Regardless of size, sector or location, every organisation is at risk of cyber attack. Penetration testing helps you stay on top of such risks by simulating malicious attacks against your systems to determine whether your security is adequate and how well it withstands real threats. The findings delivered by a certified ethical hacker give you a reliable basis from which to improve your security controls.
Of all the security standards prescribed by various bodies and organisations so far, ISO 27001 has been the most popular. ISO 27001 contains ten clauses and 114 controls, and the standard has served as a stepping stone for many organisations to improve their information security policies and procedures.
To comply with control A.12.6.1 of Annex A of ISO 27001, you are required to prevent the exploitation of technical vulnerabilities. However, the standard leaves the decision as to how you go about it up to you. So, do you need to perform penetration testing? The answer is: not necessarily. A vulnerability assessment tells you whether a system is vulnerable, and by fixing what it finds you can avoid the problem altogether.
If you want to be compliant with ISO 27001, you can achieve it by performing only a vulnerability assessment and fixing the potential issues. That said, we would highly recommend full penetration testing as best practice. It helps you prioritise issues and tells you how vulnerable your systems actually are.
Penetration testing is conducted annually in order to comply with the ISO 27001 standard.
If you are thinking about carrying out penetration testing to support your ISO 27001 implementation, there are several recognised, reliable methodologies that can be used. A good methodology should follow something similar to the stages outlined below.
Planning: Planning the testing activities, identifying the information systems and targets to be tested, agreeing the best time to execute the testing activities, and scheduling meetings with the people involved. The plan should be agreed between the company and the penetration tester.
Information gathering: In this phase the tester gathers as much information as possible about the agreed targets, which is commonly known as “footprinting.”
Threat modeling: This is where the tester develops strategies to attack the client’s systems based on the information gathered.
Vulnerability analysis: Typically, a range of commercial and open source scanning tools are used to identify vulnerabilities. Using multiple tools provides better coverage and makes it less likely that vulnerabilities will be missed. Which tools are used depends on the agreed targets.
Exploitation: Using exploitation tools and frameworks to determine if any vulnerabilities discovered in the previous phase can be successfully attacked.
Post-exploitation: If the target system(s) have been successfully accessed, or information stored in the database can be downloaded or transferred, the tester may attempt onward attacks on other connected systems on the network, or determine whether the privileges of compromised user accounts can be escalated.
Reporting: Reports should be written to include the technical details of the vulnerabilities and how they were exploited together with details of how the vulnerabilities can be fixed. The report should also contain a non-technical management summary.
While every business need is different, it is recommended that detailed penetration testing is conducted annually in order to comply with the ISO 27001 standard.
As security vulnerabilities are always evolving, it is recommended that more frequent external interim vulnerability assessments are conducted quarterly between the annual, more detailed tests, or after major changes to the network infrastructure.
I’m co-founder of Siege Cyber and passionate about Cyber Security, Hiking and Mountain Biking. I’ve been working within Cyber for the past 20 years and most of those years as a penetration tester. As a penetration tester I’ve tested some of the biggest companies in Australia before branching out and starting Siege Cyber. Siege Cyber is an Australian owned and operated bespoke cyber security firm focusing on helping our customers secure their organisation and stay up to date with their compliance requirements listed in PCI-DSS, GDPR, ISO 27001 and others.
Happy to chat, happy to help.