Compliance Guide

ISO 27001 Email Security Requirements

ISO/IEC 27001:2022

ISO/IEC 27001:2022 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The 2022 revision reorganised Annex A controls into four themes, with email security falling primarily under Technological Controls (A.8). Control A.8.24 (Use of cryptography) requires encryption for data in transit, while A.8.20 (Network security) and A.8.21 (Security of network services) address secure communication. Email authentication protocols support risk treatment for threats identified during the mandatory risk assessment process (Clause 6.1.2).

Protocol Requirements

Protocol | Requirement | Details
SPF | Recommended | SPF supports Annex A control A.8.20 (Network security) by restricting which servers can send email from your domain. ISO 27001 auditors expect organisations to implement standard email authentication as part of their ISMS, particularly where email spoofing has been identified as a risk.
DMARC | Recommended | DMARC aligns with A.5.7 (Threat intelligence) and A.8.20 by providing visibility into email abuse through aggregate reporting and enabling enforcement against domain spoofing. It is increasingly expected by ISO 27001 auditors as a standard control.
DKIM | Recommended | DKIM supports A.8.24 (Use of cryptography) by providing cryptographic message integrity for outgoing email. It helps ensure that email content has not been tampered with during transit.
SSL/TLS | Required | TLS is required under A.8.24 (Use of cryptography) for encrypting data in transit and A.8.21 (Security of network services) for securing network communications. ISO 27002:2022 guidance explicitly references encryption of email as an implementation example.
Security Headers | Recommended | Security headers support A.8.28 (Secure coding) and A.8.9 (Configuration management) by hardening web applications against common attack vectors. They are part of the secure baseline configuration expected in an ISMS.
DNSSEC | Optional | DNSSEC is not specifically referenced in ISO 27001 or 27002 but may be relevant as a risk treatment for DNS integrity threats depending on the organisation's risk assessment.

Compliance Implementation Steps

1. Include email security in your ISMS risk assessment

During the risk assessment required by Clause 6.1.2, identify threats related to email spoofing, phishing, and man-in-the-middle attacks. Assess the likelihood and impact for your organisation, then select email authentication controls as risk treatments.

2. Implement TLS encryption for email and web services

Deploy TLS 1.2 or higher on all mail servers and web endpoints. This satisfies Annex A control A.8.24 (Use of cryptography). Document the cryptographic policy including approved algorithms and minimum key lengths.

3. Deploy SPF, DKIM, and DMARC as risk treatments

Implement email authentication protocols and document them in your Statement of Applicability (SoA) as treatments for email-related risks. Map each protocol to the relevant Annex A controls (A.8.20, A.8.24).

4. Configure security headers on all web applications

Deploy HSTS, CSP, X-Frame-Options, and other security headers as part of your secure configuration baseline under A.8.9 (Configuration management). Document the standard header configuration in your ISMS.

5. Document controls in your Statement of Applicability

For each relevant Annex A control, document the email security measures implemented, their justification, and how they address identified risks. The SoA must reference A.8.20, A.8.21, A.8.24, and any other applicable controls.

6. Establish monitoring and continual improvement

Set up domain monitoring to track email authentication effectiveness over time. Use scan reports as input to management reviews (Clause 9.3) and continual improvement (Clause 10). Demonstrate that controls remain effective between certification audits.
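The checks behind steps 2 to 4, and the SPF, DMARC, TLS and security-header rows of the protocol table, as an added example (this is not the Domain Security Scanner's code or any vendor's): it evaluates an SPF record and a DMARC record as a DNS TXT lookup would return them, a set of HTTP response headers, and a TLS client configuration against the baseline the steps describe, and maps each result to the Annex A controls the page names, in the shape one might paste into a Statement of Applicability evidence table. The records and headers are constructed inline so it runs offline; the pass/fail thresholds (one-year HSTS max-age, DENY/SAMEORIGIN for X-Frame-Options, an enforcing DMARC policy with pct=100 and a mailto: rua address) and the evidence dictionary layout are this example's own assumptions, while the ten-lookup limit is SPF's own rule from RFC 7208.

```python
"""Added example (not the page's scanner): baseline checks for the email and
web controls above, with results mapped to the Annex A controls the page
names. Inputs are constructed inline, so the script runs offline."""
import re
import ssl

# Constructed sample inputs, shaped like a DNS TXT lookup and an HTTP response.
SAMPLE_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)
_ALL_TERM = re.compile(r"^([+\-~?])?all$", re.I)


def check_spf(record):
    """Return (ok, note). Passes only if the record is SPF, stays within the
    lookup limit and closes with an 'all' that restricts unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "no SPF record"
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        return False, f"{lookups} DNS lookups exceeds the limit of 10 (permerror)"
    match = next((m for m in map(_ALL_TERM.match, terms) if m), None)
    if match is None:
        return False, "no 'all' mechanism: unlisted senders get a neutral result"
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
    if qualifier in "+?":
        return False, f"'{qualifier}all' does not restrict unlisted senders"
    return True, f"'{qualifier}all' restricts unlisted senders ({lookups} lookups)"


def parse_tags(record):
    """Parse DMARC's 'tag=value; tag=value' syntax into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return (ok, note). Passes only with an enforcing policy applied to all
    mail and an aggregate-report address (the A.5.7 visibility the page cites)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "no DMARC record"
    policy = tags.get("p", "").lower()
    problems = []
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or 'missing'} does not enforce")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua= address, so no aggregate reports")
    if tags.get("pct", "100") != "100":  # DMARC's default is 100
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return (not problems), ("; ".join(problems) or f"p={policy} on all mail, with aggregate reporting")


def check_headers(headers):
    """Return (ok, note) for the step-4 baseline (HSTS, CSP, X-Frame-Options).
    The thresholds are this example's choice, not an ISO requirement."""
    lowered = {k.lower(): v for k, v in headers.items()}
    problems = []
    max_age = re.search(r"max-age=(\d+)", lowered.get("strict-transport-security", ""))
    if max_age is None or int(max_age.group(1)) < 31536000:
        problems.append("HSTS missing or max-age under one year")
    if "content-security-policy" not in lowered:
        problems.append("no Content-Security-Policy")
    if lowered.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return (not problems), ("; ".join(problems) or "baseline headers present")


def tls_client_context():
    """Client context for mail/web checks that refuses anything below TLS 1.2,
    the minimum named in step 2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def soa_evidence(spf, dmarc, headers):
    """Map each check to the Annex A controls the page assigns it."""
    ctx = tls_client_context()
    return {
        "A.8.20 SPF": check_spf(spf),
        "A.8.20 / A.5.7 DMARC": check_dmarc(dmarc),
        "A.8.9 / A.8.28 security headers": check_headers(headers),
        "A.8.24 / A.8.21 TLS minimum": (
            ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
            f"client minimum is {ctx.minimum_version.name}"),
    }


if __name__ == "__main__":
    for control, (ok, note) in soa_evidence(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_HEADERS).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {control}: {note}")
```

To use it against a real domain, replace the constructed strings with the output of a TXT lookup for the domain and for `_dmarc.<domain>`, and the header dictionary with the headers of an HTTPS response; the notes are written so that each FAIL line names the specific record or header change that clears it, which is the level of detail an auditor will want to see next to the control number.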

Audit Evidence

Use Domain Security Scanner reports as evidence for your ISO 27001 audit. Pro and Agency plans include PDF export for compliance documentation.

  • Domain security scan reports mapped to relevant Annex A controls in the Statement of Applicability
  • TLS and cryptography audit reports supporting A.8.24 compliance
  • Email authentication (SPF, DKIM, DMARC) configuration reports linked to risk treatment plans
  • Monitoring reports demonstrating continual improvement of email security controls per Clause 10

Check Your ISO 27001 Compliance

Run a free scan to see how your domain's email authentication measures up against ISO 27001 requirements.

Frequently Asked Questions

Does ISO 27001 require DMARC?

ISO 27001 does not mandate specific technologies. Instead, it requires organisations to conduct a risk assessment and implement "appropriate" controls. However, Annex A control A.8.20 (Network security) and A.5.7 (Threat intelligence) support the case for DMARC. Certification auditors increasingly view email authentication as a baseline expectation, and its absence may be raised as an observation or nonconformity if email spoofing was identified as a risk.

Which ISO 27001 Annex A controls relate to email security?

The most relevant controls are: A.8.20 (Network security), A.8.21 (Security of network services), A.8.24 (Use of cryptography), A.5.7 (Threat intelligence), A.8.9 (Configuration management), and A.8.28 (Secure coding). TLS encryption maps to A.8.24, email authentication to A.8.20, security headers to A.8.9 and A.8.28, and DMARC reporting to A.5.7.

How do scan reports help with ISO 27001 certification?

Domain security scan reports provide objective evidence for surveillance and certification audits. They demonstrate that controls identified in your risk treatment plan and Statement of Applicability are implemented and effective. Regular scan reports also support Clause 9 (performance evaluation) and Clause 10 (continual improvement) by providing measurable data on security posture over time.
