ISMS and Social Engineering

The human element is a key driver of 82% of information and IP breaches.  This emphasizes the importance of having a strong security awareness program.

Social engineering is used for a range of malicious activities through human interactions. It uses psychological manipulation to trick users into giving away sensitive information.

Social engineering attacks happen occur in one or more steps.  The perpetrator learns about the victim to gather background information, such as points of entry and weak security protocols. The attacker moves to gain the victim’s trust and provide positive reinforcement for further actions that break security.

The types of Social Engineering are:

  • Baiting
  • Phishing
  • Spear phishing
  • Scareware
  • Pretexting


These attacks use a false promise to entice a victim’s greed or curiosity. They lure the victim into a trap to steal personal information then inflicts their systems with malware.


These scams are email and text messages aimed at creating a sense of urgency, curiosity or fear. It then moves them into revealing sensitive information, clicking on links to malicious websites, or opening attachments containing malware.

Spear phishing

This is a more targeted version of the phishing scam. The attacker chooses specific individuals. They tailor the messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks and months to pull off. They’re much harder to detect and have better success rates if done skillfully.


Scareware involves bombarding the victim with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit or is malware itself.


The attacker starts by developing trust with the victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that required to confirmation of the victim’s identity, where they gather important personal data.


Experienced ISO 27001 Consultant

Most think information security is a technology problem to solve. Often we think anything pertaining to securing information or protection from cyber attacks is only for the I.T. team. Nothing could be further from the truth.

Every member of the organization is responsibility for carrying out the Information Security policies. All employees are a part of the ISMS. If you do not train them properly, your organization is open for exploit. Every employee is a vital part of your defense. They are also a significant vulnerability.

When looking for an ISO 27001 consultant it is critical that you find one with experience.  Our main ISO 27001 consultant has experience with the U.S. Armed Forces securing classified material.

From the International Standards Organization, “ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

In today’s world information and information system security can be as important as cash flow.  If you loose it, you could perish.

Contact us today.