In order to comply with control A.8.23 Web filtering you might implement the following:
- Technology — the technology to enable web filtering would mainly be based on software (e.g., anti-malware software) that blocks access to particular IP addresses, but also can be a single list of forbidden websites and asking users not to visit them. Small companies may use lists and software solutions deployed on endpoint devices, while bigger companies may use specialized software that centralizes monitoring and analysis of network traffic.
- Organization/processes — you should set up a process for determining which types of websites are not allowed, and how the web filtering tools are maintained. You can document those processes through Security Procedures for IT Department or Web Filtering Policy.
- People — make employees aware of the risks of using the Internet and where to find guidelines for safe use, and train IT staff on how to perform web filtering.