Clause 6.1.2.c) of ISO 27001 states that you must identify information security risks within the scope of the information security management system (ISMS).
Penetration testing establishes whether the security measures in place to protect a network or application against external threats are adequate and functioning correctly.
The threats and vulnerabilities identified by penetration testing will form a key input of your risk assessment, while the identified remedial action will inform your selection of controls.
This free green paper describes how penetration testing fits into an ISO 27001 ISMS project, covering:
- The three specific points at which penetration testing should be undertaken
- The importance of penetration testing to ISO 27001 risk assessments
- How penetration testing can demonstrate compliance with half the controls in Annex A
- Penetration testing’s use in the continual improvement of your ISMS