

ISO 27001 Pen Testing

IT Governance has a distinguished history of providing penetration testing services that test the security of your networks and applications, whilst retaining a broad vision of your business and security objectives. We follow best-practice guidelines and produce results that your business can use to build on and move forward.

This page provides a quick introduction to the concept of penetration testing, along with an overview of the products and services we can offer you to help you find and fix the gaps in your security.

What is Penetration Testing?

Cyber attacks are a risk for every business, whatever its size. Penetration testing establishes whether your internet-facing security measures will actually withstand an external attack, and whether they are adequate and functioning correctly.

Effective penetration testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certified, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved.

To view our penetration packages click here

Email one of our security services team to discuss ISO 27001 Pen Testing, or call us on 0845 070 1750.

Why should you conduct a Penetration Test?

Regular, well-executed penetration testing of your systems is the most direct way of establishing whether your networks and applications are genuinely secure against today's automated cyber attacks.

Penetration testing is also an essential component of any ISO 27001 ISMS - from initial development through to ongoing maintenance and continual improvement. As set out in ISO 27001, control objective A.12.6 requires the management of technical vulnerabilities, and states that "information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk."

Information technology assets inevitably carry technical vulnerabilities that may be exploited by external attacks. Many of these attacks are automated and indiscriminate, targeting identifiable vulnerabilities in hardware and software irrespective of which organisation has them. Typical vulnerabilities include unpatched software, weak passwords, poorly coded websites and insecure applications.

The logical point at which to carry out a penetration test is once you have identified the assets that are to be included in the scope of your ISMS. The penetration test results will identify vulnerabilities in detail, together with the threats that can exploit them, and will usually also identify appropriate remedial action. The identified threats and vulnerabilities then form a key input to your risk assessment, while the identified remedial action informs your selection of controls.


How does Penetration Testing fit into my ISO 27001 project?

There are specific points in your ISMS project where penetration testing has a significant contribution to make as part of:

  • the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
  • the Risk Treatment Plan, ensuring that controls that are implemented do actually work as designed.
  • the ongoing corrective action/preventive action (CAPA) and continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.


How does the ITG Security Testing Ltd service actually work?

Once we have agreed a scope of work with you, we will then agree detailed testing plans in the light of your security objectives, taking into account your business, regulatory and contractual requirements.

Our professional testing team will then execute the agreed tests; these typically comprise:

  • External tests, focusing on internet-facing IP addresses, web applications and other such services; and
  • On-site tests, focusing on the devices – including wireless devices - that make up your network, and the various applications and operating systems that run on them.

Once we have completed our tests, we produce a detailed, documented report that sets out clearly what we have found, together with an assessment of the severity of each finding, and we then recommend appropriate remediation action.

