
Phishing Scams in ISO 27001

$349.00
Who trusts this:
Trusted by professionals in 160+ countries
Your guarantee:
30-day money-back guarantee — no questions asked
When you get access:
Course access is prepared after purchase and delivered via email
How you learn:
Self-paced • Lifetime updates
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.

This curriculum spans the design and operation of phishing controls across an organization’s risk, technical, and governance layers, comparable in scope to a multi-workshop program that integrates security policy, incident response planning, and compliance alignment within an ISO 27001 framework.

Module 1: Aligning Phishing Risk with ISO 27001 Risk Assessment Methodology

  • Selecting asset valuation criteria that reflect the sensitivity of user credentials and access privileges in risk scoring.
  • Determining whether phishing threats are evaluated under human-related vulnerabilities or as part of communication channel risks.
  • Integrating threat intelligence on phishing campaigns into the organization’s risk assessment register.
  • Deciding on the use of qualitative versus quantitative methods when assessing likelihood of successful phishing attacks.
  • Assigning ownership of phishing-related risks to business units versus central IT security teams.
  • Mapping phishing risks to specific Annex A controls, such as A.6.2.1 (Mobile Device Policy) or A.8.2.1 (Classification of Information) in the ISO/IEC 27001:2013 numbering; the 2022 revision renumbers these as A.8.1 (User endpoint devices) and A.5.12 (Classification of information).
  • Documenting risk treatment decisions for phishing-related findings in the Statement of Applicability.
  • Updating risk assessment frequency based on observed phishing incident trends or changes in threat landscape.

Module 2: Defining Roles and Responsibilities in Phishing Governance

  • Establishing whether the CISO, HR, or internal communications leads phishing awareness initiatives.
  • Assigning accountability for phishing incident response between SOC, helpdesk, and identity management teams.
  • Defining escalation paths when phishing attempts target executive-level accounts.
  • Requiring department heads to validate employee completion of phishing training before access provisioning.
  • Specifying which team maintains the phishing simulation schedule and metrics reporting.
  • Determining if third-party vendors with system access must comply with internal phishing training requirements.
  • Requiring legal and compliance sign-off on simulated phishing email content to avoid privacy violations.
  • Setting expectations for managers to address repeated phishing click-throughs during performance reviews.

Module 3: Integrating Phishing Controls into ISMS Documentation

  • Authoring an Acceptable Use Policy that explicitly prohibits forwarding corporate credentials via email.
  • Documenting email filtering rules and quarantine procedures in operational security procedures.
  • Incorporating phishing response steps into incident management playbooks aligned with A.16.1.5 (Response to information security incidents; A.5.26 in the 2022 revision).
  • Updating onboarding checklists to include phishing awareness training completion as a prerequisite.
  • Specifying retention periods for logs of phishing simulations and employee click data.
  • Linking password reset procedures to suspected phishing events in identity management documentation.
  • Requiring change management approval before modifying spam filter sensitivity thresholds.
  • Ensuring that remote work policies reference risks associated with personal device usage in phishing scenarios.

Module 4: Designing and Operating Technical Email Defenses

  • Publishing DMARC with an enforcing policy (p=quarantine or p=reject, plus sp= for subdomains) so that mail failing both aligned SPF and aligned DKIM is quarantined or rejected rather than merely reported; DMARC passes whenever either aligned check passes.
  • Setting quarantine thresholds for suspicious attachments based on file type and sender reputation.
  • Implementing URL rewriting so that links are re-evaluated at time of click, catching destinations that were still benign when the message was scanned at delivery.
  • Deciding whether to block all executable attachments or allow exceptions for specific departments.
  • Integrating threat feeds from external providers into email gateway rule updates.
  • Configuring gateway or transport rules to tag external mail whose display name, Reply-To address, or lookalike domain mimics an internal sender.
  • Enabling forensic logging on email gateways to support post-incident analysis of phishing delivery paths.
  • Testing failover configurations for email security appliances to prevent bypass during outages.
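The DMARC item in this module is the one most often misconfigured, so here is the receiving side of it worked through in Python. This is an added example, not material from the course or its toolkit: it parses a published DMARC record, checks SPF and DKIM identifier alignment in strict and relaxed mode, and derives the disposition for three constructed messages. The DNS_TXT table stands in for real _dmarc TXT lookups, the Authentication-Results headers are assumed to have been stamped by your own MX, all hostnames are test values, and the two-label organizational-domain shortcut is a simplification of the Public Suffix List lookup a production receiver needs.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for _dmarc.<domain> TXT lookups (assumption: no real DNS here).
DNS_TXT = {
    # Enforcing record: reject failures, cover subdomains, strict DKIM alignment.
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    # Weak record: monitor only, so spoofed mail is still delivered.
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:dmarc@partner.example",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp is set
    return tags

def org_domain(domain):
    """Last two labels only (assumption; production code must use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(value):
    """Yield (method, result, domain) triples from an Authentication-Results header."""
    chunks = [c.strip() for c in str(value).split(";")]
    for chunk in chunks[1:]:  # chunks[0] is the authserv-id of the verifying MX
        tokens = chunk.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        domain = ""
        for tok in tokens[1:]:
            if tok.startswith(("smtp.mailfrom=", "header.d=")):
                domain = tok.split("=", 1)[1].rpartition("@")[2]
        yield method.lower(), result.lower(), domain.lower()

def lookup_policy(from_domain):
    """Exact record first, then the organizational domain's record (its sp= applies)."""
    for candidate, is_sub in ((from_domain, False), (org_domain(from_domain), True)):
        if f"_dmarc.{candidate}" in DNS_TXT:
            return parse_dmarc(DNS_TXT[f"_dmarc.{candidate}"]), is_sub
    return None, False

def evaluate(raw_message):
    """Return the DMARC verdict and the disposition the gateway should apply."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    verdict = {"from_domain": from_domain, "spf_aligned": False,
               "dkim_aligned": False, "dmarc_pass": False, "disposition": "none"}
    tags, is_subdomain = lookup_policy(from_domain) if from_domain else (None, False)
    if tags is None:  # no record published: nothing to enforce, deliver as-is
        return verdict
    for header in msg.get_all("Authentication-Results", []):
        for method, result, domain in parse_auth_results(header):
            if result != "pass" or not domain:
                continue
            if method == "spf" and aligned(domain, from_domain, tags["aspf"]):
                verdict["spf_aligned"] = True
            elif method == "dkim" and aligned(domain, from_domain, tags["adkim"]):
                verdict["dkim_aligned"] = True
    # DMARC passes on EITHER an aligned SPF pass or an aligned DKIM pass.
    verdict["dmarc_pass"] = verdict["spf_aligned"] or verdict["dkim_aligned"]
    if not verdict["dmarc_pass"]:
        verdict["disposition"] = tags["sp"] if is_subdomain else tags["p"]
    return verdict

# Constructed messages (headers only) as our MX hands them on, Authentication-Results stamped.
SPOOFED = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce.attacker-mail.example; dkim=none
From: "CEO" <ceo@example.com>
"""
LEGIT_SUBDOMAIN = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com
From: alerts@mail.example.com
"""
MONITOR_ONLY = """\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=partner.example; dkim=fail header.d=partner.example
From: invoices@partner.example
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit-subdomain", LEGIT_SUBDOMAIN), ("monitor-only", MONITOR_ONLY)):
        print(name, evaluate(raw))
```

Running it shows the three outcomes that matter in practice: the spoof of example.com is rejected because neither check is aligned; mail from mail.example.com passes on relaxed SPF alignment even though adkim=s makes its DKIM signature (d=example.com) non-aligned; and the spoof of partner.example fails DMARC but is still delivered because that domain publishes p=none, which is the weak setting the bullet above warns against. The pct= tag and receiver-local overrides are deliberately left out.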

Module 5: Measuring and Managing Phishing Awareness Programs

  • Selecting baseline metrics such as click-through rate, report-to-quarantine ratio, and time-to-report.
  • Determining simulation frequency per role group, with higher frequency for finance and HR.
  • Customizing phishing templates to reflect industry-specific lures, such as fake shipping notices or tax forms.
  • Deciding whether to publicly share department-level results or maintain individual confidentiality.
  • Triggering mandatory retraining when an employee clicks on a simulated phishing email.
  • Validating that training content reflects current TTPs used in real-world phishing campaigns.
  • Integrating phishing simulation results into internal audit findings and management review reports.
  • Assessing whether gamification improves reporting behavior without increasing false positives.
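The metrics in this module are only useful if they are computed the same way every quarter, so the following Python script, added here as an illustration rather than taken from the course toolkit, fixes one consistent definition: per role group, click rate and report rate over messages sent, median minutes from delivery to report, users who clicked in two or more campaigns (the retraining trigger above), and a cadence rule that gives higher-risk groups monthly simulations. EVENTS is a constructed export with test user names, the field names are assumptions about your simulation platform, and the 30% threshold is an arbitrary starting point. The report-to-quarantine ratio needs gateway quarantine counts that a simulation export does not contain, so it is not computed here.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def _row(campaign, user, group, sent, clicked=None, reported=None):
    return {"campaign": campaign, "user": user, "group": group,
            "sent": sent, "clicked": clicked, "reported": reported}

# Constructed export: one row per recipient per campaign, ISO 8601 timestamps,
# None where the user took no action. Names, groups and field names are assumptions.
Q1, Q2 = "2024-02-05T09:00:00", "2024-05-06T10:00:00"
EVENTS = [
    _row("2024-Q1", "alice", "finance", Q1, clicked="2024-02-05T09:05:00"),
    _row("2024-Q1", "bob", "finance", Q1, reported="2024-02-05T09:03:00"),
    _row("2024-Q1", "carol", "hr", Q1, clicked="2024-02-05T09:10:00", reported="2024-02-05T09:12:00"),
    _row("2024-Q1", "dave", "eng", Q1, reported="2024-02-05T09:20:00"),
    _row("2024-Q1", "erin", "eng", Q1),
    _row("2024-Q2", "alice", "finance", Q2, clicked="2024-05-06T10:02:00"),
    _row("2024-Q2", "bob", "finance", Q2, reported="2024-05-06T10:05:00"),
    _row("2024-Q2", "carol", "hr", Q2, reported="2024-05-06T10:01:00"),
    _row("2024-Q2", "dave", "eng", Q2),
    _row("2024-Q2", "erin", "eng", Q2, clicked="2024-05-06T10:30:00"),
]

def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def summarize(events):
    """Per group: click rate and report rate over messages sent, median minutes to report."""
    groups = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "minutes": []})
    for e in events:
        g = groups[e["group"]]
        g["sent"] += 1
        g["clicked"] += bool(e["clicked"])
        if e["reported"]:
            g["reported"] += 1
            g["minutes"].append(_minutes(e["sent"], e["reported"]))  # time-to-report
    return {name: {"sent": g["sent"],
                   "click_rate": g["clicked"] / g["sent"],
                   "report_rate": g["reported"] / g["sent"],
                   "median_minutes_to_report": median(g["minutes"]) if g["minutes"] else None}
            for name, g in groups.items()}

def retraining_candidates(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns (repeat clickers)."""
    clicks = defaultdict(set)
    for e in events:
        if e["clicked"]:
            clicks[e["user"]].add(e["campaign"])
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_campaigns)

def recommend_cadence(stats, monthly_above=0.30):
    """Assumed rule: a group clicking above the threshold is simulated monthly, else quarterly."""
    return {g: "monthly" if s["click_rate"] > monthly_above else "quarterly" for g, s in stats.items()}

if __name__ == "__main__":
    stats = summarize(EVENTS)
    for group, s in sorted(stats.items()):
        print(f"{group:8s} sent={s['sent']} click={s['click_rate']:.0%} report={s['report_rate']:.0%} "
              f"median_report_min={s['median_minutes_to_report']}")
    print("retrain:", retraining_candidates(EVENTS))
    print("cadence:", recommend_cadence(stats))
```

Note that carol both clicked and reported in the first campaign; counting her in both numerators is intentional, since a click followed by a report is exactly the behaviour the reporting metric is meant to reward, and collapsing the two hides it.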

Module 6: Incident Response and Forensic Readiness for Phishing Events

  • Defining criteria for classifying a phishing email as a security incident requiring formal response.
  • Preserving email headers and original messages for forensic analysis and legal admissibility.
  • Coordinating with email providers to request takedown of phishing domains or spoofed content.
  • Validating whether compromised credentials have been used to access systems or exfiltrate data.
  • Initiating password resets, MFA re-enrollment, and revocation of active sessions and tokens for users who entered credentials on phishing sites.
  • Documenting root cause analysis of phishing incidents to identify control gaps.
  • Engaging external forensics teams when phishing leads to suspected lateral movement or data breach.
  • Updating threat models based on attacker infrastructure identified during phishing investigations.
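Several items in this module (preserving originals and headers, reconstructing the delivery path, and capturing attacker infrastructure) come together in first-hour triage of a reported message. The Python script below is an added example, not part of the course toolkit: it hashes the preserved .eml before any analysis, walks the Received chain in delivery order to find the originating IP and transit time, flags Reply-To and Return-Path domains that differ from the visible From, and extracts URLs from the body. RAW_EML is a constructed message; its hosts, IPs and addresses are documentation values, and the Received regex covers only the common "from host (rdns [ip]) by host" shape.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed .eml as exported from the victim mailbox; hosts and IPs are test values.
RAW_EML = """\
Return-Path: <bounce-7a1@attacker-mail.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
    by mailstore.corp.example with ESMTPS id m1q2w3
    for <finance@corp.example>; Tue, 04 Jun 2024 09:15:02 +0000
Received: from mail.attacker-mail.example (unknown [198.51.100.7])
    by mx.corp.example with ESMTP id k9j8h7;
    Tue, 04 Jun 2024 09:15:01 +0000
Message-ID: <20240604091500.1234@attacker-mail.example>
From: "Payroll Team" <payroll@corp.example>
Reply-To: payroll-desk@attacker-mail.example
To: finance@corp.example
Subject: Action required: confirm your account
Content-Type: text/plain; charset=utf-8

Your mailbox will be locked. Verify at https://corp-example-login.attacker-mail.example/verify?u=finance
Questions? http://198.51.100.7/help
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\).*?\bby\s+(?P<by>\S+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def evidence_hash(raw):
    """SHA-256 of the message exactly as preserved; record it before touching anything."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def parse_received(value):
    """Pull HELO name, reverse DNS, IP, receiving host and timestamp from one Received header."""
    text = " ".join(str(value).split())  # unfold and normalise whitespace
    m = RECEIVED_RE.search(text)
    hop = {k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip", "by")}
    hop["timestamp"] = None
    if ";" in text:
        try:
            hop["timestamp"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop

def _domain(addr):
    return addr.rpartition("@")[2]

def triage(raw):
    """Summarise what an analyst needs first: origin, path, identity mismatches, URLs."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Each MTA prepends its Received header, so reverse to read sender -> recipient.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    stamps = [h["timestamp"] for h in hops if h["timestamp"]]
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {
        "sha256": evidence_hash(raw),
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "transit_seconds": (stamps[-1] - stamps[0]).total_seconds() if len(stamps) > 1 else None,
        "from": from_addr,
        # Reply-To or envelope sender on a different domain from the visible From is a classic tell.
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(from_addr),
        "return_path_mismatch": bool(return_path) and _domain(return_path) != _domain(from_addr),
        "urls": URL_RE.findall(text),
    }

if __name__ == "__main__":
    report = triage(RAW_EML)
    print("evidence sha256:", report["sha256"])
    for hop in report["hops"]:
        print(f"  {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['timestamp']}")
    print("reply-to mismatch:", report["reply_to_mismatch"], "urls:", report["urls"])
```

One caveat a practitioner should keep in mind: origin_ip here is simply the bottom-most hop, which in this sample is the header written by mx.corp.example. A sender can prepend fabricated Received lines below the ones your own infrastructure adds, so in a real investigation trust only the first header whose "by" host you control and treat anything beneath it as attacker-supplied.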

Module 7: Third-Party and Supply Chain Phishing Risks

  • Requiring vendors with email access to undergo phishing awareness training equivalent to internal staff.
  • Assessing whether contractors use personal email for work-related communication, increasing exposure.
  • Monitoring for phishing attacks that impersonate key suppliers or customers to initiate fraud.
  • Requiring evidence of email security controls during vendor security assessments.
  • Establishing notification protocols when a third party reports receiving a phishing email from your domain.
  • Enforcing MFA for all external users accessing corporate systems, especially after phishing events.
  • Conducting phishing risk assessments during mergers or acquisitions involving email system integration.
  • Reviewing SLAs with email providers to ensure timely response to spoofing incidents.

Module 8: Management Review and Continuous Improvement

  • Presenting phishing simulation trends and incident data during ISMS management review meetings.
  • Adjusting risk treatment plans based on increased phishing success rates in specific departments.
  • Evaluating whether current awareness training reduces repeat clicks over a 12-month period.
  • Assessing resource allocation for phishing defenses against other ISMS priorities.
  • Reviewing audit findings related to email security control effectiveness.
  • Updating ISMS objectives to include measurable reductions in phishing susceptibility.
  • Validating that lessons learned from phishing incidents are incorporated into policy updates.
  • Reassessing the adequacy of phishing-related controls during annual internal audits.

Module 9: Legal, Regulatory, and Compliance Implications of Phishing

  • Determining breach notification obligations when phishing leads to unauthorized data access.
  • Documenting employee training completion to demonstrate due diligence in regulatory audits.
  • Ensuring phishing simulations comply with data protection laws regarding personal data processing.
  • Consulting legal counsel before taking action against domains used in phishing attacks.
  • Retaining logs and records to support potential litigation involving phishing-induced fraud.
  • Aligning phishing controls with the regulatory and contractual requirements that apply to the organization, such as GDPR, HIPAA, or PCI DSS.
  • Reporting significant phishing incidents to regulators when required by contractual or legal obligations.
  • Validating that outsourced email security providers meet contractual obligations for threat detection.

Module 10: Strategic Integration of Phishing Resilience into Business Continuity

  • Assessing the impact of widespread credential compromise on critical business processes.
  • Testing incident response plans that include mass phishing events affecting multiple departments.
  • Validating backup authentication methods when primary identity systems are targeted via phishing.
  • Ensuring crisis communication plans include messaging templates for internal phishing alerts.
  • Integrating phishing scenarios into annual business continuity and disaster recovery exercises.
  • Mapping phishing-related single points of failure in identity and access management systems.
  • Reviewing insurance policies to confirm coverage for social engineering attacks.
  • Establishing thresholds for declaring a phishing event as a business disruption requiring executive intervention.