Establish, implement, and maintain an anti-spam policy.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Privacy protection for information and data, CC ID: 00008

This Control has the following implementation support Control(s):
  • Refrain from sending unsolicited commercial electronic messages under predetermined conditions., CC ID: 13993
  • Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy., CC ID: 00284
  • Refrain from including misleading information in the e-mail header when transmitting electronic messages., CC ID: 00285
  • Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party., CC ID: 00286
  • Include contact information in commercial electronic messages., CC ID: 15457
  • Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver., CC ID: 00287
  • Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user., CC ID: 00288
  • Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails., CC ID: 00289
  • Define aggravated violations that relate to commercial electronic messages., CC ID: 00293
  • Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages., CC ID: 00294
  • Define who enforces the anti-spam policy., CC ID: 00295
  • Establish, implement, and maintain a do-not-e-mail registry., CC ID: 00297
  • Enter individuals into the do-not-e-mail registry upon request., CC ID: 11810
  • Refrain from using address-harvesting software to send unsolicited commercial e-mails., CC ID: 00298
  • Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses., CC ID: 00299
  • Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy., CC ID: 00300


  • the specified message includes such information and complies with such conditions as is or are specified in the regulations, if any; and (PART IX Division 3 Section 44 (1)(c), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and (§ 44.(c), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — (§ 43.(2)(b), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • Member States must ensure that free, unsolicited communications for direct marketing are prohibited without consent of the subscriber or when against the wishes of the subscriber who doesn't want to receive direct marketing, the option determined by national legislation. (Art 13.3, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
  • Using automated calling systems without human intervention for direct marketing, sending advertising materials, conducting market surveys, or interactive business communication will be allowed only with the user's consent. This also applies to electronic communications by e-mail, facsimile, MM. or S… (§ 130.1 thru § 130.3, Italy Personal Data Protection Code)
  • The control system shall provide the capability to prevent both transmission and receipt of general purpose person-to-person messages. ( ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Good privacy management is supported by the practice of effectively managing marketing lists and third-party vendor relationships. (§ 4.5 (Privacy Best Practices), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Online advertisers should accurately describe their business practices with regard to their use of unsolicited e-mail to customers. (Principle III.C, BBBOnline Code of Online Business Practices)
  • Organizational records and documents should be examined to ensure spam protection software is installed on servers, workstations, mobile devices, and entry and exit points to the system; the spam protection software checks unsolicited e-mail messages; the software is automatically updated; the syste… (SI-8, SI-8(1), SI-8(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)