Penetration testing as a component for obtaining ISO 27001 certification
An essential component of ISO 27001 compliance (and potentially for achieving certification) is performing a penetration test. With penetration testing, organisations can effectively identify where to make improvements to the information security management system (ISMS), and it also forms part of an effective continual improvement regime.
Penetration testing is an essential component of any ISO 27001 ISMS, from initial development through to ongoing maintenance and continual improvement.
ISO 27001 control objective A12.6 (Technical Vulnerability Management) states that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”.
The importance of testing your ISMS
An ISMS is a set of policies and procedures for systematically managing an organisation’s sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by proactively limiting the impact of a security breach.
However, the evolving nature of IT means that new technical vulnerabilities are constantly appearing that could be exploited by attackers. Automated and indiscriminate attacks target identifiable vulnerabilities in hardware and software irrespective of the organisation. These vulnerabilities include unpatched software, inadequate passwords, poorly coded websites, rogue wireless access and insecure applications.
How does penetration testing fit into my ISO 27001 ISMS project?
Penetration testing helps identify vulnerabilities, provides detail about each vulnerability and its associated threat, and includes guidance on appropriate remedial action. The identified threats and vulnerabilities form a key input to your security (penetration) testing and ISO 27001 risk assessment, and the remedial steps inform your selection of controls.
- A penetration test contributes significantly to your ISMS project as part of the risk analysis process. Vulnerabilities in web applications, internal systems and applications are exposed and related to identifiable threats.
- As part of the risk treatment plan, it allows you to verify that all implemented measures work as intended.
- As part of continual improvement, it ensures that measures keep working properly and that new and emerging threats and vulnerabilities are identified and corrected.
Speak to an expert
For more information and guidance on penetration testing or the packages IT Governance offers, please contact our experts, who will be able to discuss your organisation's needs further.