How Penetration Testing can assist your ISO 27001 project
ISO 27001 is one of the best-known management standards in the world, and it is becoming a common feature on many new supplier forms. Implementing ISO 27001 allows organisations to confidently say they have an Information Security Management System (ISMS) made up of a series of processes, documents, technology and people that is aligned to industry best practice.
The core element of any ISO 27001 compliant ISMS is a risk assessment tailored to the organisation. This is why there is often a strong link between implementing an ISO 27001 compliant ISMS and penetration testing.
How can Penetration Testing help?
To successfully implement an ISO 27001 compliant ISMS, an organisation needs to take into account and satisfy the controls set out by the standard; some of these controls can be satisfied by carrying out a Penetration Test.
Meet Control A.12.6.1 - Management of technical vulnerabilities
Annex A.12.6 of ISO 27001 is aimed at technical vulnerability management; the objective here is to prevent the exploitation of technical vulnerabilities.
Control A.12.6.1 of this Annex states that your organisation must gather all information about technical vulnerabilities present in your infrastructure in a timely manner. The risk posed by these vulnerabilities needs to be thoroughly evaluated and appropriate measures put in place to address the associated risks.
In some cases, an automated vulnerability scan can meet the requirements of control A.12.6.1. Nevertheless, it is recommended that organisations carry out a Penetration Test. Penetration testing offers an in-depth analysis of security controls as well as an easy-to-read, detailed report on all vulnerabilities and the level of risk they pose to your organisation.
Meet Control A.18.2.3 - Technical Compliance Review
Control A.18.2.3 is often the first time an organisation has to implement a plan for regular penetration tests. This control states that information systems should be regularly reviewed to ensure that compliance with your organisation's ISMS is being maintained. Organisations are encouraged to carry out a level of compliance testing that is adequate for their own requirements.
If you also take Control A.18.2.1 into consideration when implementing a testing plan, which states the need for a regular independent review of your infrastructure, then it is fair to assume that having a third-party organisation carry out an independent security review is the most effective way to meet these requirements.
If you are currently implementing ISO 27001 or preparing for an upcoming certification audit and want to ensure your security controls and procedures are sufficient, please reach out.
Our team is happy to discuss the benefits of penetration testing with regard to your ISO 27001 project, or any other project for that matter. You can contact us at firstname.lastname@example.org or over the phone on 00353 (0) 1 517 6200.
All of Secora Consulting's assessments are tailored to our clients' needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.