Penetration testing and ISO 27001: How do they fit together?

Before you embark on a project to implement an ISO 27001 ISMS (information security management system), you should know that there is a strong connection between your ISMS project and penetration testing.

Penetration testing (often called ‘pen testing’ or ‘ethical hacking’) establishes whether the security in place to protect a network or application against external threats is adequate and functioning correctly.

Testers use the same techniques to identify and exploit vulnerabilities as criminal hackers, but without damaging or disrupting the client’s networks or systems.

Testing can be wide-ranging or highly focused (such as a specific web application or new system), and isn’t necessarily limited to digital or electronic assets.

It can also identify physical perimeter vulnerabilities that, for example, might allow an attacker to enter the building and set up a rogue wireless access point, steal hard copy files containing sensitive information, or install a device that allows remote access to an internal network.

As you can see, then, its results will prove incredibly helpful when implementing ISO 27001 or reviewing your framework. But how exactly should the two work together?

When and where is penetration testing necessary?

There are three stages in your ISMS project when penetration testing can make a significant contribution:

  1. As part of the risk assessment process, to uncover vulnerabilities in any Internet-facing IP addresses, web applications or internal devices and applications, and link them to identifiable threats.
  2. As part of the risk treatment plan, to ensure that security controls work as designed.
  3. As part of the ongoing performance evaluation and improvement processes, to ensure that controls continue to work as required and that new and emerging vulnerabilities are identified and dealt with.

Meanwhile, Clause 6.1.2.c of ISO 27001 says that you must identify information security risks within the scope of the ISMS.

This involves identifying all assets and information systems within scope of the ISMS, and then identifying the risks and vulnerabilities those assets and systems are subject to.

A penetration test can help identify these risks and vulnerabilities. The results will highlight detected issues and guide remedial action, and are a key input for your risk assessment and treatment process.

Once you understand the threats you face, you can make an informed decision when selecting controls. This brings us on to another stage of ISO 27001: the RTP (risk treatment plan).

Penetration testing and the risk treatment plan

Clause 9.1.b of ISO 27001 states that organisations must determine the “methods for monitoring, measurement, analysis and evaluation […] to ensure valid results”.

The objective of many of the controls you select during the risk assessment process will be to minimise the threat.

However, you cannot simply apply a control and assume everything is okay – you need to check to be sure that it is working as intended. The effectiveness of approximately half the controls listed in Annex A of ISO 27001 can only be adequately evaluated through penetration testing.

For example, control set A.11 deals with physical perimeter security such as entry controls and secure areas.

Although penetration testing is usually thought of as a purely digital activity, physical penetration testing can also be conducted. It can reveal weak points in physical security processes that could grant an attacker access to secure systems or areas.

Likewise, control A.12.2.1 deals with malware and other malicious code. Penetration testing highlights the weak points in electronic and physical systems where such code could be introduced.

Perhaps most notably, control A.18.2.3 requires organisations to regularly check information systems for compliance with security implementation standards, including internal requirements for security. This, by its nature, is best done through penetration testing.

Want to know more?

You can find more advice on this topic by downloading Penetration testing and ISO 27001.

This free green paper goes into more detail about how penetration testing and ISO 27001 fit together. It covers the specific points at which penetration testing should be undertaken and explains which of the Standard’s controls can be addressed with security tests.

It also explains how penetration testing can be used to review and continually improve upon your ISMS.

A version of this blog was originally published on 1 February 2017.