Pen Testing – an important component of your ISO27001 ISMS project


Ely, England, 7 March 2012 – Cyber attacks are a risk for every business, whatever its size. Penetration Testing establishes whether your internet security will actually withstand external threats, and whether it is adequate and functioning correctly.

Effective Penetration Testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certificated, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved.

Alan Calder, CEO of IT Governance, says, “With the ever-increasing risk of external attacks to websites, the continual enhancements and upgrades to a system over time, and the continual discovery of new vulnerabilities and security holes, organisations need to conduct external penetration tests at least annually. If companies have £2000 remaining budget to spend on information security until the end of the financial year, they should spend it on pen testing.”

Penetration testing is also an essential component in any ISO 27001 ISMS - from initial development through to ongoing maintenance and continual improvement. As stated in ISO 27001, clause 4.2.1 d: ‘... you must identify threats to the assets within the scope of the ISMS, and the vulnerabilities which those threats might exploit.’

There are specific points in your Information Security Management System (ISMS) project where penetration testing has a significant contribution to make:

  • As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
  • As part of the Risk Treatment Plan, ensuring that controls that are implemented actually work as designed.
  • As part of the ongoing corrective action/preventive action (CAPA) and continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

IT Governance Ltd, the global leader in ISO 27001 and information security products and services, offers fixed-price penetration testing packages which are designed to simplify security testing. Organisations can save £1000 if they book a Penetration Testing Standard Package or a Web Application Testing Package before the end of March.

Both the Penetration Testing Standard Package and the Web Application Testing Package include a comprehensive report identifying vulnerabilities and recommended remedial activity. They are suitable for small companies with up to 20 externally facing IP addresses and up to four internal services running in a single organisation. One of the biggest benefits to organisations is that they can agree the scope of testing delivered for known and fixed benefits. The packages are available for a limited time only at the special price of just £1,950 each.

To book online go to and you can also contact the friendly, helpful IT Governance service centre team on telephone number +44 (0)845 070 1750. Larger organisations can purchase penetration testing packages with a Purchase Order either by telephone or by email to
