Does ISO 27001 require penetration testing?

Andy Dowling

A question that often arises when implementing ISO 27001 is whether a penetration test is required to achieve compliance.

While the standard doesn't explicitly demand it, auditors do typically expect to see penetration testing performed in most circumstances.

Why is that?

Because penetration testing can help inform your risk assessment processes, as well as help to evaluate the effectiveness of the security controls implemented to treat risks. Accordingly, while the ISO 27001 standard does not explicitly mention penetration testing, the guidance for implementing its controls in ISO 27002 does refer to penetration testing as something to be considered.

Which Annex A controls are addressed by penetration testing?

While penetration testing isn't explicitly required for ISO 27001 compliance, it's highly recommended and often expected by auditors. It helps meet several key controls related to managing technical vulnerabilities, configuration management, and security testing in development.

Depending on your technology stack and the nature of the risks that you are treating, penetration testing can help assess the effectiveness of a number of controls including:

  • A.8.8 - Management of Technical Vulnerabilities:

    This control emphasises identifying, evaluating, and fixing technical vulnerabilities. Penetration testing is a great fit for this, as it mimics real-world attacks to reveal potential security weaknesses.

  • A.8.9 - Configuration Management:

    This control ensures your system configurations are secure. Penetration testing can spot vulnerabilities caused by misconfigurations, such as default settings, open ports, or misconfigured security settings.

  • A.8.25 - Secure Development Life Cycle:

    This control helps ensure that information security is designed and implemented within the secure development life cycle of software and systems.

  • A.8.29 - Security Testing in Development and Acceptance:

    This control focuses on testing security both during development and before deployment, in order to catch vulnerabilities early. Penetration testing plays a key role in identifying these weaknesses, allowing teams to address potential threats before they become real risks.

  • A.5.35 - Independent review of information security:

    When performed by a third party, an independent penetration test provides an unbiased assessment of an organisation's security. This can help satisfy this ISO 27001 requirement for undertaking an independent review of information security.

  • A.5.21 - Managing Information Security in the ICT Supply Chain:

    Penetration testing isn’t just valuable for your own security – it can be a great tool for checking how well your suppliers protect their systems, too. When reviewing security in your supply chain, a penetration test can reveal hidden risks and help ensure security standards have been met before you share sensitive data.

Additional requirements for penetration testing

While helping to address the controls outlined above, penetration tests are also subject to ISO 27001 requirements relating to their scoping, planning and execution:

  • A.8.34 - Protection of information systems during audit testing:

    This control requires that audit and assurance activities - like penetration testing - are planned, agreed and delivered in a way that does not disrupt operational systems. With the right planning, approval and delivery, penetration testing can do what it’s meant to: strengthen security without causing unnecessary disruptions.

Choosing a reputable penetration testing provider is the key to meeting these requirements. Using a CREST-accredited penetration testing company offers significant benefits for organisations seeking to ensure the safety and quality of their cybersecurity assessments. This ensures that penetration tests are conducted by qualified professionals using industry-recognised best practices, reducing the risk of oversight or error. Additionally, CREST-accredited firms are regularly audited, which promotes continuous improvement and accountability.

At the end of the day, penetration testing should reduce risk for the organisation, not introduce new risk. Selecting a reputable provider helps ensure a quality assessment that meets the requirements of ISO 27001, without putting your organisation at risk.

Need assistance?

If you require assistance with either ISO 27001 or CREST accredited penetration testing, we're here to help. Acumenis supports organisations Australia wide, with local specialists in Brisbane and South East Queensland. Contact Acumenis for assistance with your current security challenges.
