As digital threats continue to evolve, controlling how users access the internet and protecting data through encryption are essential elements of any modern information security management system (ISMS). These are addressed through two key controls in ISO 27001:2022: A.8.23 Web Filtering and A.8.24 Use of Cryptography.

In this post, we explore these controls and provide practical tips on how your organisation can implement them effectively to strengthen your security posture and support ISO 27001 compliance.

A.8.23 Web Filtering

The aim of this new control is to protect systems from being compromised by malware and to prevent access to unauthorized web resources.

Web filtering is the term used for blocking access to the IP addresses or domains of suspicious websites. This can be done by limiting access to websites which contain illegal content or are known to host malware or phishing material. Some internet browsers and anti-malware technologies do this automatically or can be configured to do so.

You should determine whether staff should have access to the internet and what types of websites they have access to. For example, some companies have whitelists of websites their staff are able to access; others will blacklist sites, or blacklist sites hosted in countries where malware is known to be hosted. One thing to consider is whether to restrict access to search engines such as Google, which can limit the ability of staff to find help troubleshooting business problems they encounter, where answers may already be posted.

As part of this, you should have a policy outlining your rules for safe and appropriate use of online resources, including restrictions on inappropriate websites and web-based applications. Staff should also be trained on these rules, and on web use, with a process for how they can request access to restricted sites based on legitimate work reasons. 
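The allowlist and blocklist approaches described above, together with the exception process for legitimately requested sites, can be expressed as a small policy engine. The following is an added example, not code from the original post or from DQS; the domains, roles and blocked top-level domains are constructed sample values, and a real deployment would take its rules from the web filtering policy and its block data from a maintained threat feed.

```python
"""Added example (not from the original post): a minimal policy-driven web filter.

It models the controls discussed above: a per-role allowlist for locked-down
roles, a blocklist of domains known to host malware or phishing, a set of
top-level domains blocked by default, an exception list populated through the
access-request process, and an audit record for every denied request.
All domains and rules below are constructed sample data, not real threat intel.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample policy (placeholders, not real domains or TLDs).
POLICY = {
    "blocklist": {"malware-host.example", "phish-login.example"},
    "blocked_tlds": {"zz", "yy"},
    "allowlist_roles": {
        # A kiosk role that may only reach a short list of sites.
        "kiosk": {"intranet.example", "support.example"},
    },
    # Sites granted to a role via the documented exception process.
    "exceptions": {"kiosk": {"vendor-docs.example"}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class WebFilter:
    policy: dict
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _hostname(url: str) -> str:
        # Normalise: add a scheme if missing so urlsplit finds the host,
        # lower-case it and strip any trailing dot.
        if "://" not in url:
            url = "http://" + url
        host = urlsplit(url).hostname or ""
        return host.rstrip(".").lower()

    @staticmethod
    def _matches(host: str, domains: set) -> bool:
        # A rule for example.com also covers www.example.com.
        return any(host == d or host.endswith("." + d) for d in domains)

    def check(self, user: str, role: str, url: str) -> Decision:
        host = self._hostname(url)
        if not host:
            decision = Decision(False, "unparseable URL")
        elif self._matches(host, self.policy["blocklist"]):
            # The blocklist wins even over allowlist entries and exceptions.
            decision = Decision(False, "blocklisted domain")
        elif host.rsplit(".", 1)[-1] in self.policy["blocked_tlds"]:
            decision = Decision(False, "blocked top-level domain")
        elif role in self.policy["allowlist_roles"]:
            permitted = (self.policy["allowlist_roles"][role]
                         | self.policy["exceptions"].get(role, set()))
            if self._matches(host, permitted):
                decision = Decision(True, "allowlisted for role")
            else:
                decision = Decision(False, "not on role allowlist")
        else:
            decision = Decision(True, "default allow")
        if not decision.allowed:
            # Denied requests are recorded so the security team can review
            # them and handle access requests with a legitimate work reason.
            self.audit_log.append({"user": user, "role": role,
                                   "host": host, "reason": decision.reason})
        return decision


if __name__ == "__main__":
    f = WebFilter(POLICY)
    for user, role, url in [("alice", "staff", "https://news.example"),
                            ("bob", "kiosk", "https://news.example"),
                            ("bob", "kiosk", "vendor-docs.example/guide")]:
        print(user, role, url, "->", f.check(user, role, url))
    print("denied:", f.audit_log)
```

The ordering of the checks is the point: the blocklist and blocked TLDs apply to everyone, an allowlist role only gets through on a listed or excepted domain, and everyone else is allowed by default. Subdomain matching prevents a trivial bypass of a rule written against the parent domain.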

A.8.24 Use of cryptography

Cryptography is a critical enabler of secure digital business. It supports secure communications, protects data at rest and in transit, and helps organisations comply with legal, regulatory, and contractual requirements. Control A.8.24 of ISO 27001 requires organisations to implement cryptographic controls appropriately, while also recognising that cryptography is complex, and that misconfigurations or poor key management can create vulnerabilities.

The implementation of this control can be separated into two activities.

Policy 

Firstly, you need to develop and implement a policy on the use of cryptographic controls.

This is often implemented by having a policy that outlines how you will use cryptographic controls. Industry recognised algorithms and protocols which have been proven to be resilient to attack and strong enough to protect your assets should be used.

The policy should also outline when you will use cryptography, linking back to your data classifications and considering any regulatory or other requirements. You should consider and detail requirements for the two key states of your data: in transit and at rest.

Cryptographic Lifecycle

Secondly, you need to develop and implement a policy on the use, protection and lifetime of cryptographic elements throughout their whole lifecycle.

This can be implemented by creating a policy on how you will use keys for managing encryption and decryption. To start with, this should consider using a centralised key management system to store and manage keys, and restricting access to keys, through role-based access control, to only those who require it.

The rotation and revocation processes to manage key lifecycle should be automated where possible, with access logging and MFA enforced where human access is required. Ensure that key storage mechanisms in any cloud storage are well understood and best practices as recommended by the provider are utilised.

Of course, ensure that systems using encryption are maintained through patching, and that your encryption processes are tested. Cryptographic systems utilised should be included in logging and alerting, with access attempts, key creation and usage, and certificate expirations monitored.
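The lifecycle requirements in the three paragraphs above (a central store, role-based access, automated rotation and revocation, access logging, and monitoring of upcoming expirations) can be shown in one small key manager. The following is an added example, not code from the original post or from DQS: HMAC-SHA256 from the Python standard library stands in for whatever algorithms your policy approves, and the roles, key names, lifetimes and dates are constructed sample values.

```python
"""Added example (not from the original post): a small key-lifecycle manager.

Keys live in one store, every access is authorised by role and written to an
audit log (denied attempts included), rotation creates a new version while the
previous one remains available to verify existing data, revocation makes a
version unusable, and expiring_within() returns what an alerting job should
report. HMAC-SHA256 stands in for the organisation's approved algorithms.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class KeyVersion:
    material: bytes
    created: datetime
    expires: datetime
    revoked: bool = False


class AccessDenied(Exception):
    pass


@dataclass
class KeyStore:
    # key_name -> {"use": {roles...}, "admin": {roles...}}
    permissions: dict
    lifetime: timedelta = timedelta(days=90)
    keys: dict = field(default_factory=dict)    # key_name -> [KeyVersion, ...]
    audit: list = field(default_factory=list)

    def _authorise(self, user, role, key_name, action):
        allowed = role in self.permissions.get(key_name, {}).get(action, set())
        # Log before deciding, so denied attempts are visible to monitoring.
        self.audit.append({"user": user, "role": role, "key": key_name,
                           "action": action, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{role} may not {action} {key_name}")

    def rotate(self, user, role, key_name, now):
        """Create a new key version; older versions stay for verification."""
        self._authorise(user, role, key_name, "admin")
        version = KeyVersion(secrets.token_bytes(32), now, now + self.lifetime)
        self.keys.setdefault(key_name, []).append(version)
        return len(self.keys[key_name]) - 1

    def revoke(self, user, role, key_name, version):
        self._authorise(user, role, key_name, "admin")
        self.keys[key_name][version].revoked = True

    def sign(self, user, role, key_name, data, now):
        """Sign with the newest version only; refuse revoked or expired keys."""
        self._authorise(user, role, key_name, "use")
        version = len(self.keys[key_name]) - 1
        kv = self.keys[key_name][version]
        if kv.revoked or now >= kv.expires:
            raise ValueError("current key version is unusable; rotate first")
        return version, hmac.new(kv.material, data, hashlib.sha256).digest()

    def verify(self, user, role, key_name, data, version, tag):
        """Verify against the named version; expired (not revoked) still verifies."""
        self._authorise(user, role, key_name, "use")
        kv = self.keys[key_name][version]
        if kv.revoked:
            return False
        expected = hmac.new(kv.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def expiring_within(self, now, window):
        """Versions an alerting job should report: unrevoked and expiring soon."""
        return [(name, i) for name, versions in self.keys.items()
                for i, kv in enumerate(versions)
                if not kv.revoked and kv.expires <= now + window]


# Constructed sample permissions: a service may use the key, only key admins rotate it.
PERMS = {"api-signing": {"use": {"service"}, "admin": {"key-admin"}}}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    ks = KeyStore(PERMS)
    ks.rotate("carol", "key-admin", "api-signing", now)
    ver, tag = ks.sign("svc", "service", "api-signing", b"payload", now)
    print("verified:", ks.verify("svc", "service", "api-signing", b"payload", ver, tag))
    print("expiring in 100 days:", ks.expiring_within(now, timedelta(days=100)))
    print("audit:", ks.audit)
```

The split between "use" and "admin" roles is what least privilege looks like here: the service that signs traffic cannot rotate or revoke its own key, and the administrator who can does not need to be able to sign. Keeping old versions readable but not signable is what lets rotation be automated without breaking data protected under the previous key.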

Summary

Managing the use of encryption to meet this control isn't about applying encryption everywhere; it's about applying it wisely. A clear policy, strong key management, adherence to best practices, and periodic reviews will ensure cryptography becomes a strength rather than a liability in your information security management system.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
