ISO 27001 Penetration Testing

IT Governance is a CREST member company with a distinguished history of providing best-practice vulnerability scanning and penetration testing services.

Counteract attacks before they happen with CREST- approved penetration testing

Your information technology assets are susceptible to numerous technical vulnerabilities, making them prime targets for external attacks.

Our penetration testing team will provide you with clarity and technical expertise, as well as peace of mind that your assets have been reviewed by experienced testers in line with your business requirements.

Why should you conduct a penetration test?

Automated and indiscriminate attacks target vulnerabilities in hardware and software irrespective of the type or size of organisation.

These vulnerabilities include unpatched software, inadequate passwords, poorly coded websites and insecure applications.

You should carry out a penetration test once you have identified the assets to be included in the scope of your ISMS (information security management system).

The test results will identify vulnerabilities in detail, together with the threats that can exploit them, and will usually also suggest appropriate remedial action.

The identified threats and vulnerabilities will then form a key input to your risk assessment, while the suggested corrective action will inform your selection of controls.

Why is penetration testing important for ISO 27001 compliance?

Penetration testing involves simulating a malicious attack against the security measures under test, often using a combination of methods and tools.

A certificated, ethical professional tester conducts the tests. Their findings provide a basis upon which security measures can be improved.

Penetration testing is an essential component of any ISO 27001 ISMS, from initial development to maintenance and continual improvement.

ISO 27001:2022 Annex A objective 8.8 (Management of technical vulnerabilities) states that “information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken”.

How does penetration testing fit into my ISO 27001 project?

Penetration testing is important at specific points in your ISMS project:

  • The risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
  • The risk treatment plan: ensuring that implemented controls work as designed.
  • Continual improvement processes: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.

Free PDF download: Penetration Testing and ISO 27001

Free PDF download: Penetration Testing and ISO 27001 – Securing
your ISMS

Download this free green paper to learn how penetration testing fits into an ISMS project. Understand the importance of testing to ISO 27001 risk assessments, how testing can demonstrate compliance with the Annex A controls and help continually improve your ISMS, and more.

Download now

How does IT Governance penetration testing work?

Once we have agreed on a scope of work with you, we will agree on detailed testing plans, considering your security objectives and your business, regulatory and contractual requirements.

Our professional testing team will then execute the agreed tests:

  • External tests, focusing on Internet-facing IP addresses, web applications and other such services.
  • On-site tests, focusing on the devices – including wireless devices – that make up your network, and the various applications and operating systems that run on them.

Once we have completed our tests, we will produce a detailed report that sets out our findings. This report will include an assessment of any vulnerabilities, and our recommendations for appropriate remediation.

Discover our full range of penetration testing services today

LEARN
FOR LESS
SAVE 25%