Template content about spam e-mail
First, it is important to note that you must consider the results of the risk assessment to decide whether this rule is needed in your policy.
Considering that, this requirement is included in the IT Security Policy exactly to treat this “once in a while” situation for spam e-mail, which can be used as a metric to evaluate the performance of your spam filter or as a trigger to an abnormal situation.
For example, in a situation where you start receiving a significant number of user reports about spam e-mail in a short period of time, this may mean that something is wrong with the filter, or that a DOS attack may be in progress.
Thanks; however, based on experience in a corporate environment, there are better monitors for filter and DOS, and users reporting spam create unnecessary work for limited resources. Reporting spam is a DOS on the support organization. From a risk-based approach, I cannot see where spam would outweigh (spear)phishing.
If the results of your risk assessment support the decision about treating (spear)phishing instead of email spam, you can edit the document accordingly. The template is fully editable and the standard does not prescribe the details about controls implementation.
Sep 13, 2019