Your ISMS is certified. Your Statement of Applicability covers the controls. Your auditor arrives and runs a DNS lookup on your domain.

```bash
dig _dmarc.yourdomain.com TXT +short
```

The output shows `p=none`. The auditor makes a note.

This is not a hypothetical. DMARC policy enforcement has become a standard ISMS audit check since ISO 27001:2022 made Annex A.5.14 — Information Transfer an explicit Annex A control for the first time. If your organization was certified against ISO 27001:2013 and has not reviewed email security controls since the transition to the 2022 standard, there is a material gap in your Statement of Applicability — whether or not the auditor has found it yet.

This guide maps every email and DNS security control to the specific Annex A clauses they satisfy, explains what auditors check and what they accept as evidence, and identifies the three findings that appear most frequently in ISMS email security reviews.…
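One way to run the auditor's check yourself before the audit, as an added example that is not part of the original article: it parses the TXT record that `dig _dmarc.<domain> TXT +short` returns and flags the conditions that surface as findings (`p=none`, a partial `pct`, a non-enforcing subdomain policy, no reporting address). The record strings in the test are constructed samples, and `example.com` is a placeholder domain.

```python
"""Assess a DMARC TXT record for policy enforcement the way an ISMS
auditor does. Added example, not code from the original article.
Feed it the string returned by `dig _dmarc.<domain> TXT +short`."""


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into lowercase tag -> value pairs.

    Accepts the quoted form dig prints and the bare form; the tag
    syntax (tag=value pairs separated by ';') follows RFC 7489."""
    txt = txt.strip().strip('"')
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # values such as mailto: URIs may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> dict:
    """Return {'policy', 'enforcing', 'findings'} for one DMARC record.

    'enforcing' is True only when the published policy actually applies:
    p=quarantine or p=reject, pct=100 (the default), and any explicit
    sp= tag also enforcing. A missing reporting address is recorded as a
    finding because it leaves no evidence trail, but does not by itself
    make the policy non-enforcing."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<absent>'} does not enforce")
    pct = tags.get("pct", "100")  # absent pct means 100 percent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    sub = tags.get("sp")  # subdomain policy inherits p= when absent
    if sub and sub.lower() not in ("quarantine", "reject"):
        findings.append(f"subdomain policy sp={sub} does not enforce")
    enforcing = not findings
    if not (tags.get("rua") or tags.get("ruf")):
        findings.append("no rua/ruf reporting address, so no evidence trail")
    return {"policy": policy, "enforcing": enforcing, "findings": findings}
```

A record that passes is `v=DMARC1; p=reject; rua=mailto:...`; the auditor's `p=none` case above comes back with `enforcing` False and the reason listed in `findings`.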