In working with my current company through their ISO27001 audit, I wanted to ask if antivirus software was a requirement for companies seeking ISO27001 certification? We are currently operating almost entirely out of the cloud on Mac devices, so we wanted to ask if we had to get one before the audit.
Antivirus, like other antimalware solutions, is a requirement only if you have relevant risks or legal requirements (i.e., laws, regulations, or contracts) that demand its implementation. In case you have no risks or legal requirements demanding the implementation of antivirus, you do not need to implement it to be compliant with ISO 27001.
This article will provide you with further explanation about the selection of controls: