Penetration testing and ISO 27001: How do they fit together?

Before you embark on a project to implement an ISO 27001 ISMS (information security management system), you should know that there is a strong connection between your ISMS project and penetration testing.

An ISMS is composed of people, processes and technology. Because the technology assets within an ISMS are frequently exposed to technical vulnerabilities, penetration testing is vital. Unpatched software, insecure applications and poor security hygiene are just a few examples of weaknesses that could undermine individual controls or, worse, jeopardize your entire ISMS project.

Penetration testing addresses this. Through systematic tests and scans, it examines the assets within the scope of your ISMS, identifies their vulnerabilities, links each vulnerability to the threats that could exploit it, and recommends appropriate remedial action. The identified vulnerabilities and threats can then feed directly into your risk assessment, and the recommended remedial actions will inform your selection of controls.

In summary, penetration testing is needed at three points of an ISMS project:

  1. The risk assessment process
  2. The risk treatment plan
  3. The continual improvement processes

To discover more about how penetration testing fits into your ISO 27001 ISMS project, download the free ‘Penetration Testing and ISO 27001’ green paper.