ISO 27001 is a globally recognised standard for Information Security Management Systems (ISMS). Having made a name for itself by giving organisations of all sizes the processes and strategies needed to defend against cybercrime, ISO 27001 continues to grow in prominence.

An ISMS sits at the heart of a business, helping the organisation to govern its security standards and operate in a cyber secure manner. ISO 27001 requires, under Annex A control A.12.6.1 (management of technical vulnerabilities; renumbered A.8.8 in the 2022 edition), that information about technical vulnerabilities is obtained in a timely fashion, the organisation's exposure to them is evaluated, and appropriate measures are taken. This requirement is where many organisations come unstuck, because the standard says what must be achieved but not how it is to be demonstrated.

This article will explore penetration testing as one way of meeting that control and confirm what ISO 27001 actually requires. Keep reading to find out, and to learn how some simple security measures can have a big impact.

What Is Penetration Testing and Why Is It Relevant to ISO 27001?

Penetration testing is a systematic process of probing a system, network or application for vulnerabilities that an attacker could exploit. It involves several kinds of testing to establish how strong the organisation's defences really are. By working in the same way that a malicious attacker would, penetration testers attempt to reach crucial company information using the same hacking techniques an attacker would use.

Because these testers keep up with current attacker tools and techniques, they can simulate a genuine attack. This is, of course, carried out under an agreed scope and with the safety and protection of data in mind. Ideally nothing within the scope of the ISMS can be reached; in practice, unfortunately for most organisations, a test usually finds at least some route to a small proportion of the data.

Penetration testing is highly relevant to ISO 27001 because the Annex A controls are designed to work together, providing robust protection only when they are correctly configured. A test exercises the controls that govern the access of third parties, external agencies and remote or overseas employees, and shows whether the policies and processes that have been implemented actually hold up. With the cost of an ISO 27001 certification starting at around £4,400, the last thing companies want is to pay for compliance and put new measures in place, only to find that those measures provide no substantial protection.

Is Penetration Testing Compulsory for ISO 27001?

You are here to learn if penetration testing is compulsory for ISO 27001. The simple answer is no, but the correct one, in our opinion, is yes. Let us explain. 

ISO certifications, including 27001, are granted on the basis of how well a business can demonstrate that the controls it has selected are implemented and effective. If you look at how many controls there are in ISO 27001, the route to compliance can be complex. While some of this can be evidenced through vulnerability management alone, penetration testing gives the strongest evidence that the technical controls are working as the requirements intend.

This applies to IT systems and software in particular, so if your business relies heavily on cloud services or virtualised networks, it is also a good idea to include them in the scope of penetration testing. As you read through the supporting guidance, you will also find that penetration testing is mentioned, or at least alluded to, many times. Testing and auditing each control allows an auditor to see at a glance whether a company is fully compliant.

As ISO experts, although penetration testing is not compulsory for ISO 27001, we highly recommend that you carry it out regularly.

Why Is Penetration Testing for ISO 27001 Important?

Audit Trails

If you have read our blog about what ISO 27001 is, you will know that audits are paramount to achieving and retaining the certification. Penetration test reports can be included in the audit documentation as firm evidence of how resilient a company's cyber security is.

This positively impacts the legitimacy and accuracy of the evidence being gathered. Such current, dated evidence is also one of the reasons we don't believe ISO 27001 is outdated: it actively encourages gathering fresh information to show that the published controls are being met.

Employee Exposure to Risk

Another reason many organisations require ISO 27001 is that it provides the tools to protect and empower people. 

Conducting penetration testing is a great way to involve employees and other stakeholders and to show them how the processes have been formulated to protect the business. As well as encouraging strong operations, this gives a business a better chance of preventing the employee errors that could lead to a data breach.

Strategic Planning

Last but not least, strategic planning is much easier if penetration testing has been conducted. 

This is because the results can be used to inform decision-making and to test new ideas before they are formally added to the ISO-audited processes.

What Are the Main Types of Penetration Testing?

If you agree with us that penetration testing is a worthwhile exercise, you should also know about the various types of testing available.

Web and software applications are among the main targets that must be tested, because they are exposed to users and are often built on third-party components. The test examines the application code, its automation features and the protective controls around it, such as TLS (the successor to SSL) configuration and input handling; weaknesses in any of these are what allow a test to succeed. Testing these applications is also one of the ways ISO 27001 supports GDPR obligations, as it looks directly at the platforms into which customers enter their details. Other forms of penetration testing include mobile application and wireless network testing.

You may also have seen different coloured boxes referred to when discussing penetration testing. Black-box, grey-box and white-box testing are different ways of scoping a test against the systems within an organisation's ISMS.

Black-box testing is the name given to a scenario where the penetration tester has no prior knowledge of the system. This most closely replicates a real external attack, requiring the tester to start from scratch to gain access. As you can probably infer, grey-box testing means some information (such as architecture documents or a low-privilege account) is provided, and white-box testing means full details, often including source code and credentials, are offered up in advance. Black-box tests are the most realistic but spend much of the engagement on reconnaissance, whereas white-box tests find more issues in the same time because the tester is not guessing. All three are relevant and can be chosen according to the scope, frequency and content being examined.

Finally, another form of testing is social engineering, sometimes called human penetration testing, which involves sending simulated scam attempts such as phishing emails directly to employees to see whether they can identify the malicious activity. This is ideal for internal testing and is often adopted by businesses as a form of training.

What Is The Difference Between Vulnerability and Penetration Testing?

On another note, we are often asked whether ISO 27001 is better than Cyber Essentials Plus, which we can answer here by looking at the difference in testing.

Cyber Essentials Plus uses vulnerability scanning to verify the controls in place. A vulnerability scan is an automated, high-level check that looks for known weaknesses such as missing patches and insecure configurations, and reports them without attempting to exploit them. Penetration testing goes a step further: it identifies the weaknesses and then attempts to exploit them to show what an attacker could actually reach.

In this sense, ISO 27001 goes further, because its risk-based approach covers the whole ISMS rather than a fixed set of technical controls, and penetration testing carried out in support of it is the closest way to emulate a genuine attack.

How Can Creative Networks Support ISO 27001 Penetration Testing?

You should now understand that penetration testing is not required for ISO 27001 certification but is highly recommended.

The Creative Networks team are experts in both fields, making us well placed to support companies in carrying out professional penetration testing and in implementing an ISO 27001 ISMS. As well as facilitating the testing itself, we offer a full cyber security package, which means we can help companies interpret the results and implement the changes needed to become cyber secure.

To learn more or to enquire about our services, contact our team.
