
Penetration testing as a component for obtaining ISO 27001 certification

An essential component of ISO 27001 compliance (and potentially for achieving certification) is performing a penetration test. With penetration testing, organisations can effectively identify where to make improvements to the information security management system (ISMS), and it also forms part of an effective continual improvement regime.


Penetration testing is an essential component of any ISO 27001 ISMS, from initial development through to ongoing maintenance and continual improvement.

ISO 27001 control objective A12.6 (Technical Vulnerability Management) states that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”.


The importance of testing your ISMS

An ISMS is a set of policies and procedures for systematically managing an organisation’s sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by proactively limiting the impact of a security breach.

However, the evolving nature of IT means that new technical vulnerabilities are constantly appearing that could be exploited by attackers. Automated and indiscriminate attacks target identifiable vulnerabilities in hardware and software irrespective of the organisation. These vulnerabilities include unpatched software, inadequate passwords, poorly coded websites, rogue wireless access and insecure applications.


How does penetration testing fit into my ISO 27001 ISMS project?

Penetration testing helps identify vulnerabilities and provides detail about the vulnerability and associated threat, and includes guidance about appropriate remedial action. The identified threats and vulnerabilities will form a key input to your security (penetration) testing and ISO 27001 risk assessment, and the remedial steps will inform your selection of controls.

  • A penetration test contributes significantly to your ISMS project as part of the risk analysis process: vulnerabilities in web applications, internal systems and applications are exposed and related to identifiable threats.
  • As part of the risk treatment plan, it allows you to confirm that all implemented measures work as intended.
  • As part of continual improvement, it confirms that measures continue to work properly and that new and emerging threats and vulnerabilities are identified and corrected.


What will my service cover?

IT Governance’s testing portfolio covers a wide range of applications, networks and devices.

Our CREST-certified testers will test your network infrastructure and information systems to see how far an attacker would actually be able to progress within your cardholder data environment.

Once we have agreed a scope of work with you, we will agree detailed testing plans, taking into account your security objectives and your business, regulatory and contractual requirements.

Our professional testing team will then execute the agreed tests:

  • External tests, focusing on Internet-facing IP addresses, web applications and other such services.
  • On-site tests, focusing on the devices – including wireless devices – that make up your network, and the various applications and operating systems that run on them.
  • A review of the CDE to identify information that would be useful to a criminal hacker.
  • Manual tests to try to exploit the ISMS and gain user-level or privileged access.
  • Automated vulnerability scans.
  • Immediate notification of any critical vulnerabilities to help you take action fast.
  • A detailed technical report that identifies and explains the vulnerabilities (ranked in order of significance).
  • Recommended countermeasures to address any identified vulnerabilities.
  • An executive summary that explains what the risks mean in business terms.


Get in contact

We have a team of account managers and security consultants available to discuss your penetration testing challenges. For more information, please get in contact.
