ISO 27001

ISO 27001 can be a very crucial milestone in a growth of a company and the loss of that certification can be damaging to a brand. MainNerve provides the penetration testing necessary to support ISO 27001 certifications and identify threats and vulnerabilities so that the client can continue to remain compliant.

MainNerve has the penetration testing expertise to support ISO 27001 certification and re-certification.

ISO 27001 Information Security Management Systems is a certification standard from the International Standards Organization or ISO. Accredited certification to ISO/IEC 27001 demonstrates to existing and potential customers that an organization has defined and put in place best-practice information security processes. ISO 27001 is the only auditable international standard that defines the requirements of an Information Security Management System (ISMS) which is a set of policies, procedures, processes and systems that manage information risks.

The ISO process requires that companies that are compliant with ISO 27001 to continuously test and asses the ISMS for new vulnerabilities or weaknesses that can emerge from changes to a system’s architecture, upgrading of software, integration of new hardware of other significant changes. Within 27001, Control measure 14.1.1, Information security requirements analysis and specification and control measure A.12.6.1 – Technical vulnerability management are areas where the ISO process recommends anticipating vulnerabilities and testing for them.

While there are no stated requirements for penetration testing in ISO 27001 as mentioned above, there are several control measures where penetration testing will definitely help a company achieve 27001 certifications as well as use “best practices” in implementing the ISMS. Companies that are in the e-commerce space are recommended to use web application penetration testing as a measure to determine whether a web application is protected from fraudulent activity or unauthorized disclosure. It is ascertained that companies that are highly exposed or reliant on the internet would be required to conduct penetration testing by a certified auditor not only due to the risks involved with e-commerce but that companies that are involved with e-commerce must be PCI DSS 3.2 compliant, and that compliance mandates penetration testing.

What does this mean?

If you are ISO 27001 compliant you should have a testing or assessment plan in place that provides for the continuous testing and improvement of your ISMS. This plan should include vulnerability scanning or penetration testing.

How do I become compliant?

As stated, penetration testing for 27001 is not mandated but recommended as part of the sustainment process. While many companies feel that, once attained, ISO certification lasts forever, in fact, a company must show through risk assessments, management reviews and testing that it continues to maintain its ISMS to ISO 27001 standards. Penetration testing would demonstrate a commitment to the ISO 27001 process and would positively contribute to the recertification process.

Penetration Testing: MainNerve is one of the leading penetration testers in the U.S. with hundreds of customers and highly trained, accredited and experienced penetration testers and is one of the few companies that is currently conducting penetration tests internationally. While penetration testing is not mandated under ISO 27001, it is a recommended practice and annual penetration tests and quarterly scans are encouraged to demonstrate “best practice” cybersecurity principles to be used in ISO 27001 certification and recertification to show a commitment to demonstrable cyber security of the company’s ISMS. Penetration testers used by companies to support their ISO certification should be validated, accredited third-party vendors such as MainNerve, however, they are not required to be ISO certified to perform these tests.