Control Definition
Organizations must control which external websites their users can reach, so exposure to malicious web content—phishing pages, malware downloads, and similar web-borne threats—is reduced.
Control Objective
To protect the organization from web-based threats by controlling and filtering employee access to external websites, blocking malicious sites, preventing access to inappropriate content, and reducing the attack surface for phishing, malware, and data leakage.
What This Really Means
Web filtering means using technical controls to block or restrict employee access to certain websites based on security and business policies. This includes blocking known malicious sites that host malware or phishing pages, restricting access to non-work-related categories (social media, gaming, streaming) during business hours, and preventing downloads of dangerous file types.
Think of web filtering like a security checkpoint for internet traffic: just as security guards check IDs and bags before allowing entry to a building, web filters inspect every URL employees try to access, compare it against threat intelligence feeds and policy rules, and either allow the connection, block it, or require approval. Filters also scan downloaded files for malware before they reach user computers.
This control requires you to deploy web filtering technology (secure web gateway, DNS filtering, or proxy server), subscribe to threat intelligence feeds identifying malicious domains, define acceptable use policies for web access, configure category-based blocking aligned with business needs, log web access for security monitoring, and regularly review and tune filtering rules. The goal is preventing web-based attacks and policy violations while maintaining productivity.
Why It Matters
Web browsers are among the most common attack vectors—employees clicking malicious links in emails, visiting compromised websites that exploit browser vulnerabilities, or accidentally downloading malware. Web filtering is essential defense-in-depth.
Without web filtering, organizations face:
- Phishing and Credential Theft – Employees clicking email links land on fake login pages that steal usernames and passwords; web filters block access to known phishing sites before credentials can be entered
- Malware and Ransomware Infections – Drive-by downloads from compromised websites, malicious browser extensions, and trojanized software installers infect corporate networks; filters block malware-hosting domains
- Data Leakage Through Web Uploads – Employees upload confidential documents to personal cloud storage or file sharing sites, or paste them into web-based AI tools; filters can block or require approval for such sites
- Productivity Loss from Non-Work Browsing – Time spent on social media, shopping, and streaming video during work hours reduces productivity; category-based filtering enforces acceptable use
- Bandwidth Consumption – Streaming video and large downloads consume network bandwidth and affect business-critical applications; filtering controls bandwidth usage
Indian organizations face additional threats: localized phishing campaigns in Hindi/regional languages, fake government websites mimicking EPFO/Aadhaar portals, and malicious sites targeting Indian banking customers. Web filtering with India-specific threat intelligence is crucial.
Implementation Guidance
Deploy Web Filtering Technology
Choose and implement a web filtering solution:
- Secure Web Gateway (SWG): cloud-based or on-premise appliance (Zscaler, Cisco Umbrella, Symantec WSS) providing URL filtering, malware scanning, and DLP
- DNS filtering: blocks malicious domains at the DNS level, before a connection is established (Cloudflare Gateway, Quad9, OpenDNS)
- Proxy server: intercepts HTTP/HTTPS traffic for inspection (Squid, Blue Coat)
- Endpoint protection: browser-based filtering on each device (built into some antivirus solutions)
For remote workers, ensure filtering applies regardless of location (cloud-based SWG or always-on VPN forcing traffic through corporate filters).
Subscribe to Threat Intelligence Feeds
Enable real-time protection against emerging threats: subscribe to URL reputation services (Google Safe Browsing, Microsoft SmartScreen, PhishTank) that maintain databases of millions of known malicious domains, integrate threat intelligence feeds providing indicators of compromise (malware C2 domains, phishing sites, exploit kit URLs), and enable automatic updates (new threats emerge hourly; filters must update continuously). Most commercial web filtering solutions include built-in threat intelligence; for open-source solutions, integrate feeds manually via APIs or DNS blocklists.
Define and Configure Website Category Blocking Policies
Categorize websites and define an access policy for each category:
- Block always: malware/phishing sites, illegal content, known malicious domains
- Block during business hours: social media, streaming video, gaming, shopping; allow outside work hours if desired
- Warn but allow: uncategorized sites and sites with mixed reputation; display a warning page requiring user confirmation
- Allow with logging: work-related sites; permit access but log it for security monitoring
Configure granular policies by user group: executives/marketing may need social media access, developers need GitHub/Stack Overflow, finance needs banking sites. Start restrictive and relax based on legitimate business requests.
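A small policy evaluator for the four categories above, written as an added example (not code from the original page or any filtering vendor). The category names, business hours and group exemptions are constructed assumptions; the point it shows is rule precedence: a group exemption can relax the business-hours rule but can never unblock an always-blocked category.

```python
from datetime import datetime, time

# Constructed sample policy (assumption for this example, not a vendor schema).
ALWAYS_BLOCK = {"malware", "phishing", "illegal_content"}
BUSINESS_HOURS_BLOCK = {"social_media", "streaming", "gaming", "shopping"}
WARN_CATEGORIES = {"uncategorized", "mixed_reputation"}
BUSINESS_HOURS = (time(9, 0), time(18, 0))  # Monday to Friday
# Group exemptions apply only to the business-hours rule, never to ALWAYS_BLOCK.
GROUP_ALLOW = {
    "marketing": {"social_media"},
    "developers": {"developer_tools"},
}


def in_business_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def decide(user_group, category, when):
    """Evaluate the rules in precedence order and return (action, reason).

    Actions: block, warn (user must confirm), allow (always logged).
    """
    if category in ALWAYS_BLOCK:
        return "block", f"{category} is blocked for everyone at all times"
    if category in BUSINESS_HOURS_BLOCK:
        if category in GROUP_ALLOW.get(user_group, set()):
            return "allow", f"{user_group} group is exempt for {category}"
        if in_business_hours(when):
            return "block", f"{category} is blocked during business hours"
        return "allow", f"{category} is permitted outside business hours"
    if category in WARN_CATEGORIES:
        return "warn", f"{category}: show warning page and require confirmation"
    return "allow", "work-related or unlisted category, access logged"
```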
Implement HTTPS Inspection for Encrypted Traffic
More than 90% of modern web traffic is HTTPS-encrypted and therefore invisible to basic filters. Implement SSL/TLS inspection: install an enterprise CA certificate on all corporate devices, configure the web filter/proxy to decrypt HTTPS traffic using a man-in-the-middle technique, inspect the decrypted content for threats and policy violations, and re-encrypt it before forwarding to the destination. Handle certificate pinning exceptions (some banking/healthcare sites will break), communicate to users that corporate traffic is inspected, and document privacy considerations. Some organizations exempt certain categories (healthcare portals, financial sites) from decryption for privacy/compliance reasons.
Block Risky File Types and Enable Malware Scanning
Configure filters to block downloads of high-risk file types: executable files from untrusted sources (.exe, .bat, .scr, .com, .pif), script files (.vbs, .js, .ps1), compressed files containing executables, and browser extensions from non-approved stores. Enable real-time malware scanning: all downloaded files are scanned by antivirus before delivery to the user, suspicious files are sandboxed (executed in an isolated environment to observe behavior), and malicious files are quarantined or blocked. Provide a secure alternative for legitimate software downloads (approved software repository, IT-managed installations).
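The "compressed files containing executables" rule is the part a naive extension check misses, so here is an added example (not the page's or any product's code) that applies the extension list above to a download and, for zip archives, descends into nested zips with a depth limit. The file names and the sample archive are constructed inputs.

```python
import io
import zipfile

RISKY_EXTENSIONS = {".exe", ".bat", ".scr", ".com", ".pif", ".vbs", ".js", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 3  # refuse archives nested deeper than this (evasion / zip-bomb guard)

def ext_of(name):
    name = name.lower().rstrip("/")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def risky_members(data, depth=1):
    """Return paths of risky files inside a zip, descending into nested zips."""
    if depth > MAX_NESTING:
        raise ValueError("archive nested too deeply")
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = "" if info.is_dir() else ext_of(info.filename)
            if ext in RISKY_EXTENSIONS:
                found.append(info.filename)
            elif ext in ARCHIVE_EXTENSIONS:
                for inner in risky_members(zf.read(info.filename), depth + 1):
                    found.append(f"{info.filename}/{inner}")
    return found

def download_verdict(filename, data=b""):
    ext = ext_of(filename)
    if ext in RISKY_EXTENSIONS:
        return "block", f"risky extension {ext}"
    if ext in ARCHIVE_EXTENSIONS:
        try:
            inner = risky_members(data)
        except (zipfile.BadZipFile, ValueError) as err:
            return "block", f"unreadable or suspicious archive: {err}"
        if inner:
            return "block", "archive contains " + ", ".join(inner)
    return "allow", ""

def build_sample_zip():
    # Constructed input: outer zip with a benign file and a nested zip hiding a double-extension .exe
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ constructed, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```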
Log Web Access and Monitor for Security Incidents
Retain web filtering logs per CERT-In requirements (180 days minimum): user identity, timestamp, requested URL, category, action (allowed/blocked), file downloads, and block reasons. Use logs for: security incident investigation (identify malware infection source, trace phishing victim), insider threat detection (employees visiting competitor sites, job search sites before resignation), policy violation monitoring (excessive personal browsing during work hours), and compliance reporting. Integrate web filter logs with SIEM for correlation with other security events. Alert on: multiple blocks of malicious sites by single user (potential infection), access to data leak sites (pastebin, file sharing), anomalous browsing patterns.
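Two of the alert conditions above (repeated malicious-site blocks by one user, and an allowed request to a data leak site) as detection logic over sample log lines. This is an added example, not the page's or any SIEM's code; the log layout, user names and URLs are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp user action category url" layout.
SAMPLE_LOG = """\
2024-05-06T09:01:10 asha allowed business https://intranet.example.local/home
2024-05-06T09:02:30 ravi blocked malware http://bad.example.invalid/a.exe
2024-05-06T09:02:45 ravi blocked phishing http://login.example.invalid/
2024-05-06T09:03:05 ravi blocked malware http://cdn.example.invalid/b
2024-05-06T09:20:00 asha allowed file_sharing https://paste.example.invalid/raw
2024-05-06T11:00:00 ravi blocked malware http://other.example.invalid/
"""

MALICIOUS = {"malware", "phishing"}
LEAK_SITES = {"file_sharing", "paste_sites", "personal_cloud_storage"}


def parse(line):
    ts, user, action, category, url = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, action, category, url


def alerts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (alert_type, user, detail) tuples.

    possible_infection: at least `threshold` malicious-site blocks for one user within `window`
    data_leak_site: an allowed request to a paste or file-sharing category
    """
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # user -> timestamps of recent malicious blocks
    flagged, found = set(), []
    for ts, user, action, category, url in events:
        if action == "allowed" and category in LEAK_SITES:
            found.append(("data_leak_site", user, url))
        if action == "blocked" and category in MALICIOUS:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop blocks older than the sliding window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)  # alert once per user, not on every further block
                found.append(("possible_infection", user,
                              f"{len(q)} malicious blocks within {window}"))
    return found
```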
Establish Exception Request Process and Regular Policy Review
Create a workflow for legitimate exceptions: the user requests access to a blocked site with a business justification, the manager approves, IT security reviews the security risk, a temporary or permanent exception is granted if appropriate, and the exception is logged with an expiration date if temporary. Regularly review filtering effectiveness: analyze the most-blocked categories (are policies too restrictive?), review exception requests (a common pattern suggests a policy adjustment is needed), update threat feeds and blocklists, test filtering (attempt to access known malicious sites to verify blocking), and audit bypass attempts (users installing VPNs or proxies, or changing DNS settings to circumvent filters).
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.8.23:
Documentation
- Acceptable Use Policy defining permitted and prohibited web usage
- Web Filtering Policy documenting categories blocked and enforcement approach
- Web filter configuration showing active rules and threat feed subscriptions
- Exception approval records with business justifications
- Log retention policy meeting CERT-In 180-day requirement
Interviews
- IT Security team about web filtering technology and threat intelligence sources
- Network administrators about HTTPS inspection implementation and certificate management
- Help desk about user exception requests and common blocking issues
Observations
- Demonstration of web filter blocking known malicious site
- Review of web filtering logs showing user activity and blocks
- Verification that filtering applies to remote workers
- Testing file download blocking for risky file types
Practitioner Insights

A pattern I see repeatedly in breach reviews: an employee clicks a phishing link, enters credentials, and attackers pivot through the network—and the phishing domain had been sitting on public blocklists well before the click. Basic web filtering would have stopped it at the first request. Do not assume user training is sufficient defense against phishing; layer in technical controls that block known threats automatically.

Many organizations deploy web filtering but exempt HTTPS traffic from inspection because implementing SSL interception is complex. This creates a huge blind spot—attackers host malware on HTTPS sites knowing filters cannot inspect encrypted traffic. Yes, SSL inspection has privacy and technical challenges (certificate pinning, user notification), but without it, your filter inspects only the small unencrypted fraction of traffic. Invest in proper SSL inspection or accept you have limited protection.
Common Challenges & Solutions
Challenge
Users complain web filtering blocks legitimate work-related sites causing productivity issues.
Solution
Implement a streamlined exception process: the user submits a request via ticket/form with a business justification, manager approval is auto-forwarded to IT security, security reviews the site (verifying it is not malicious), and the exception is applied within 2-4 hours for approved requests. Log all exceptions for audit. Provide a self-service portal showing why a site was blocked and how to request access. Review exception requests weekly to identify overly restrictive policies that should be adjusted globally rather than handled as case-by-case exceptions.
Challenge
Remote workers bypass web filtering using personal devices, mobile hotspots, or changing DNS settings.
Solution
Enforce filtering regardless of location or device:
- Cloud-based web filtering with always-on agents on corporate laptops (Zscaler, Umbrella)
- Always-on VPN required for accessing corporate resources, forcing traffic through the filtered connection
- Endpoint protection preventing DNS changes and VPN/proxy installation
- Mobile Device Management (MDM) enforcing filtering on company-issued phones/tablets
- Network Access Control (NAC) blocking unmanaged devices from accessing the corporate network
Accept that you cannot control personal devices—require work only on managed devices.
Challenge
SSL inspection breaks certain websites and applications (banking, healthcare, software updates).
Solution
Maintain an SSL inspection bypass list for problematic destinations: banking sites with certificate pinning, healthcare portals with strict security, software update servers (Apple, Microsoft, antivirus vendors), and government sites requiring end-to-end encryption. Bypass only specific domains (not entire categories). Use HSTS preload lists to identify sites requiring bypass. For highly sensitive connections, accept that you cannot inspect them—rely on endpoint protection and user training for those sites. Document the privacy justification for bypassing medical/financial sites.
Challenge
Web filtering adds latency making internet browsing slow and frustrating users.
Solution
Optimize filtering performance: use cloud-based web filtering with points of presence near your users (lower latency than backhauling traffic to central datacenter), implement split-tunneling for non-sensitive traffic (direct internet access for streaming/personal sites while routing corporate traffic through filter), cache allowed destinations (whitelist frequently-accessed work sites to skip inspection), and use DNS filtering for minimal latency (blocks at DNS resolution before connection established). Measure actual latency impact—often perceived slowness is due to blocking previously-instant access to unproductive sites.
Challenge
How do we filter web access for guest WiFi users without blocking their legitimate needs?
Solution
Separate guest and corporate network filtering policies: the guest network has minimal filtering (block only malware/phishing; allow social media and streaming), is isolated from corporate resources (no access to internal servers, printers, or file shares), has bandwidth throttling to prevent abuse, and captures basic logs for security incidents (timestamp, MAC address, destination). Alternatively, do not provide guest WiFi—require guests to use cellular data. If you must provide guest access, accept the higher risk and compensate with network segmentation ensuring guests cannot reach corporate systems.