ISO 27001 Penetration Testing
IT Governance has a proven history of providing best-practice vulnerability scanning and penetration testing services, and we are also a CREST member company.
Below is a brief introduction to penetration testing, an explanation of how it relates to ISO 27001, and an overview of IT Governance’s products and services that can help you identify and resolve shortcomings in your information security, allowing you to achieve ISO 27001 certification and maintain compliance.
Speak to an expert
ISO 27001 and ISO 27002 2022 updates
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.
Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates
Download your copy of ISO 27001:2022 here
Download your copy of ISO 27002:2022 here
What is penetration testing?
Regardless of size, sector or location, every organisation is at risk of cyber attack. Penetration testing helps you stay on top of such risks by simulating malicious attacks against your systems to determine the adequacy of your security and its effectiveness to withstand actual threats. The resultant findings provided by a certificated ethical hacker provide you with a reliable basis from which to improve your security controls.
Click here to view our penetration packages »
Why should you conduct a penetration test?
In light of ISO 27001’s continual improvement requirement, penetration testing provides an effective method for regular review and maintenance. When this is considered in conjunction with the control objective in A12.6 (technical vulnerability management), which requires technical vulnerabilities to be identified and addressed in a timely fashion, penetration testing becomes an essential component of your ISMS (information security management system).
You should carry out a penetration test after you have established all information assets within scope of your ISMS. Attacks are typically automated and indiscriminate – targeting vulnerabilities in hardware and software (such as unpatched software, inadequate passwords, insecure applications, etc.) in order to mount the attack. Conducting a penetration test allows you to identify these vulnerabilities along with the threats that might exploit them. This information can then be used to inform your risk assessment and determine a suitable mitigating action for the identified weaknesses in your ISMS.
How does penetration testing fit into my ISO 27001 project?
While you are entitled to conduct a penetration test at any time, there are three specific points in your ISMS project where it makes a material difference. These are:
- As part of the risk assessment process - identifies vulnerabilities in Internet-facing IP addresses and applications, as well as in your internal devices and applications, linking them to identifiable threats.
- As part of the risk treatment plan - ensures that the implemented security controls actually function as intended.
- As part of the ongoing continual improvement process – ensures that the implemented security controls continue to function as intended, and that new threats and vulnerabilities are identified and mitigated.
How does IT Governance penetration testing actually work?
We first agree the scope of work with you before determining detailed testing plans, taking into consideration your security objectives along with your business, regulatory and contractual requirements.
Our expert testing team can perform the following tests:
- External – testing your Internet-facing IP addresses, web applications and other similar services.
- Internal – testing your devices (including your wireless devices) on-site that comprise your network and the different applications and operating systems running on it.
The exact penetration test will be agreed in advance. After conducting the test, we will provide you a detailed, written report that clearly outlines our findings, along with an assessment of each vulnerability’s severity and our recommendations for appropriate mitigation.
Speak to an expert
Please contact our team for advice and guidance on our ISO 27001 and Pentration Testing products and services.