Controls

Controls before action.

PreCommit checks risky business email against recognised control principles and company policy before someone replies, approves, pays, changes details, signs, or commits.

These sources do not endorse PreCommit. They inform the controls we are building around email before action.

What this page explains

A source-informed control model

PreCommit is Email Risk Assessment before action.

PreCommit is not a suspicion engine. It is a control engine.

Examples are fixtures. Controls are the source of truth.

Source families

Recognised guidance informing the model

  • Business risk assessment practice
  • Information-security management and cyber-risk frameworks
  • AI risk-management frameworks
  • Business Email Compromise and payment-fraud guidance
  • Supplier and vendor bank-detail change controls
  • Email security, phishing, link, and attachment guidance
  • Company-specific policy and playbooks

Engine cycle

How the model applies controls

  1. What action is requested?
  2. What consequence could follow?
  3. Which public control applies?
  4. Which company control applies?
  5. Is the correct result Safe, Review, or Stop?
  6. What is the safest next step?
  7. What evidence belongs in Details?

Approved control source canon

Source families and what they inform

Source family

Business risk assessment practice

Examples:
HSE risk assessment practice, ISO 31000, NIST SP 800-30

What it informs:
action, consequence, and control-before-action discipline

How PreCommit uses it:
PreCommit uses this family as the plain risk-assessment spine for email before action.

What we do not claim:
PreCommit does not claim approval, certification, or compliance status from these sources.

Source family

Information-security management and cyber-risk frameworks

Examples:
ISO/IEC 27001, NIST Cybersecurity Framework, NIST SP 800-53

What it informs:
security governance, risk treatment, and repeatable control discipline

How PreCommit uses it:
PreCommit uses this family to shape consistent information-security and cyber-risk handling.

What we do not claim:
PreCommit does not claim ISO compliance, certification, or official endorsement.

Source family

AI risk-management frameworks

Examples:
NIST AI RMF, ISO/IEC 42001

What it informs:
managed AI risk, governance, oversight, and controlled improvement

How PreCommit uses it:
PreCommit uses this family to govern how its AI-enabled control model should change and be reviewed.

What we do not claim:
PreCommit does not claim AI certification, approval, or formal endorsement.

Source family

Business Email Compromise and payment-fraud guidance

Examples:
FBI BEC guidance, IC3 BEC guidance, NCSC phishing and business payment fraud guidance

What it informs:
verification, payment-diversion controls, and route-checking before consequential action

How PreCommit uses it:
PreCommit uses this family to shape payment, account-change, and impersonation controls.

What we do not claim:
PreCommit does not claim approval by FBI, IC3, or NCSC.

Source family

Supplier and vendor bank-detail change controls

Examples:
NHSCFA invoice and mandate fraud guidance, local government mandate-fraud controls, known-contact verification principle

What it informs:
hard-stop controls for supplier, bank-detail, and payment-destination changes

How PreCommit uses it:
PreCommit uses this family to shape independent verification before supplier or bank-detail changes.

What we do not claim:
PreCommit does not claim official accreditation or endorsement from these bodies.

Source family

Email security, phishing, link, and attachment guidance

Examples:
Google Workspace and Gmail phishing guidance, Google account safety guidance, Microsoft Defender Safe Links and Safe Attachments guidance, NCSC phishing guidance

What it informs:
official-route handling, link caution, credential protection, and attachment exposure

How PreCommit uses it:
PreCommit uses this family to shape route, link, credential, and attachment controls.

What we do not claim:
PreCommit does not claim approval by Google or Microsoft.

Source family

Company-specific policy and playbooks

Examples:
official routes, approved contacts, escalation owners, finance owners, legal reviewers, known informational senders

What it informs:
customer-specific refinement of public controls

How PreCommit uses it:
PreCommit uses this layer when company policy is safer or more specific than generic public guidance.

What we do not claim:
PreCommit does not assume missing company policy means an email is safe.

Control families

First-class control families in PreCommit

Experience layer

Learning does not outrank doctrine

Experience can help PreCommit identify recurring patterns and propose refinements, but it does not silently override approved controls. New controls or refinements must be reviewed, versioned, and tested before they affect live decisions.

Company policy layer

Company controls refine public guidance

Company policy can add official routes, approved contacts, escalation owners, legal reviewers, finance owners, operational owners, and known informational senders. Company policy can override public controls only when it is safer or more specific.

Important caveat

What PreCommit does not claim

PreCommit is not claiming certification, endorsement, or approval from any listed body. The listed sources inform the control model; they do not endorse the product.