How do you implement A.8.23 in Microsoft 365?

A.8.23 Web Filtering can be implemented in Microsoft 365 using Microsoft Entra admin center > Global Secure Access > Secure > Web content filtering; Microsoft Defender for Cloud Apps > Policies. Contact Global Micro Solutions for a detailed implementation guide.

What does an auditor check for A.8.23?

Auditors verify that A.8.23 Web Filtering is properly implemented by reviewing evidence from your M365 tenant, checking configuration against ISO 27001 requirements, and validating compliance documentation.

ISO 27001 A.8.23: Web Filtering — M365 Implementation Guide | Global Micro Solutions

What is this control?

ISO 27001 control A.8.23 Web Filtering protects organisational systems from compromise by web-based malware and prevents user access to unauthorised or malicious web resources. The control implements multi-layer defence-in-depth enforced consistently across all user access methods and locations using endpoint filtering via Microsoft Defender for Endpoint, cloud edge filtering via Microsoft Entra Global Secure Access, and branch edge filtering via FortiGate.

How to implement in Microsoft 365

Implement A.8.23 by enabling Microsoft Defender for Endpoint Web Content Filtering on all Windows and macOS endpoints. Configure MDE WCF to block high-risk and legal liability categories including child abuse, criminal activity, hacking, malware, phishing, and adult content. Enforce SmartScreen filtering on Microsoft Edge browsers.

Deploy Network Protection via Intune to filter traffic for Chrome, Firefox, and other non-Edge browsers. Enable Microsoft Entra Global Secure Access Internet Traffic Profile for cloud edge filtering. Deploy FortiGate firewalls with FortiGuard threat intelligence at branch network edges with SSL inspection enabled.

What an auditor looks for

Auditors will verify GSA Internet Traffic Profile is enabled for traffic forwarding through Secure Web Gateway. They will check GSA security profiles are enabled with web content filtering policies linked and actively blocking. Auditors will verify MDE Web Content Filtering is operational with blocking activity recorded in Advanced Hunting.

They will check list of active MDE WCF devices showing deployment coverage and recent block timestamps. Auditors will verify FortiGate firewall configuration shows web filter profiles with FortiGuard categories configured.

M365 capabilities that implement this control

Microsoft Defender for Office 365 Safe Links URL protection

Microsoft Entra Global Secure Access for internet traffic, web filtering, and Private Access tunnels