Penetration testing and ISO 27001

There is a strong link between an ISMS implementation project and penetration testing, and the more you know about how penetration testing can benefit your ISMS implementation, the more successful your project can be.

An ISMS covers three main aspects of your organisation: people, processes and technology. Of these, technology requires particular attention because technical vulnerabilities affecting your information technology assets can be exploited by external attackers. These vulnerabilities – such as unpatched software, inadequate password and access control, and insecure applications – can put your entire ISMS project at risk of failure or increase the time and money spent on the project.

How penetration testing helps

Penetration testing is essential to ISMS success, and it’s most useful at three distinct stages in the project:

  1. Risk assessment
    Penetration testers use manual tests and automated scans to analyse the assets within the scope of your ISMS and identify their vulnerabilities. The test report will provide you with detailed information about these vulnerabilities together with guidance about how to remediate them. The report’s findings can then provide input for your risk assessment.
  2. Risk treatment plan
    The remedial actions suggested by penetration testers can help inform your selection of controls to manage and reduce risks.
  3. Continual improvement
    Periodic penetration tests will ensure that all controls continue to work as required and will also identify new vulnerabilities.

Download the green paper “Penetration Testing and ISO 27001 to discover in more detail how penetration testing fits into your ISMS project.

Leave a Reply

Your email address will not be published. Required fields are marked *