MainNerve has the penetration testing expertise to support ISO 27001 certification and re-certification.
ISO 27001 Information Security Management Systems is a certification standard from the International Standards Organization or ISO. Accredited certification to ISO/IEC 27001 demonstrates to existing and potential customers that an organization has defined and put in place best-practice information security processes. ISO 27001 is the only auditable international standard that defines the requirements of an Information Security Management System (ISMS) which is a set of policies, procedures, processes and systems that manage information risks.
The ISO process requires that companies that are compliant with ISO 27001 to continuously test and asses the ISMS for new vulnerabilities or weaknesses that can emerge from changes to a system’s architecture, upgrading of software, integration of new hardware of other significant changes. Within 27001, Control measure 14.1.1, Information security requirements analysis and specification and control measure A.12.6.1 – Technical vulnerability management are areas where the ISO process recommends anticipating vulnerabilities and testing for them.
While there are no stated requirements for penetration testing in ISO 27001 as mentioned above, there are several control measures where penetration testing will definitely help a company achieve 27001 certifications as well as use “best practices” in implementing the ISMS. Companies that are in the e-commerce space are recommended to use web application penetration testing as a measure to determine whether a web application is protected from fraudulent activity or unauthorized disclosure. It is ascertained that companies that are highly exposed or reliant on the internet would be required to conduct penetration testing by a certified auditor not only due to the risks involved with e-commerce but that companies that are involved with e-commerce must be PCI DSS 3.2 compliant, and that compliance mandates penetration testing.
What does this mean?
If you are ISO 27001 compliant you should have a testing or assessment plan in place that provides for the continuous testing and improvement of your ISMS. This plan should include vulnerability scanning or penetration testing.
How do I become compliant?
As stated, penetration testing for 27001 is not mandated but recommended as part of the sustainment process. While many companies feel that, once attained, ISO certification lasts forever, in fact, a company must show through risk assessments, management reviews and testing that it continues to maintain its ISMS to ISO 27001 standards. Penetration testing would demonstrate a commitment to the ISO 27001 process and would positively contribute to the recertification process.