules for the installation, update, and management of anti-malware software.

  • Protection Status Reports: Logs from the Microsoft Defender portal showing that 100% of managed devices have active and up-to-date protection.

  • Incident History: Evidence of how the organization identified and remediated a recent malware detection.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that users cannot bypass or disable the anti-malware software on their company-issued devices?

  • What is the frequency of signature and engine updates for your malware protection systems?

  • Can you demonstrate the process for isolating a device from the network automatically once malware is detected?

  • How are unmanaged files, such as those in personal cloud storage, prevented from introducing malware into the corporate environment?
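The following script is an added example, not code from the page or from Microsoft: it turns the Implementation Guidance settings (real-time protection, behavior monitoring, cloud-delivered protection) and the audit questions above (tamper protection, signature freshness) into a per-device check whose output can serve as a Protection Status Report. It assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) is present on a managed Windows device; the 3-day maximum signature age is a constructed threshold to be replaced by the organization's policy value.

```powershell
# Added example: local Defender health check for one managed Windows device.
# Assumes the Defender module is available; $MaxSignatureAgeDays is a constructed
# threshold and should match the organization's malware protection policy.
param([int]$MaxSignatureAgeDays = 3)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each check maps to a requirement named in the implementation guidance or
# to one of the auditor's questions (bypass/disable, update frequency).
$checks = [ordered]@{
    'AV engine running'             = $status.AMServiceEnabled -and $status.AntivirusEnabled
    'Real-time protection on'       = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
    'Behavior monitoring on'        = $status.BehaviorMonitorEnabled -and -not $pref.DisableBehaviorMonitoring
    'Cloud-delivered protection on' = [int]$pref.MAPSReporting -ne 0   # 0 = disabled, 1 = basic, 2 = advanced
    'Tamper protection on'          = $status.IsTamperProtected        # users/local admins cannot disable AV
    'Signatures up to date'         = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays -le $MaxSignatureAgeDays
}

# One row per check, so the CSV can be aggregated across devices into the
# "100% of managed devices protected" evidence the checklist asks for.
$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{
        Device  = $env:COMPUTERNAME
        Check   = $name
        Pass    = [bool]$checks[$name]
        Checked = (Get-Date).ToString('o')
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'defender-status.csv')

# A non-zero exit code lets the collecting system (for example an Intune
# remediation script) flag the device as non-compliant for follow-up.
if ($results.Pass -contains $false) { exit 1 }
```

Run it under a management channel that reaches every managed device; a device that never reports, or that reports a failing check, is the gap an auditor will look for first.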