ISO 27001, published by the International Organization for Standardization (ISO), is a set of standards to govern cybersecurity and information security management systems (ISMS) within your business and among your third parties. Being certified as ISO 27001-compliant requires a thorough analysis and testing of your IT systems’ functionality and capabilities.

One requirement of ISO 27001 – specifically, control A.12.6.1 of Annex A of ISO/IEC 27001:2013 – is that an organization prevent potential vulnerabilities from being exploited; that means (among other things) running penetration tests on your network to see how well your defenses do or don’t work. Below, we address some frequently asked questions about ISO 27001 and penetration testing.

What Is ISO 27001 and Why Is it Important?

ISO 27001 is formally known as ISO/IEC 27001: Information Technology, Security Techniques, Information Security Management Systems Requirements.

Published by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC), ISO 27001 is a leading international standard for information security. It offers a path to help enterprises of any size or sector protect their information, both methodically and affordably.

The standard does more than give businesses the knowledge they need to protect their most precious data. A business that certifies its compliance with ISO 27001 demonstrates to potential clients and business partners that it is committed to securing its data. (Individuals can show their qualifications to future employers by becoming ISO 27001-certified through a course, an exam, and a certification audit.)

The benefits of ISO 27001 are far-reaching. It is an international, widely accepted standard, which expands the commercial potential for businesses and individuals. You need to renew your ISO 27001 certification every three years, showing stakeholders and interested parties that your management system continues to meet a robust standard.

Does ISO 27001 Require Penetration Testing?

The short answer is both yes and no. For systems with standard functionality and common architectures, you may be able to fulfill this requirement with only a vulnerability assessment or analysis. For more complex systems such as custom web applications, however, penetration testing will be required to assure your security posture is sufficient for data protection and guarding against cyberattacks.

Standard scanning tools (even those specifically designed for web applications) may be ineffective at identifying vulnerabilities such as broken access controls, business logic abuse, impersonation attacks, or other non-standard, functionality-specific vulnerabilities. So under numerous circumstances, penetration testing is necessary to verify all information security aspects.

What Is Penetration Testing?

Penetration testing is a critical risk management tactic alongside vulnerability scanning and security testing. “Pen testing” simulates malicious attacks and data breaches through ethical hacking to determine whether your incident response and information security controls are adequate, functioning correctly, and able to withstand a cyberattack.

During the pen test, information security experts exploit security vulnerabilities in a controlled engagement so that you can remediate them through improved security measures (typically a combination of tools and business continuity management).

What Are the Types of Penetration Testing?

Given that engagements vary in emphasis, depth, and duration, it’s critical to be aware of the different types of penetration testing before choosing to implement them into your risk management process. The following are typical ethical hacking projects:

Internal and External Infrastructure Testing for Vulnerabilities

A thorough review must be conducted of the network infrastructure, including routers, switches, and system hosts, both on-premises and in the cloud.

You may implement internal penetration tests concentrating on resources inside the business network and external penetration tests focusing on infrastructure accessible over the internet. You must know the number of sites, network subnet size, and internal and external IP addresses to scope a test accurately.

Testing for Wireless Penetration

Wireless penetration tests target business wireless local area networks (WLANs) as well as the Bluetooth, ZigBee, and Z-Wave wireless protocols. They help locate rogue access points, encryption flaws, and Wi-Fi Protected Access (WPA) vulnerabilities.

The number of wireless and guest networks, locations, and distinct service set identifiers (SSID) must be evaluated to scope an engagement.

Testing Web Applications

Web application testing examines websites and bespoke web applications to find code, design, and development errors that could be maliciously exploited. Determine the number of applications that require testing and the number of static pages, dynamic pages, and input fields that need to be evaluated before implementing test procedures.

Testing Mobile Applications

Testing mobile apps on different operating systems, such as iOS and Android, helps find problems with session handling, data leakage, authentication, and authorization. Testers need to know the operating system types and versions and the number of application programming interface (API) calls. In addition, the jailbreak and root detection specifications are necessary to scope a test.

Review of Build and Configuration

A review of network builds and settings is necessary to find misconfiguration errors in web and app servers, routers, and firewalls. To properly scope this engagement, it is essential to know how many builds, operating systems, and application servers are going to be examined.

Social Engineering

Evaluate your employees’ capacity to recognize and respond to email phishing attempts. Simulated targeted phishing, spear phishing, and business email compromise (BEC) campaigns give you detailed information about how exposed the organization is to these threats.

White Box Testing

White-box penetration testing (sometimes also known as crystal-box or clear-box pen testing) gives the tester advance knowledge of how the network operates, so he or she can test systems more directly. The tester typically has all network and system details, including network maps and passwords, which saves time and lowers the total engagement cost. In addition, a white-box penetration test helps simulate a targeted assault by using as many attack paths as feasible on a particular system.

Black Box Testing

In a black-box penetration test, the tester receives no information; instead, the tester mimics an unprivileged attacker’s strategy from initial access and execution until exploitation. This is the most realistic scenario, since it shows how an opponent without inside information would target and compromise an organization. It is also the most time-consuming and costly method.

Gray Box Testing

Only a small amount of information (typically login credentials) is disclosed to the tester for a gray-box test, also called a transparent box test. Gray-box testing mimics an insider threat, or an attacker who has already breached the network perimeter, to determine the degree of access and the potential harm a privileged user could cause. Gray-box tests strike a balance between depth and efficiency.

What Are the ISO 27001 Penetration Testing Requirements?

Annex A of ISO 27001:2013 (specifically, control A.12.6.1) states: “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.”

Penetration testing satisfies these requirements by providing a gap analysis via a simulated malicious attack. It should be conducted by certified professionals who offer penetration testing services. Nonconformity findings provide the basis for corrective actions to improve your existing information security standards.

How Does Penetration Testing Work?

You will develop a scope with your pen tester that covers your security objectives, testing plans, and any regulatory or contractual requirements for your business.

Testing may include external tests to detect IP address issues, web application vulnerabilities, and more. It may also include internal testing measures that analyze your network devices and operating systems and detect internal vulnerabilities, such as weak passwords, outdated software, poorly coded websites, and insecure applications.

Once testing is complete, the tester and client company conduct a post-mortem analysis by reviewing documented vulnerabilities and details, and assessing the severity of potential threats. You can then consider your pen tester’s recommendations and chart a path for corrective actions to drive continual improvement.

Penetration testing can be broken down into five stages:

Preparation and Research

The first stage is establishing the scope and objectives of a test, along with the systems to be tested and the testing techniques to be applied.

This stage also collects information (such as network and domain names, mail servers, and so forth) to learn more about a target’s operations and potential weaknesses.

Scanning

The next step is to learn how the target application will react to different intrusion attempts. Usually, this is accomplished using:

  • Static analysis. Analyze the source code of a program to predict how it will function when executed. These tools can scan the entire code in a single pass.
  • Dynamic analysis. Examine the code of a running application. This scanning is more helpful since it gives a real-time picture of an application’s functionality.

Obtain Entry

This step involves identifying a target’s weaknesses via web application assaults such as cross-site scripting, SQL injection, and backdoors. To understand the harm these vulnerabilities may do, testers attempt to exploit them, often by elevating their privileges, stealing data, and intercepting communications.
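The SQL injection weakness named above is the kind of finding a tester reports at this stage, together with the fix. The following is an added illustration, not code from the original article: it builds a constructed in-memory SQLite user table and contrasts a login query assembled by string formatting with the same query written with bound parameters, so the remediation (parameterization) is shown beside the defect it corrects. All names and sample data are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the article).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Defective version: user input is spliced into the SQL text, so it
    can change the query's grammar instead of being treated as data."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_hardened(conn, username, password):
    """Remediated version: the driver binds the values as parameters, so
    quotes or operators inside the input never reach the SQL parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run both variants against a valid login and a classic tautology
    probe, returning the rows each one matched for comparison."""
    conn = make_db()
    probe = "' OR '1'='1"  # textbook injection string used in scanners
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_probe": login_vulnerable(conn, probe, probe),
        "hardened_valid": login_hardened(conn, "alice", "s3cret"),
        "hardened_probe": login_hardened(conn, probe, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant matches every user when given the probe, because the injected `OR '1'='1'` becomes part of the WHERE clause; the parameterized variant matches nothing, since no account literally has that string as its username. A tester's report would list the first query as the exploited flaw and the second as the corrective action.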

Maintaining Access

This stage’s aim is to determine whether the flaw can be used to establish a persistent presence in the exploited system – long enough for a malicious actor to obtain in-depth access. This imitates sophisticated, continuous attacks that aim to steal a company’s most sensitive data; some may stay in your system for months.

Analysis and Reporting

The penetration test findings are then put into a report with the following information:

  • Certain flaws that were exploited
  • Sensitive data that could be accessed
  • Technical risk briefing
  • Advice for corrective actions
  • Strategic recommendations

What Are the Benefits of Penetration Testing?

Penetration testing is essential for various reasons, well beyond simply following compliance obligations. Look at these four advantages that penetration testing may provide for you.

Manage Vulnerabilities Wisely

To make sense of data security, penetration tests often happen in conjunction with a vulnerability scan. This allows your business to prioritize the top security issues and better coordinate your security policies. In addition, the data you obtain from the pen test will allow you to deploy security resources more wisely, prioritize remediation, and install required security fixes.

With this information, you can more skillfully address any vulnerabilities that may be present and address those that may cause more severe issues. Knowing this and using it to your advantage can help close the security gap between your company and malicious actors, giving you greater control over your security posture.

Save Money by Avoiding Network Outages

System breaches can cause all manner of unexpected and unwanted costs: remediation costs, legal costs from regulatory investigations, possible monetary penalties from regulators; plus lost revenue from systems being off-line or would-be customers deciding not to do business with an organization that has poor cybersecurity.

Penetration testing helps companies avoid those headaches by helping you answer questions such as:

  • How much harm was caused?
  • How long will it take to correct the situation and ensure that enemies haven’t advanced via your network?
  • What impact will this have on the business’s operations? Fixing the problem swiftly and securing the business so that everything can start working again can be challenging.

Observe Regulations and Stay Out of Trouble

Penetration testing is one of many tools to help maintain compliance with various regulations and frameworks. You may avoid paying potentially steep fines by conducting penetration tests on your systems. And while you are saving yourself from fines, it is still advisable to go beyond “check the box compliance” to protect your firm and promote growth.

Maintain the Goodwill of Your Customers and the Reputation of Your Business

No business wants unflattering media headlines about a data breach. Protecting your data and avoiding data breaches are imperative to protect the reputation of your business and maintain customer goodwill.

Active security policies and testing demonstrate that you care about the security of the individuals you work with and speak loudly to stakeholders. It also creates a culture of cyber-hygiene and accountability among employees.

How Frequently Should You Do ISO 27001 Penetration Testing?

Penetration testing is a critical element for any ISO 27001-compliant IT system, so testing should be done throughout your system’s lifecycle – from initial planning to execution, and continually as part of your standard maintenance program.

Information asset management has inherent technical vulnerabilities that need continuous monitoring and improvement because, just as innovation increases, criminal innovation does too. As a result, cybercriminals regularly find new ways to penetrate rock-solid security measures.

Penetration testing should occur as soon as you have pinpointed the assets that are to be included in your risk assessment and testing agreement. During post-mortem analysis, you and your information security experts should also determine an appropriate frequency for re-testing in the future.

Automate ISO 27001 Vulnerability Management with Reciprocity ZenRisk

Reciprocity ZenRisk is a suite of integrated cybersecurity risk management software. It is a turnkey solution for quick implementation. The content library is preloaded with various frameworks and templates, making ISO certification a breeze. Evidence cross-mapping enables you to fulfill requirements for various frameworks simultaneously, including NIST and GDPR.

Reciprocity ZenRisk features automated workflows and task tracking to eliminate manual follow-ups. User-friendly dashboards provide visibility to vulnerabilities and internal audits can be performed in just a few clicks. This way you know where to focus your resources.

Worry-free cybersecurity risk management is the Zen way. Contact us today to schedule a demo!