A.8.7 Protection Against Malware
What is this control?
ISO 27001:2022 Annex A control A.8.7, Protection Against Malware, requires that protection against malware be implemented and supported by appropriate user awareness. This page implements it as a layered, defence-in-depth malware protection architecture across email, endpoints, servers, and cloud workloads. Layer 1 uses Microsoft Defender for Office 365 with Safe Attachments, Safe Links, and Anti-Phishing to stop malicious attachments and links before delivery and at time of click. Layer 2 deploys Microsoft Defender for Endpoint on user devices with Attack Surface Reduction (ASR) rules, and Defender for Servers on Azure and Azure Arc-enabled infrastructure.
Layer 3 enforces device compliance via Conditional Access, so that a device that is not running current protection cannot reach company data. Layer 4 covers the user-awareness half of the control with monthly security training and phishing simulations.
How to implement in Microsoft 365
Implement A.8.7 by deploying Microsoft Defender for Office 365 with the Safe Attachments action set to Dynamic Delivery (the message body is delivered immediately while attachments are detonated in a sandbox and reattached only if clean), Safe Links with URL rewriting and time-of-click scanning enabled, and Anti-Phishing with user and domain impersonation protection. Deploy Microsoft Defender for Endpoint and onboard all Windows, macOS, and Linux user devices via Intune. Configure Attack Surface Reduction rules to block Win32 API calls from Office macros, execution of potentially obfuscated scripts, and Office applications creating child processes; the Office setting that blocks macros in files downloaded from the internet is a separate Office policy, not an ASR rule, and should be deployed alongside them through Intune.
Deploy Defender for Servers on all Azure VMs and Arc-enabled servers. Configure Intune device compliance policies that require current antivirus signatures and an enabled firewall, and tie them to Conditional Access. Enable automated investigation and remediation, including automatic device isolation, where the tenant is licensed for it (Microsoft 365 E5 or Defender for Endpoint Plan 2).
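The Layer 1 and Layer 2 settings above, expressed as an added PowerShell example (not configuration from the original page or from Microsoft). The Exchange Online part assumes the ExchangeOnlineManagement module and a Security Administrator sign-in; the policy names, the tenant domain contoso.com, the protected executive mailbox and the partner domain are placeholders. The ASR part runs locally on one Windows pilot device to confirm the rule IDs behave as expected before the Intune Endpoint Security profile pushes the same rules fleet-wide.

```powershell
# --- Layer 1: Microsoft Defender for Office 365 (Exchange Online PowerShell) ---
Connect-ExchangeOnline   # interactive sign-in; requires ExchangeOnlineManagement

$domain = 'contoso.com'  # assumed tenant domain, replace with the real accepted domain

# Safe Attachments: Dynamic Delivery delivers the message body at once, detonates
# attachments in a sandbox, and reattaches them only if they are clean.
New-SafeAttachmentPolicy -Name 'A.8.7 Safe Attachments' `
    -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name 'A.8.7 Safe Attachments' `
    -SafeAttachmentPolicy 'A.8.7 Safe Attachments' -RecipientDomainIs $domain

# Safe Links: rewrite URLs and rescan them at time of click in mail, Teams and Office;
# do not let users click through a block page.
New-SafeLinksPolicy -Name 'A.8.7 Safe Links' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'A.8.7 Safe Links' `
    -SafeLinksPolicy 'A.8.7 Safe Links' -RecipientDomainIs $domain

# Anti-Phishing: impersonation protection for named users, the organisation's own
# domains and selected partner domains, plus mailbox intelligence.
New-AntiPhishPolicy -Name 'A.8.7 Anti-Phishing' -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Chief Executive;ceo@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @('partner.example') `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -PhishThresholdLevel 2   # 2 = "Aggressive"
New-AntiPhishRule -Name 'A.8.7 Anti-Phishing' `
    -AntiPhishPolicy 'A.8.7 Anti-Phishing' -RecipientDomainIs $domain

# Evidence for the auditor: every policy enabled and scoped by a rule.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
Get-AntiPhishPolicy      | Select-Object Name, Enabled, EnableTargetedUserProtection, PhishThresholdLevel

# --- Layer 2: ASR rules on a Windows pilot device (run elevated, Defender AV active) ---
# Rule IDs are Microsoft's published ASR rule GUIDs for the three rules named above.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    # Start in AuditMode on the pilot, switch to Enabled once the audit events are reviewed.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Audit-mode events land in the Microsoft-Windows-Windows Defender/Operational log (event ID 1122); once a week of pilot data shows no business breakage, flip the action to Enabled and deploy the same rule set through the Intune Attack Surface Reduction profile rather than by script, so that drift is reported as non-compliance.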
What an auditor looks for
Auditors will verify that Microsoft Defender for Office 365 policies are enabled, including Safe Links, Safe Attachments, and Anti-Phishing, and that each policy is scoped by a rule that covers all accepted domains. They will check that Microsoft Defender for Endpoint is onboarded on at least 95% of managed devices, with active sensors reporting, and that at least 95% of devices have antivirus signatures updated within the last 7 days.
They will check that Endpoint Security profiles are deployed for Antivirus, Firewall, ASR, and EDR. Auditors will verify that the device compliance Conditional Access policy is active (not report-only) and that Intune compliance policies require disk encryption, current antivirus signatures, and an enabled firewall.
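A way to produce the two numeric figures the auditor asks for, as an added PowerShell example that is not part of the original page: it evaluates the 95% onboarding and 95%-within-7-days signature thresholds over a device inventory and, going one step beyond the audit question, lists the devices that drag each figure down so they can be remediated. The inventory below is constructed sample data shaped like a device-inventory export; the property names (Managed, SensorHealth, SignatureUpdated) are assumptions and must be mapped to whatever columns the real export uses.

```powershell
function Test-MalwareProtectionCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [double]   $MinimumPercent      = 95,
        [int]      $MaxSignatureAgeDays = 7,
        [datetime] $AsOf                = (Get-Date)
    )
    # Only managed devices count toward the denominator; BYOD and retired records are excluded.
    $managed   = @($Devices | Where-Object { $_.Managed })
    $onboarded = @($managed | Where-Object { $_.SensorHealth -eq 'Active' })
    $current   = @($managed | Where-Object {
        $_.SignatureUpdated -and (($AsOf - $_.SignatureUpdated).TotalDays -le $MaxSignatureAgeDays)
    })

    $pct = { param($n) if ($managed.Count) { [math]::Round(100 * $n / $managed.Count, 1) } else { 0 } }
    $onboardPct = & $pct $onboarded.Count
    $sigPct     = & $pct $current.Count

    # Compare by name rather than by object identity, which is unreliable for PSCustomObjects.
    $onboardedNames = @($onboarded.DeviceName)
    $currentNames   = @($current.DeviceName)

    [pscustomobject]@{
        ManagedDevices      = $managed.Count
        OnboardedPercent    = $onboardPct
        OnboardingPasses    = ($onboardPct -ge $MinimumPercent)
        SignatureCurrentPct = $sigPct
        SignaturePasses     = ($sigPct -ge $MinimumPercent)
        NotOnboarded        = @($managed | Where-Object { $_.DeviceName -notin $onboardedNames }).DeviceName
        StaleSignatures     = @($managed | Where-Object { $_.DeviceName -notin $currentNames }).DeviceName
    }
}

# Constructed sample inventory (not real devices). Fixed "as of" date keeps the run reproducible.
$asOf = Get-Date '2024-06-30'
$inventory = @(
    [pscustomobject]@{ DeviceName = 'LT-001'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-29' }
    [pscustomobject]@{ DeviceName = 'LT-002'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-28' }
    [pscustomobject]@{ DeviceName = 'LT-003'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-30' }
    [pscustomobject]@{ DeviceName = 'LT-004'; Managed = $true;  SensorHealth = 'Inactive'; SignatureUpdated = Get-Date '2024-06-10' }  # sensor silent, signatures stale
    [pscustomobject]@{ DeviceName = 'LT-005'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-27' }
    [pscustomobject]@{ DeviceName = 'MAC-01'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-29' }
    [pscustomobject]@{ DeviceName = 'SRV-01'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = $null }                   # no signature data reported
    [pscustomobject]@{ DeviceName = 'SRV-02'; Managed = $true;  SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-30' }
    [pscustomobject]@{ DeviceName = 'BYOD-1'; Managed = $false; SensorHealth = 'Active';   SignatureUpdated = Get-Date '2024-06-30' }   # excluded: not managed
)

Test-MalwareProtectionCoverage -Devices $inventory -AsOf $asOf | Format-List
```

On this sample, 8 managed devices give 87.5% onboarded (LT-004 inactive) and 75% with current signatures (LT-004 stale, SRV-01 reporting none), so both thresholds fail and the two name lists are the remediation queue. Treat a missing SignatureUpdated value as a failure, as the function does, rather than skipping the device: a device that cannot report its signature state is exactly the one an auditor will ask about.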
M365 capabilities that implement this control
Microsoft Defender for Office 365 Safe Links URL protection
Microsoft Defender for Office 365 Safe Attachments malware protection; Intune Endpoint Security profiles (Antivirus, including signature currency) and Intune device compliance policies enforced through Conditional Access
Defender for Endpoint ASR rules aligned to CIS L1
Microsoft Defender for Endpoint EDR on Windows devices
Microsoft Defender for Endpoint on macOS devices
Microsoft Defender Application Guard for Office documents (deprecated by Microsoft and no longer updated; Protected View and the ASR rules above remain the supported isolation path for untrusted Office files)