ISO 27001 Penetration Testing

IT Governance is a CREST member company with a distinguished history of providing best-practice vulnerability scanning and penetration testing services.

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please see our ISO 27001 and ISO 27002: 2022 updates page.


Why is penetration testing important for ISO 27001 compliance?

Effective penetration testing simulates a malicious attack against the security measures under test, often using a combination of methods and tools, and is conducted by a certified, ethical professional tester. The resulting findings provide a basis on which security measures can be improved.

Penetration testing is an essential component of any ISO 27001 Information Security Management System (ISMS), from initial development through to ongoing maintenance and continual improvement.

ISO 27001 control objective A12.6 (Technical Vulnerability Management) states that 'information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk'.


Why should you conduct a penetration test?

The nature of information technology assets means they may have many technical vulnerabilities that could be exploited by external attacks. Automated and indiscriminate attacks target identifiable vulnerabilities in hardware and software irrespective of which organisation owns them. These vulnerabilities include unpatched software, weak passwords, poorly coded websites and insecure applications.

The logical point at which you should carry out a penetration test is once you have identified the assets that are to be included in the scope of your ISMS. The penetration test results will identify vulnerabilities in detail, together with the threat that can exploit them, and will usually also identify appropriate remedial action. The identified threats and vulnerabilities will then form a key input to your risk assessment, while the identified remedial action will inform your selection of controls.

How does penetration testing fit into my ISO 27001 project?

There are specific points in your ISMS project at which penetration testing has a significant contribution to make:

  • As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
  • As part of the risk treatment plan, ensuring that controls which are implemented actually work as designed.
  • As part of the ongoing continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

Free PDF download: Penetration Testing and ISO 27001 – Securing your ISMS

Download this guide to discover the importance of penetration testing to ISO 27001 risk assessments, how penetration testing can demonstrate compliance with half the controls in Annex A, and how penetration testing can be used for the continual improvement of your ISMS.

How does IT Governance penetration testing actually work?

Once we have agreed a scope of work with you, we will agree detailed testing plans, taking into account your security objectives, and your business, regulatory and contractual requirements.

Our professional testing team will then execute the agreed tests:

  • External tests, focusing on internet-facing IP addresses, web applications and other such services.
  • On-site tests, focusing on the devices – including wireless devices – that make up your network, and the various applications and operating systems that run on them.

Once we have completed our tests, we will produce a detailed and documented report that clearly sets out what we have found together with an assessment of its severity, and our recommendations for appropriate remediation.
