What is a penetration test?
Cyber-attacks are a risk for any business, regardless of their size, industry or location. Penetration testing simulates a malicious attack to determine if your internet security is adequate, functioning properly, and can actually withstand external threats.
Why should organisations do a penetration test?
Penetration testing is an essential component of any ISO/IEC 27001 Information Security Management System (ISMS), from initial development to ongoing maintenance and continuous improvement.
ISO/IEC 27001 control objective A12.6 (Technical Vulnerability Management) states that ‘timely information about the technical vulnerabilities of the information systems used should be obtained, the organization’s exposure to such vulnerabilities assessed, and appropriate measures taken against the relevant risk’.
The nature of information technology assets means that they can have many technical vulnerabilities that could be exploited by outside attackers. Automated and indiscriminate attacks target identifiable vulnerabilities in hardware and software, regardless of which organization owns them. These vulnerabilities include unpatched software, weak passwords, poorly coded websites, and insecure applications.
The logical point at which you should run a penetration test is after you have identified the assets to be included in the ISMS scope. Penetration test results identify vulnerabilities in detail, along with the threats that could exploit them, and often also recommend appropriate remedial actions. The identified threats and vulnerabilities will be an important input to your risk assessment, and the recommended corrective actions will inform your choice of controls.
How does penetration testing fit into my ISO/IEC 27001 project?
There are certain points in your ISMS project where penetration testing makes a significant contribution:
- As part of the risk assessment process, uncovering vulnerabilities in Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
- As part of the risk treatment plan, ensuring that the controls implemented are actually working as designed.
- As part of ongoing continuous improvement processes, ensuring that controls continue to function as needed and that new and emerging threats and vulnerabilities are identified and addressed.