Penetration testing involves a simulated malicious attack against an organisation’s defences. The results provide an insight into the way an attacker might exploit and leverage weaknesses, which in turn helps the organisation understand which areas it needs to improve.
Unlike other aspects of information security, penetration testing provides a practical, rather than theoretical, assessment of an organisation’s defences.
As such, it’s an essential requirement for all organisations – and this is particularly true if they intend to develop an ISO 27001-compliant ISMS (information security management system).
Control objective A12.6 of the Standard states:
[I]nformation about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
But what sort of information should a penetration tester be looking for? In this blog, we look at the risks it will help you identify and the way testing fits within your ISO 27001 compliance project.
What is the purpose of penetration testing?
Penetration tests often look for weaknesses that an attacker can exploit, such as unpatched software, poorly coded websites, insecure applications and poor employee habits such as creating weak passwords.
Identifying the nature and severity of these weaknesses enables you to make more accurate calculations when creating your risk assessment.
You will not only gain a clearer picture of the specific risks you face but will also gather information on the likelihood that they’ll occur and the damage they cause.
This also helps with the creation of a risk treatment plan. The information produced during the risk assessment will inform the risk score and therefore which security controls should be selected.
Penetration testing is also helpful as part of the ongoing continual improvement process. By repeating the test after controls have been implemented, you can determine whether they work as intended and spot any new vulnerabilities that appear.
Looking for more information?
You can find out more about this topic by reading Penetration Testing and ISO 27001 – Securing your ISMS.
This free green paper takes an in-depth look at the ways in which a penetration tester can help protect your organisation.
We explain how testing helps detect incidents, determine your response effort and inform your continual improvement process.