ISO 27001, published by the International Organization for Standardization, is a standard that governs cybersecurity, or more precisely information security management systems (ISMS), within your own business and among your third parties. Being certified as ISO 27001-compliant requires a thorough analysis and testing of the systems being certified, their functionality, and their capabilities.

One of the requirements of ISO 27001, specifically control A.12.6.1 of Annex A of ISO 27001:2013, is that an organization identify and address technical vulnerabilities before they can be exploited. Below, we address some of the frequently asked questions regarding ISO 27001 as it relates to penetration testing.

Does ISO 27001 require penetration testing?

For systems with standard functionality and common architectures, you may be able to fulfill this requirement with only a vulnerability assessment or analysis. For more complex systems such as custom web applications, however, penetration testing will be required to confirm that your security posture is where it needs to be.

Commonly available scanning tools, even those specifically designed for web applications, are often ineffective at identifying vulnerabilities such as broken access controls, business logic abuse, impersonation attacks, or other non-standard, functionality-specific weaknesses, because these flaws depend on how the application is meant to behave rather than on a known signature. For such systems, penetration testing is a must.

What is penetration testing?

Penetration testing is a critical risk management tool, alongside vulnerability scanning and security testing. "Pen testing" helps to mitigate cyber risk by simulating malicious attacks and data breaches through ethical hacking, in order to determine whether your incident response and data security controls are adequate, functioning properly, and able to withstand a breach.

During the pen test, security experts exploit security vulnerabilities in a simulated environment so that you can remediate them through improved security measures (typically through a combination of tools and a business continuity plan).

What are the ISO 27001 penetration testing requirements?

ISO control A.12.6.1 of Annex A of ISO 27001:2013 (a.k.a. Technical Vulnerability Management) states: “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.”

Penetration testing satisfies these requirements by providing a gap analysis based on a simulated malicious attack. It should be conducted by certified professionals who offer penetration testing services, and it should produce findings that can serve as the basis for improvements to your existing security standards.

How does penetration testing actually work?

You will develop a scope with your pen tester that covers your security objectives, testing plans, and any regulatory or contractual requirements for your business.

Testing may include external tests that look for exposed IP addresses and services, web application vulnerabilities, and more. It may also include internal tests that analyze your network devices and operating systems and detect internal vulnerabilities such as weak passwords, outdated software, poorly coded websites, and insecure applications.

Once testing is complete, post-mortem analysis can begin by reviewing documented vulnerabilities and details, assessing the severity of potential threats, considering your pen tester’s recommendations, and charting a path for remediation.

How frequently should you do ISO 27001 penetration testing?

Penetration testing is a critical element for any ISO 27001-compliant IT system, so testing should be done throughout your system's lifecycle: from the initial planning of your system through execution, and continually as part of your standard maintenance program.

Information technology assets have inherent technical vulnerabilities that need continuous monitoring and improvement, because attackers innovate just as quickly as defenders do. Cybercriminals regularly find new ways to penetrate previously rock-solid security measures.

Penetration testing should occur as soon as you have pinpointed the assets that are to be included in the scope of your risk assessment and testing agreement. During post-mortem analysis, you and your testing partner should also determine an appropriate frequency for re-testing in the future.

Getting started with ISO 27001 Vulnerability Management

Many of today's tools can simplify and automate vulnerability management, but they may still be ineffective at identifying vulnerabilities such as broken access controls, business logic abuse, impersonation attacks, or other non-standard, functionality-specific weaknesses.

ZenGRC works with other tools and technologies to collect and store data on your vulnerabilities and works as a penetration tester by telling you what’s needed to resolve the vulnerabilities. It tracks tasks so you always know what’s being done and by whom; shows your compliance (including for ISO certification) and risk management posture on user-friendly dashboards; allows unlimited self-audits in a few clicks, and much more.

Worry-free cybersecurity risk management is the Zen way. Contact us today for your free consultation.