ISO27001 penetration testing
IT Governance is a CREST member company with a long history of providing vulnerability scanning and penetration testing services.
What is penetration testing?
Cyber attacks are a risk for every business, whatever its size, sector or location. Penetration testing simulates a malicious attack to establish whether your internet-facing security is adequate, is functioning correctly and will actually withstand external threats.
Effective penetration testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and is conducted by a certificated, ethical professional tester. The resultant findings provide a basis upon which security measures can be improved.
Why is it important to undertake a penetration test?
Penetration testing is an essential part of any ISO 27001 information security management system (ISMS) because it enables continual improvements to be made.
The ISO 27001 policy guidance (ISO 27001 control objective A12.6 Technical Vulnerability Management) indicates that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”.
Organisations may have technical vulnerabilities that could be exploited in external attacks. Attackers look for weaknesses in both hardware and software that they can take advantage of with malicious intent, including weak passwords, poor coding, unpatched software and insecure applications.
The test results help to identify weaknesses in your information security and show how an attacker could exploit them. These findings can then feed into the risk assessment, and remedial action can be planned and implemented.
How can ISO 27001 benefit from penetration testing?
At certain points in your ISMS project, penetration testing will provide a valuable resource:
- During the risk assessment process: it will enable organisations to identify weaknesses in their security.
- During the execution of the risk treatment plan: to ensure that the implemented controls are working effectively as designed.
- As an essential element of the continual improvement process: to confirm that controls continue to work as required, and that any newly identified weaknesses are addressed and remedial action is taken.
How does IT Governance penetration testing actually work?
At IT Governance we have the expertise to undertake penetration testing on your behalf. Once we have agreed a scope of work with you, we will agree the approach and the detailed testing plans, taking into account your security objectives and your business, regulatory and contractual requirements.
Our professional testing team will implement the tests as follows:
- External tests, focusing on internet-facing IP addresses, web applications and similar exposed services.
- On-site tests, focusing on the devices that make up your network, including wireless devices, and the applications and operating systems that run on them.
Once we have completed our tests, you will receive a detailed report that clearly sets out what we found, together with the severity of each issue, our recommendations and the proposed remediation actions.
Let’s get started on your ISO 27001 project
Whatever the nature or size of your problem, we are here to help.
For more advice or guidance on implementing ISO 27001, please contact our team below.