ISO 27001 is a robust security framework that comprehensively evaluates and certifies an organization’s security posture. What does it have to say about an organization’s exposure to security vulnerabilities? What requirements are there for ISO 27001 penetration testing?
In this article, I’ll work to answer those questions and more. My goal is to demystify ISO 27001’s requirements for penetration testing. In doing so, I’ll also cover the benefits and challenges of good penetration testing and how those can benefit your ISO 27001 compliance process.
- Does ISO 27001 Require Penetration Testing?
- But Penetration Testing Helps ISO 27001 Compliance
- Is Vulnerability Assessment Enough?
- CISO's Recommendation on Pentesting for ISO 27001
- In Combination With?
- How Much is Penetration Testing for ISO 27001?
- Are there Vendors for ISO 27001 Pentesting Specifically?
- Final Thoughts
- Find the Right Pentest Provider Fast
(NOTE: If you’re considering a penetration test for ISO 27001 compliance, our free tool below matches your firm with top-rated vendors that suit your needs and budget.)
Does ISO 27001 Require Penetration Testing?
No. A lot of online resources triumphantly claim that ISO 27001 requires penetration testing. They cite A.12 Operations Security – A.12.6 Technical Vulnerability Management as the requirement for penetration testing.
I like the cut of their jib. Anything to drive penetration testing, especially linking it to ISO 27001 compliance, is great! Every organization is made exponentially safer by leveraging penetration testing services.
That being said, A.12.6 requires a lot, like an asset inventory, identification of technical vulnerabilities, change control, and vulnerability tracking to name a few. What it does not require is penetration testing.
But Penetration Testing Helps ISO 27001 Compliance
That’s not to say that penetration testing for ISO 27001 is worthless. It’s arguably one of the best ways to find exploitable vulnerabilities in a corporate environment. A pen test starts with identifying vulnerabilities, exploiting security flaws associated with those vulnerabilities, and mimicking everything short of active cyber attacks where possible.
A penetration test well serves Control A.12.16’s requirements. Penetration testing fits a specific need: it provides deep analysis of specific vulnerabilities along an attack chain pathway. It’s a fantastic way to identify technical vulnerabilities and their systemic impacts. It goes beyond a vulnerability assessment, which provides a broad higher-level analysis of vulnerabilities.
Think of it as a great defense-in-depth tool. You’ll identify all your problems with vulnerability scans, but you’ll identify the most serious of those with a penetration test.
Is Vulnerability Assessment Enough?
If you’re looking to tick boxes, though, vulnerability assessments are enough. You don’t strictly need pen testing to meet ISO 27001’s requirements. Automated vulnerability scanning gets you most of the way toward meeting the technical vulnerability management requirements and will more than suffice to meet the letter of the framework.
What vulnerability scanning does is address your security measures. It reveals new and emerging threats that have been observed, identifies if those technical security vulnerabilities exist in your environment, and highlights the associated risks for the potential threats arising from such vulnerabilities. If you’ve performed a comprehensive asset inventory, scanned those assets, and are addressing vulnerabilities based on a predefined risk treatment plan, then that’s what A.12.16 Technical Vulnerability Management requires.
But vulnerability scans fall short of supporting an enterprise security risk management process. Merely identifying that the vulnerabilities evaluated exist in your environment isn’t enough to truly mitigate the threat they pose.
Pen tests provide a security assessment based on vulnerabilities leveraging security techniques to exploit those vulnerabilities. Penetration testing fits the role of focusing your risk assessments on protecting sensitive data. In doing so, pen testing helps prioritize remediation efforts to protect sensitive data and actually mitigate data breaches instead of merely uncovering vulnerabilities.
CISO’s Recommendation on Pentesting for ISO 27001
Here are some guidelines I recommend for managing your pentest engagements with a view to ISO 27001 compliance.
In my opinion, pen testing needs to happen once annually, at a minimum. If you have bespoke web applications, complex systems plus an environment that constantly changes, or very sensitive data, then you’ll want to pen test more frequently.
You can have penetration tests coincide with other internal audit activities, like your ISO certification assessment. I wouldn’t recommend it, given how intensive some penetration testing can be, but if you’re of the mind to hit all your testing at once, then that’s an option.
I prefer to run penetration testing when there are no other major security testing or risk assessment activities. That allows you and your security team to focus on the penetration testing itself and subsequent remediation for identified technical vulnerabilities.
Honestly though, as long as you’re doing it at least once annually or after a major system change you’re largely meeting industry standards.
Penetration tests can help identify issues with poorly coded websites or just general flaws with web applications. They can test the effects of business email compromise–a phishing test mimicking or exploiting your business partners to leverage access–or evaluate encryption flaws on data flows. You can even have penetration testers test your wireless and guest networks to see if wireless devices can be easily compromised.
Think about how much harm can happen if a specific system is compromised. You should perform penetration testing of that system.
There are a variety of different penetration tests. External tests provide a great way to test your perimeter defenses from threat ingress from external IP addresses. Internal testing lets you identify functionality-specific vulnerabilities and robustly test your information security management systems. Both forms of testing can help identify if your SOC or MSSP is alerting you in a timely fashion, and where security issues exist along the attack pathway.
There’s also black, white, and gray box testing. If you have web applications, gray box testing is the way to go. That model wants penetration testers to conduct penetration testing services with some knowledge of application data flows, but not a full understanding of internal architecture.
If you want to most closely model with external penetration tests how an attacker unfamiliar with your environment would exploit and identify vulnerabilities on your perimeter, black box testing is the way to go. White box testing, then, is when penetration testing is conducted with a full understanding of your environmental architecture. In that context, penetration testing satisfies the identification of internal security issues, helps with the risk assessment process for existing information security standards compliance, and evaluates whether or not appropriate measures and information security controls are present in information systems.
In Combination With?
Penetration testing is one of many tools you should employ for your information security management system. If you’re pursuing an ISO 27001 certification, you likely have endpoint and network security in place, operating systems management and hardening, access controls, continuous monitoring, and other security controls.
A penetration test isn’t a magic bullet. It doesn’t suddenly make your environment secure and your information security management system unflappable. It validates security measures implemented in your environment, highlights security objectives to drive continual improvement, and identifies potential gaps in data security.
When you conduct a penetration test, you test your information security control system against a human adversary. You’re focusing on associated risks to your sensitive applications and data stores. It’s a more realistic portrayal of flaws than is presented with vulnerability scanning. It’s also likely going to be less comprehensive. So a vulnerability scan and penetration test are two sides of the same coin, each with a different focus, but both driving continual improvement of your security posture.
How Much is Penetration Testing for ISO 27001?
The cost of penetration testing for ISO 27001 varies depending on the size and scope of the engagement. A small business with a single environment may be able to get their pentest for as little as $5,000. A larger firm with assets across their network, cloud, and web could pay hundreds of thousands of dollars for its pentest.
ISO 27001 penetration testing is going to be more expensive than a standard penetration test if a firm differentiates between the two. Why? One is supporting a certification while the other isn’t. Put differently, simply because of the presence of the ISO 27001 descriptor, some firms may charge more for the pen test. In my experience, there’s no difference between ISO 27001 penetration testing and a run-of-the-mill penetration test.
That’s not to say there isn’t an ISO 27001 risk assessment that also includes a penetration test. In fact, you’re likely to save money by bundling both if you can. That being said, it’s not strictly ISO 27001 penetration testing.
For a comprehensive breakdown on penetration testing costs, see this article.
Are there Vendors for ISO 27001 Pentesting Specifically?
There are vendors that offer ISO 27001 penetration testing. See my note immediately above about ISO 27001 penetration testing. You’re likely paying more for a run-of-the-mill penetration test.
There are also vendors that offer ISO 27001 gap assessments, auditing and certification revies that also offer penetration testing. I wouldn’t say that’s ISO 27001 penetration testing, but it’s penetration testing in the context of other ISO 27001 compliance activities. That may drive some of the focus, but the penetration test itself will be “standard.”
ISO 27001 penetration testing is a misnomer. Firms offer ISO 27001 penetration testing, but it’s unclear to me how that differs from standard penetration testing. ISO 27001 certainly doesn’t require penetration testing on its face, nor does it provide standards for such testing.
That being said, penetration testing is a critical part of any security program and especially one that is ISO 27001 certified. A penetration test evaluates how attack pathways are exploited and highlights potentially subtle issues with security control programs. It drives continual improvement through the thoroughness of the evaluation and the post-mortem recommendations.
If you feel more comfortable contracting for ISO 27001 penetration testing as part of your compliance journey, I definitely don’t want to dissuade you. There’s a lot to be said for feeling comfortable with the security program you’re implementing. My opinion, though, is that it’s an opportunity for charging more for otherwise equivalent services.