PENETRATION TESTING & ISO27001

January 2015

Protect. Comply. Thrive.

IT Governance Green Paper

SECURITY TESTING
PENETRATION TESTING & ISO27001

What is security/penetration testing?

Penetration testing (often called pen testing or security testing) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly. It is an essential component of most ISO27001 and UK public sector contracts.

Why would my company need penetration testing services?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective penetration testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS - from initial development through to ongoing maintenance and continual improvement.

The nature of information technology assets is that they may be open to technical vulnerabilities that might be exploited by external attacks. Many of these are simply automated, indiscriminate attacks that target identifiable vulnerabilities in hardware and software, irrespective of the organisation that has them. These vulnerabilities include un-patched software, inadequate passwords, poorly coded websites and insecure applications.

How does penetration testing fit into my ISO27001 ISMS project?

There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:
1. As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats;
2. As part of the Risk Treatment Plan: ensuring controls that are implemented do actually work as designed;
3. As part of the on-going performance evaluation and improvement processes: ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

Tell me more about penetration testing and ISO27001.

ISO27001 says that you must identify information security risks within the scope of the ISMS (clause 6.1.2.c), which will necessarily involve identifying vulnerabilities that threats may exploit.

IT Governance Ltd 2015

IT Governance is an accredited member of CREST, the Council of Registered Ethical Security Testers

Pen-Testing-ISO27001


The logical point at which you should carry out a penetration test is once you have identified the assets to be included in the scope of your ISMS. The penetration test results will identify vulnerabilities in detail, together with the threat that can exploit them, and will usually also identify appropriate remedial action. The identified threats and vulnerabilities will then form a key input to your security (penetration) testing and ISO27001 risk assessment, while the identified remedial action will inform your selection of controls.

Tell me more about penetration testing and the RTP.

ISO27001 says, in clause 9.1.b, that you must determine the "methods for monitoring, measurement, analysis and evaluation [...] to ensure valid results". The objective of many of the controls that you select during the risk assessment process will be to eliminate the threat. From a practical point of view, you will want to remove technical vulnerabilities completely, not partially. The best way of testing that you have achieved this objective is to repeat the penetration tests that were originally used to identify the need for the control. If the new control stands up to the repeat test, you can confirm that this control is effective.

The effectiveness of approximately half the controls listed in ISO27001 Annex A can only be adequately tested by means of penetration testing. More importantly, there are a number of specific Annex A controls whose objectives are best achieved by the deployment of penetration testing services:
A.12.2.1 deals with malicious code, prevention of which can be proven effective with technical security testing;
A.12.6.1 requires you to address emerging technical vulnerabilities in a structured and systematic way. A key part of achieving this is to deploy a security testing service to identify and report on security across all the assets within the scope of the ISMS;
A.14.2.3 requires that business critical systems are technically reviewed and tested after changes to ensure that there are no adverse impacts;
A.16.1.3 requires that observed or suspected system security weaknesses are reported. Penetration testing is a core component in any effective reporting process that aligns with the objectives of this control;
A.18.2.1 requires you to have independent reviews of the implementation of controls, which an independent penetration test delivers;
A.18.2.3 has, perhaps, the most all-embracing requirement for security testing, in that it requires that all information systems are regularly checked for compliance with security implementation standards.

So, simply identifying and putting in place a penetration testing contract is the most straightforward way of demonstrating compliance with all the above controls.

Tell me more about penetration testing and CAPA/Continual Improvement.

ISO27001 specifies, at clause 6.1.1, that you must determine the risks and opportunities that need to be addressed to [...] prevent, or reduce, undesired effects. For most organisations, changing technical risks are as important as any others. Therefore, a penetration testing service that, on a regular basis, tests existing controls and, when necessary, tests changes to IT and security infrastructure, is likely to be a fundamental part of any CAPA process.

In addition, and as described above, a penetration testing service is likely to be core to the effectiveness of controls such as A.12.6.1 and A.18.2.3.


Why should I buy these services from IT Governance?

ITG Security Testing is the technical security division of IT Governance Ltd. IT Governance has a long and distinguished history in the provision of information security expertise and solutions, including but not exclusive to the PCI DSS and ISO27001 standards. ITG Security Testing builds on this foundation to provide comprehensive penetration testing services that test the security of your networks and applications whilst retaining a broad vision of your business and security objectives. This ensures that our penetration testing services produce results that your business can use to build on and move forward.

How does the ITG Security Testing Ltd service actually work?

We are an accredited member of CREST and follow best-practice penetration testing guidelines. Once we have agreed a scope of work with you, we will then agree detailed testing plans in the light of your security objectives, taking into account your business, regulatory and contractual requirements.

Our professional testing team will then execute the agreed tests; these tests are likely to be
a) External tests, focusing on Internet-facing IP addresses, web applications and other such services; and
b) On-site tests, focusing on the devices (including wireless devices) that make up your network and the various applications and operating systems that run on them.
Once we have completed our tests, we produce a detailed and documented report that sets out clearly what we have found, together with an assessment of its severity, and we also then recommend appropriate remediation action.


Penetration Testing Solutions

Infrastructure (Network) Penetration Test

Designed to provide a complete solution for the efficient and routine testing of your IT system, ensuring that your networks and applications are genuinely secure against today's automated cyber-attacks.
www.itgovernance.co.uk/shop/p-793.aspx

Web Application Testing Penetration Test

Designed to provide efficient and routine testing of your IT system ensuring that your web
applications are secure against automated cyber-attacks.
http://www.itgovernance.co.uk/shop/p-794.aspx

Employee Phishing Vulnerability Assessment

This service helps you identify potential vulnerabilities amongst your employees and
provides recommendations of how to improve your security.
http://www.itgovernance.co.uk/shop/p-1574-employee-phishing-vulnerabilityassessment.aspx

Wireless Network Penetration Test Level 1

WLAN penetration tests can help you find and fix WLAN weaknesses before attackers take advantage of them. By regularly performing tests on your wireless network, you can identify and close any security holes before a hacker can slip through them.
http://www.itgovernance.co.uk/shop/p-1573-wireless-network-penetration-test-level1.aspx

Penetration Testing Books

The Basics of Hacking and Penetration Testing

This guide will show you how to undertake a penetration test or, as it is sometimes known, an ethical hack. This book focuses on how to hack one particular target; this allows you to see how the tools and phases of the pen test relate.
www.itgovernance.co.uk/shop/p-1154.aspx

Penetration Testing - Protecting Networks and Systems

An essential guide to penetration testing and vulnerability assessment, which can be used
as a Certified Penetration Testing Engineer Exam Prep Guide.
www.itgovernance.co.uk/shop/p-1024.aspx


IT Governance Solutions
IT Governance source, create and deliver products and services to meet the evolving IT
governance needs of today's organisations, directors, managers and practitioners.
IT Governance is your one-stop-shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are unique in that all elements are
designed to work harmoniously together so you can benefit from them individually and also
use different elements to build something bigger and better.
Books
Through our website, www.itgovernance.co.uk, we sell the most sought-after publications covering all areas of corporate and IT governance. We also offer all appropriate standards documents.
In addition, our publishing team develops a growing collection of titles written to provide
practical advice for staff taking part in IT Governance projects, suitable for all levels of staff
knowledge, responsibility and experience.
Toolkits
Our unique documentation toolkits are designed to help small and medium organisations adapt
quickly and adopt best management practice using pre-written policies, forms and documents.
Visit www.itgovernance.co.uk/free_trial.aspx to view and trial all of our available toolkits.
Training
We offer training courses from staff awareness and foundation courses, through to advanced
programmes for IT Practitioners and Certified Lead Implementers and Auditors.
Our training team organises and runs in-house and public training courses all year round,
covering a growing number of IT governance topics.
Visit www.itgovernance.co.uk/training.aspx for more information.
Through our website, you can also browse and book training courses throughout the UK that
are run by a number of different suppliers.
Consultancy
Our company is an acknowledged world leader in our field. We can use our experienced
consultants, with multi-sector and multi-standard knowledge and experience to help you
accelerate your IT GRC (governance, risk, compliance) projects.
Visit www.itgovernance.co.uk/consulting.aspx for more information.
Software
Our industry-leading software tools, developed with your needs and requirements in mind,
make information security risk management straightforward and affordable for all, enabling
organisations worldwide to be ISO27001-compliant.
Visit www.itgovernance.co.uk/software.aspx for more information.

Contact us:

+44 (0) 845 070 1750

www.itgovernance.co.uk

servicecentre@itgovernance.co.uk
