Penetration Testing

Penetration testing, also referred to as ‘pen testing’, is an effective method of determining the security of your networks and web applications, helping your organisation to identify the best way of protecting its assets.

Understanding the vulnerabilities you face allows you to focus your efforts, rather than using broad methods that may need heavy investment without a guarantee that the vulnerabilities in your systems have been addressed.


What is penetration testing?

Penetration testing is a systematic process of probing for vulnerabilities in your applications and networks. It is essentially a controlled form of hacking in which the ‘attackers’ operate on your behalf to find the sorts of weaknesses that criminals exploit.

The process of penetration testing involves assessing your chosen systems for any potential weaknesses that could result from poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

An experienced penetration tester can mimic the techniques used by criminals without causing damage. These tests are usually conducted outside business hours or when networks and applications are least used, thereby minimising the impact on everyday operations.


What are the different types of penetration testing?

Why is penetration testing important?

Regular penetration testing can significantly reduce the risks your business faces. It is deemed best practice and will also help you comply with standards, frameworks, legislation and other business requirements.


Penetration testing for compliance

Our expertise in standards such as the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, the General Data Protection Regulation (GDPR) and ISO 9001 means we can offer an integrated approach, and can develop suitable solutions that will help you to reduce your risks and ensure compliance with standards, frameworks, legislation and other business requirements.


ISO 27001 control objective A12.6

Penetration testing is valuable at various stages of implementing and maintaining an ISO 27001-compliant information security management system (ISMS), from initial development through to continual improvement.

ISO 27001 control objective A12.6 (Technical vulnerability management) states that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”. Penetration testing can make a significant contribution to your ISMS project as part of:

  • The risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats;
  • The risk treatment plan: making sure that controls actually work as designed; and
  • Ongoing continual improvement processes: making sure that controls continue to work as needed and that new and emerging threats and vulnerabilities are identified and dealt with.


Requirement 11 of the PCI DSS

PCI compliance, especially for Reports on Compliance and some self-assessment questionnaires, requires internal and external vulnerability scans, and frequent penetration tests.

PCI DSS requirement 11.3 addresses penetration testing, which should include network and application layer testing, as well as controls and processes around the networks and applications, and should be conducted from outside and inside the network. The goals of penetration testing in this case are to:

  • Determine whether and how a malicious user could gain unauthorised access to assets that affect the fundamental security of the system, files, logs and/or cardholder data; and
  • Confirm that the controls required by the PCI DSS are in place and effective.



When should you consider carrying out a penetration test?

  • You are concerned about security attacks on other, similar organisations.
  • You are using a greater number of outsourced services.
  • You are introducing significant changes to operational processes.
  • You are developing business applications or IT infrastructure.
  • You need an independent assessment because of legal/regulatory or customer requirements.


Advantages of completing a penetration test

By implementing a regular penetration testing regime, you can continually measure and improve the security performance of your systems and networks.

  • Accurately evaluate your organisation’s ability to protect itself.
  • Get detailed information on actual, exploitable security threats.
  • More intelligently prioritise remediation, apply necessary security patches and allocate security resources.

Businesses are exposed to a host of potential threats, and each threat may be able to exploit any of hundreds of vulnerabilities. Such vulnerabilities leave systems open to potentially devastating attacks, such as SQL injection. Things as apparently benign as error pages can give attackers enough information to exploit a less obvious and much more harmful vulnerability.

Taken on their own, small vulnerabilities may appear negligible, but hackers often seek out these weaknesses and chain them into intrusion sequences, prying open minor security gaps until they become much larger weaknesses. These gaps are often overlooked by the company or by automated security systems, but pen testers will be able to identify such points of entry by replicating hackers’ methods.

The final step of a penetration test is reporting the vulnerabilities. Unlike automatically generated reports from tools that offer generic remediation tips, penetration test reports can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.

Why IT Governance for penetration testing?

IT Governance is a CREST-accredited provider of security penetration testing services. Our services help organisations of all sizes to effectively manage cyber security risk by identifying vulnerabilities that could lead to infrastructure, applications, wireless networks and people being attacked.

Our penetration testing team is able to support your organisation and develop your cyber assurance strategy as part of a mature risk management strategy. The benefits:

  • CREST-certified penetration testing team.
  • Experienced across a diverse set of disciplines (web apps, servers, firewalls, Wi-Fi).
  • Expertise in standards such as the PCI DSS, ISO 27001, the GDPR and ISO 9001.
  • Testimonials across different industries and customers.
  • Sample reports available.

Speak to an expert

Please contact us for further information or to speak to an expert.