ISO 27001 is a leading international Information Security Management Systems (ISMS) standard. Achieving ISO 27001 compliance demonstrates to clients that your organization takes data protection seriously and has a secure ISMS. In 2022, the standard underwent a significant update, moving from ISO27001:2015 to ISO27001:2022 and introducing new controls.
To achieve or maintain ISO 27001 compliance, several mandatory controls, including annual penetration testing, are referenced in sections A.5.36 and A.8.8. Both ISO 27001:2015 and ISO 27001:2022 require an external third party to perform penetration testing. This article will discuss the requirements for satisfying the penetration testing control outlined in ISO 27001.
In essence, ISO 27001 mandates penetration testing for all external systems. Vulnerability scans can serve as alternatives for systems that hold non-sensitive data, but for custom-made applications, especially for SaaS companies, a penetration test is necessary to obtain a report that highlights the results of the assessment.
You may be curious about the distinction between vulnerability scans and penetration tests. Simply put, vulnerability scans are automated tools that use computer logic to detect application vulnerabilities. However, this method has limitations, such as the inability to effectively test specific vulnerabilities, such as broken access controls or business logic issues. On the other hand, a penetration test is a manual process in which ab ethical hacker methodically examines every aspect of the application for potential security vulnerabilities that can put the application or its users at risk of attack.
A penetration test involves an ethical hacker who simulates the methods of actual cyber threats to breach the targeted assets. The scope of the test is usually defined before the test begins, and your penetration testing provider will work with you to understand the scope and determine what is included and excluded. Some clients may opt out of specific testing methods, such as Denial of Service, to avoid potential availability issues. There are various types of penetration tests, each with different objectives; the most common ones (and their objectives) are listed below:
The following outlines our typical penetration testing process. While some company variations may exist, this flow generally represents the process. We begin with a scoping call to assess your needs and then present a formal proposal that includes our methodology, financial and human resources costs, and other relevant information. After the proposal is accepted, a Project Manager will assign the project to a consultant who will conduct the testing and provide regular updates (either weekly or bi-weekly, based on your preference). Upon completion, the results are documented in a comprehensive report, which is then presented and handed over to your team. As a gesture of good faith, we offer free retesting to all our clients, which can be redeemed within six months of project conclusion.
Both ISO 27001:2015 and ISO 27001:2022 require annual penetration testing to maintain the certification and remain compliant. Although not required, we always recommend penetration testing external systems if any significant shifts have happened (i.e. new version release, adding new features, etc.).
Mand Consulting Group provides complimentary cybersecurity consultations, and our supportive sales team can be reached in various ways. To arrange a virtual appointment, book a time slot on our Calendly page, which can be accessed here. If email is more convenient, our 24/7 monitored email address is firstname.lastname@example.org. If you prefer traditional methods, you can also reach us at our toll-free number +1 866-493-6263