ISO27001 Information Security Standard

ISO 27001, formally ISO/IEC 27001, is an information security standard published jointly by the International Organization for Standardization and the International Electrotechnical Commission.

Most organizations have some information security controls, but these may not be sufficiently comprehensive in their coverage. An information security management system (ISMS) can remedy this situation.

The standard specifies a management system and sets out specific requirements. Organizations that meet those requirements may be certified by an accredited certification body following successful completion of an audit.

ISO 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis

The ISO 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process.

Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability and Risk Treatment Plan. This stage serves to familiarize the auditors with the organization and vice versa.

Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

Stage 3 is ongoing and involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

For detailed information on ISO 27001 refer to https://www.itgovernance.co.uk/iso27001


Fightback Ninja Signature

The BT Support Internet Scam

This is the latest version of the support call scam.

The Fightback Ninja received a call from ‘Agnes’ at BT support.

She told me they have found that my Internet connection is not working properly and that my IP address shows up as being in California. So they suspect someone has illegally gained access to my Internet connection and that is bad.

Once they have checked they will be able to help me to block this problem.

I just agreed with her as she listed each step, knowing this to be a stupid scam but interested in the process the scammers go through to steal from people.

There were a lot of people talking in her background and I complained that I could hardly hear over the noise. She told me I could hear perfectly well. ‘Agnes’ is a bossy scammer.

Agnes then asked me to check my IP address and said she could explain how to do that.

I checked online and my IP address of course shows my real location, not California as ‘Agnes’ claimed.

Agnes was now getting angry when I told her I could see on screen that the IP address was showing its location correctly. And she accused me of telling stories.

I told her I wasn’t a lying cheating scammer like her.

Then she put the phone down as it was obvious I wasn’t going to be scammed.

These horrible people will take money from anyone – do not believe cold callers unless you can prove who they are and what they say. Anyone cold calling your home about your Internet connection is almost certainly a scammer.

Note: If you want to know the IP address for your device, there are various ways to check depending on what device you’re using, but a simple website such as https://www.iplocation.net/ will tell you your current IP address and also give you the apparent location of that IP address.

The apparent location will likely show the nearest town, but sometimes it may show the location of your Internet Service Provider instead, so don’t be concerned if that’s the case.

The apparent IP location is generally unimportant – it’s mostly just for the curious.

If you have any experiences with scammers, spammers or time-wasters, do let me know by email.


Stupidest Scam or Spam of the Week: Effortless Weight Loss

Lots of scammers target people wanting to lose weight, as obesity is such a common problem in advanced countries and the standard method of restricting calories and/or exercising more can be difficult and perhaps unpleasant for many.

The email shows a cartoon of a woman eating a giant cupcake and has the slogan “Stuff Your Face. Lose Weight”.

Perhaps that’s the Holy Grail for many aspiring to lose weight, but of course it isn’t possible and would be very unhealthy if it were.

Your body needs nutritious food especially if you are restricting the calories, so using that calorie allowance on junk food would cause a range of health problems.

The scammer doesn’t worry about such things, as she has no weight loss method – except for reducing the size of your wallet or purse. The pages of the fake email end with a video that you must watch; she exhorts you to watch till the end, promising that you will immediately be dropping pounds afterwards.

No – it’s all just lies.

The scammer claims to be at least 5 years ahead of weight loss science. Nope – but perhaps destined for 5 years in prison when caught.



Surrey Scammer Caught

Thomas Proudfoot, 21, of Leatherhead in Surrey, pleaded guilty to computer misuse, money laundering and several counts of fraud following an investigation by the Dedicated Card and Payment Crime Unit (DCPCU), a specialist police unit funded by the banking and finance industry.

He was sentenced to 4 years and 8 months in prison and also received a Criminal Behaviour Order to prevent further fraud offences.

Proudfoot had been conducting scams based around Covid business grants.

He would send out scam text messages that offered victims Covid-19 grants and asked them to click a link to a fake website.

The website asked for the victim’s personal and financial details which he could then use to steal from them.

Proudfoot also designed software which he sold as a service to other fraudsters, the court heard.

He also admitted to hacking a private business website and providing other individuals with software to help them commit fraud offences.

The police found that he was selling methods to carry out smishing and phishing fraud, including possessing copies of fake web pages relating to Covid-19 and other organisations.

Detective Sergeant Ben Hobbs at the DCPCU said: “This sentencing is a warning to those who believe they can benefit financially from fraud that they will be caught and punished. The DCPCU will continue to clamp down on the criminal gangs seeking to use the pandemic to defraud people.”

Good riddance, at least for a while, to a thief targeting vulnerable people during the pandemic.

If you have any experiences with these scams, do let me know by email.
