PR.AT-1 / DE.CM-4 / RS.CO-2 / NIST 800-53 SI-8 / ISO 27001:2022 A.6.7 NIST Cybersecurity Framework v1.1

How does your organisation defend against phishing — the most common ransomware entry point?

Demonstrate that the organization maintains effective technical and human controls to prevent phishing emails from reaching users, detect those that do, and respond appropriately when users encounter or report them.

Description

What this control does

This control evaluates the organization's multi-layered defense against phishing attacks, which serve as the initial access vector in over 70% of ransomware incidents. Effective phishing defense combines technical controls (email filtering, link analysis, attachment sandboxing, DMARC/SPF/DKIM enforcement), user awareness training with simulated phishing campaigns, and incident response procedures for reported suspicious messages. The control ensures that both automated systems and human judgment work together to detect, block, and respond to phishing attempts before credentials are compromised or malware is executed.

Control objective

What auditing this proves

Demonstrate that the organization maintains effective technical and human controls to prevent phishing emails from reaching users, detect those that do, and respond appropriately when users encounter or report them.

Associated risks

Risks this control addresses

  • Credential theft via phishing pages leading to initial access and lateral movement within the network
  • Malicious attachment execution delivering ransomware, remote access trojans, or information stealers
  • Business email compromise resulting in fraudulent wire transfers or data exfiltration
  • Domain spoofing due to missing or misconfigured email authentication protocols (SPF, DKIM, DMARC)
  • Undetected phishing campaigns persisting for extended periods due to lack of email security monitoring
  • Users lacking ability to recognize or report phishing attempts due to insufficient training
  • Delayed incident response to reported phishing emails allowing attacker persistence or propagation

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's anti-phishing policy including technical controls, training requirements, and reporting procedures
  2. Export email security gateway configuration showing enabled protections: attachment scanning, URL rewriting, sandboxing, impersonation detection, and threat intelligence feeds
  3. Query DNS records for all organizational email domains to verify SPF, DKIM, and DMARC records with enforcement policies (quarantine or reject)
  4. Review security awareness training records for the past 12 months including phishing-specific content, completion rates by department, and assessment scores
  5. Examine simulated phishing campaign results from the past year including click rates, credential submission rates, reporting rates, and trend analysis over time
  6. Select a sample of 10-15 user-reported phishing emails from the past quarter and trace response actions taken (analysis, remediation, user notification)
  7. Review email security logs for the past 30 days to identify blocked phishing attempts, quarantined messages, and detection rates by protection layer
  8. Interview IT security and helpdesk personnel to validate phishing reporting workflow and verify users have accessible reporting mechanisms (button, email alias, portal)
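Step 3 of the testing procedure (verifying SPF, DKIM and DMARC records and their enforcement policies) is the one step an auditor can automate against the pass criteria. The script below is an added example for this page, not code from the page or from any product: it parses the tag=value syntax of DMARC and DKIM records, checks that the DMARC policy is at least `quarantine`, and flags the cases that commonly hide behind a "we have DMARC" answer (a `pct=` below 100, a subdomain policy `sp=` weaker than `p=`, a missing `rua=` reporting address, a revoked DKIM key with an empty `p=`, softfail SPF). All domain names, record values and the `SAMPLE_TXT` zone are constructed so it runs offline; the `assess_domain` and `lookup_txt` names are the example's own, and in a real audit `lookup_txt` would be replaced by a live TXT query.

```python
"""Check a domain's SPF/DKIM/DMARC posture against this control's pass criteria.

Added example for this control page (not the page's or any vendor's code).
DNS answers are constructed below so the script runs offline; in a real audit
replace SAMPLE_TXT with live TXT lookups (e.g. `dig +short TXT _dmarc.<domain>`).
"""
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}

# Constructed sample TXT answers keyed by DNS name. None of these are real records.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.test"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDER"],
    "partial.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.partial.test": ["v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@partial.test"],
    "mail._domainkey.partial.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDER"],
    "weak.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:reports@weak.test"],
    # weak.test publishes no DKIM selector at all
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query: returns [] when the name has no TXT records."""
    return list(zone.get(name.lower(), []))


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC (RFC 7489) and DKIM (RFC 6376)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class Assessment:
    domain: str
    failures: list = field(default_factory=list)   # blocks the control's pass criteria
    warnings: list = field(default_factory=list)   # worth raising, not a hard fail

    @property
    def passes(self):
        return not self.failures


def assess_domain(domain, dkim_selectors=("mail",), zone=SAMPLE_TXT):
    """Evaluate one sending domain. Pass criteria on this page: DMARC enforced at
    least at 'quarantine'; SPF and DKIM are checked for presence and sanity."""
    a = Assessment(domain)

    # SPF: exactly one v=spf1 record is valid; two or more yields a permerror.
    spf = [r for r in lookup_txt(domain, zone) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        a.failures.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif not spf[0].rstrip().endswith("-all"):
        a.warnings.append("SPF: record does not end in -all, so unauthorised sources only softfail or pass neutral")

    # DMARC: policy lives at _dmarc.<domain>; sp defaults to p, pct defaults to 100.
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}", zone) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        a.failures.append(f"DMARC: expected exactly one v=DMARC1 record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "missing")
        sub_policy = tags.get("sp", policy)
        if policy not in ENFORCING:
            a.failures.append(f"DMARC: p={policy} does not meet the 'quarantine' minimum")
        elif sub_policy not in ENFORCING:
            a.failures.append(f"DMARC: subdomain policy sp={sub_policy} is weaker than p={policy}")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            a.warnings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
        if "rua" not in tags:
            a.warnings.append("DMARC: no rua= address, so aggregate reports (spoofing visibility) are not collected")

    # DKIM: each selector must publish a key; an empty p= means the key was revoked.
    for selector in dkim_selectors:
        keys = [parse_tags(r) for r in lookup_txt(f"{selector}._domainkey.{domain}", zone)]
        keys = [t for t in keys if "p" in t]
        if not keys:
            a.failures.append(f"DKIM: no key record published for selector '{selector}'")
        elif keys[0]["p"] == "":
            a.failures.append(f"DKIM: selector '{selector}' publishes a revoked (empty) key")
    return a


if __name__ == "__main__":
    for name in ("example.test", "partial.test", "weak.test"):
        result = assess_domain(name)
        print(f"{name}: {'PASS' if result.passes else 'FAIL'}")
        for f in result.failures:
            print("  FAIL  ", f)
        for w in result.warnings:
            print("  WARN  ", w)
```

Run over the constructed zone, `example.test` passes cleanly, `partial.test` fails only on its `sp=none` subdomain policy (with a warning for `pct=50`), and `weak.test` fails on `p=none` and the missing DKIM key. The DKIM selector names still have to come from the organisation (its mail headers or provider documentation), since selectors are not discoverable from DNS alone.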

Evidence required

Email gateway configuration exports showing enabled anti-phishing modules and detection thresholds; DNS query results for SPF/DKIM/DMARC records with policy settings; security awareness training completion reports and simulated phishing campaign metrics (click rate, reporting rate, trends); sample of phishing incident tickets with timestamps and response actions; email security logs showing blocked/quarantined messages with detection reasoning; screenshots of user-facing phishing reporting tools.

Pass criteria

The organization operates multi-layered email security controls with DMARC enforcement at minimum 'quarantine', conducts phishing awareness training annually with simulated campaigns showing declining click rates or improving reporting rates, and maintains documented procedures with evidence of timely response to user-reported phishing incidents.