According to ISO/IEC 27001:2013 , organisations are supposed to consider all the information security controls outlined in Annex A, confirming that they have done so by preparing a S tatement o f A pplicability "that contains the necessary controls .... and justification for inclusions, [states] whether they are implemented or not, and [gives] the justification for exclusions of controls from Annex A". That ineptly-worded requirement in a poorly-constructed and in fact self-contradictory clause of the standard is generally interpreted, in practice, in the form of an SoA table with a row for every Annex A control* and columns for applicability, justifications and implementation status of each control*. Three exclusive states are generally used.  Each control* is one of: Applicable and implemented; Applicable but not implemented; or Not applicable. ... implying a simple decision tree with just two binary questions:   First, is the control* applicable (yes or no)? If the con...

The Interweb drums have been beating out news of an upsurge in phishing attacks over the past month or so. I’ve certainly had more than the normal number of things along these lines lately:     As usual, these are relatively crude and (for most reasonably alert people) easy to spot thanks to the obvious spelling and grammatical errors, often using spurious technobabble and urgency as well as the fake branding and sender email address in an attempt to trick victims.   The ‘blocked emails’ and ‘storage limit’ memes are popular in my spam box right now, suggesting that these are basic phishing-as-a-service or phishing-kit products being used by idiots to lure, hook, land and gut other idiots.   They are, however, using my first name in place of “Dear subscriber” or “Hello, how are you doing?” that we used to see, implying the use of mailmerge-type content customisation with databases of email addresses and other info on potential victims*. Moving up the scale, some curr...