How does penetration testing fit in with your ISO 27001 ISMS project?

If you are about to start implementing an ISO 27001-compliant ISMS (information security management system), then you should probably know that there is a tight link between a successful ISMS implementation project and penetration testing.

An ISMS covers three key components: people, processes and technology. Of these, it is your information technology assets that may carry technical vulnerabilities an external attacker could exploit. Unpatched software, weak passwords and insecure applications are a few examples of vulnerabilities that can put your entire ISMS project at risk.

Penetration testing is vital to ensuring that your technology is secure.

Through manual testing and automated scans, a penetration test analyses the assets within the scope of your ISMS to identify existing vulnerabilities. A test report will provide detailed information about those vulnerabilities, the corresponding threats that could exploit them and guidance about appropriate remedial action. The identified vulnerabilities and threats can be included in your risk assessment, and the recommended remedial actions can help inform your selection of controls when it comes to risk treatment.

Penetration testing is essential to establishing an effective ISMS and is required at three different stages of the project:

  1. Risk assessment process
  2. Risk treatment plan
  3. Ongoing continual improvement processes

Download the green paper Penetration Testing and ISO 27001 to discover in detail how penetration testing fits in with your ISO 27001 ISMS project.