Mand Consulting Group


Does ISO27001 Require Penetration Testing?

by Ranhjot - Jul 2023


What is ISO 27001?

ISO 27001 is a leading international Information Security Management Systems (ISMS) standard. Achieving ISO 27001 compliance demonstrates to clients that your organization takes data protection seriously and has a secure ISMS. In 2022, the standard underwent a significant update, moving from ISO 27001:2015 to ISO 27001:2022 and introducing new controls.

To achieve or maintain ISO 27001 compliance, several mandatory controls, including annual penetration testing, are referenced in controls A.5.36 and A.8.8. Both ISO 27001:2015 and ISO 27001:2022 require an external third party to perform the penetration testing. This article discusses what is needed to satisfy the penetration testing control outlined in ISO 27001.

Does ISO 27001 require penetration testing?

In essence, ISO 27001 mandates penetration testing for all external systems. Vulnerability scans can serve as an alternative for systems that hold non-sensitive data, but for custom-built applications, especially those of SaaS companies, a penetration test is necessary to obtain a report that documents the findings of the assessment.

You may be curious about the distinction between vulnerability scans and penetration tests. Simply put, a vulnerability scan is an automated tool that applies predefined checks to detect known application vulnerabilities. This approach has limitations: it cannot effectively test for classes of weakness such as broken access controls or business logic flaws. A penetration test, on the other hand, is a manual process in which an ethical hacker methodically examines every aspect of the application for security vulnerabilities that could put the application or its users at risk of attack.

What is Penetration Testing?

A penetration test involves an ethical hacker who simulates the methods of actual cyber threats to breach the targeted assets. The scope of the test is usually defined before the test begins, and your penetration testing provider will work with you to understand the scope and determine what is included and excluded. Some clients may opt out of specific testing methods, such as Denial of Service, to avoid potential availability issues. There are various types of penetration tests, each with different objectives; the most common ones (and their objectives) are listed below:

  1. Web application penetration testing: The goal of web application penetration testing is to uncover vulnerabilities in an organization's web applications, whether customer-facing SaaS applications or the Electronic Health Record (EHR) solutions used by healthcare organizations. The testers aim to exploit weaknesses in the application logic to compromise the application and access sensitive information. With hundreds of successful web application penetration tests, MCG has consistently delivered positive results to its customers.
  2. Mobile application penetration testing: Mobile application penetration testing aims to identify security issues and vulnerabilities in Android or iOS applications. This type of testing typically involves a combination of static and dynamic analysis, although many consultancies prefer to use dynamic analysis only. MCG has expertise in statically evaluating mobile application binaries and provides insightful results to its clients.
  3. Scenario-based internal penetration testing: This test aims to identify security vulnerabilities in an organization's internal infrastructure, systems, and processes that could be exploited by a malicious insider or by an attacker who has gained access to the internal network. Testers are usually provided with a standard Active Directory account, attempt to obtain Domain Administrator privileges in the environment, and document the path they took. MCG is proud to have achieved Domain Admin in 95% of the Active Directory environments we have assessed.
  4. Cloud configuration review: During a cloud configuration review, a consultant holding a cloud security certification examines the cloud services in use and identifies any misconfigurations or security gaps that could put your organization at risk. Many organizations have a false sense of security in the cloud because of the shared responsibility model and may not be aware of the risks that remain their responsibility. The increasing number of data breaches on cloud platforms highlights the extent of the problem.

How Does Penetration Testing Work?

The following outlines our typical penetration testing process. Details vary between companies, but this flow is broadly representative. We begin with a scoping call to assess your needs and then present a formal proposal that includes our methodology, the cost in financial and human resources, and other relevant information. After the proposal is accepted, a Project Manager assigns the project to a consultant, who conducts the testing and provides regular updates (weekly or bi-weekly, based on your preference). Upon completion, the results are documented in a comprehensive report, which is presented to and handed over to your team. As a gesture of good faith, we offer free retesting to all our clients, which can be redeemed within six months of project conclusion.

  1. Discovery call: An introduction to our consultants and a discussion of your security concerns.
  2. Technical scoping: Our consultants collaborate with your team to define the scope of work and create a proposal.
  3. Scheduling: We match your project with the consultants who have the right skill set.
  4. Engagement: We keep you engaged with daily or weekly status updates to track project progress.
  5. Reporting: We produce a report with business impact, risk ratings, and tailored remediation steps.
  6. Read-out call: We sit down with your technical team, walk through the report items, and answer any questions your development team may have.
  7. Free retesting: We retest all of the identified issues and attempt to bypass any fixes your developers have pushed.

How Often Does ISO 27001 Require Penetration Testing?

Both ISO 27001:2015 and ISO 27001:2022 require annual penetration testing to maintain the certification and remain compliant. Although not required by the standard, we always recommend penetration testing external systems whenever a significant change has occurred (e.g., a new version release or the addition of new features).

I still have questions; where do I get more information?

Mand Consulting Group provides complimentary cybersecurity consultations, and our sales team can be reached in several ways. To arrange a virtual appointment, book a time slot on our Calendly page, which can be accessed here. If email is more convenient, our 24/7 monitored email address is [email protected]. If you prefer traditional methods, you can also reach us at our toll-free number, +1 866-493-6263.
