Hacker attack simulation services for improving cybersecurity processes.
What is ISO/IEC 27001?
ISO/IEC 27001 is the leading international standard used by organisations of all sizes and industries to establish, implement, maintain and continually improve an information security management system (ISMS).
Compliance with ISO/IEC 27001 signals that information security is integrated into all of an organisation's processes rather than bolted on to a few of them.
Penetration testing is not an explicit requirement for compliance with ISO/IEC 27001. At the same time, global best practice recommends that pentesting be carried out as part of a number of information security management processes, such as corporate risk management, vulnerability management, security assessment of suppliers and partners, secure software development and testing, internal audit, and continual improvement. ISO/IEC 27002:2022, which gives implementation guidance for the controls listed in Annex A of ISO/IEC 27001:2022, highlights the value of this practice in several key areas of information security.
In particular, Annex A of ISO/IEC 27001:2022 contains control A.5.21 'Information security in the ICT supply chain'. The standard requires an organisation to verify that the products and services provided by ICT suppliers meet the stated security requirements. A pentest is one way to perform that verification: it helps assess supplier risk and can protect an organisation from security breaches originating with third parties. To assess the security risks associated with suppliers and partners, one should review the results of penetration tests that suppliers are advised to perform on their own infrastructure, checking that the scope and date of each report actually cover the product or service being consumed. In this way third parties do not become the weak link in the organisation's ISMS. If service providers take the reliability of their own security seriously, and assess and fix vulnerabilities in a timely manner, this goes a long way towards improving the security of their partner organisations.
Control A.8.16 'Monitoring activities' treats pentesting as a way to extend the security monitoring of an organisation's networks, systems and applications and to establish a baseline of normal system behaviour and state. That baseline provides a starting point for measuring and comparing the effectiveness of the security measures implemented, and helps to identify and respond to anomalies that may indicate potential security incidents or threats.
The controls in ISO/IEC 27001:2022 related to secure development and testing, namely A.8.25 'Secure development life cycle' and A.8.29 'Security testing in development and acceptance', require that secure coding principles be applied during software development and that security testing processes be defined and implemented at every stage of the software development life cycle. For control A.8.29, ISO/IEC 27002:2022 recommends penetration testing alongside code review and regression testing to identify vulnerabilities at both the code and design level. Control A.8.25, in turn, treats security testing, of which a pentest is one form, as a building block of secure development, which covers building architecture, software, services and systems with security as a design goal. Integrating penetration testing into the development process helps ensure that security considerations are built into software products from the very beginning of their life cycle rather than retrofitted before release.
Recommendations for the implementation of control A.8.8 ‘Management of Technical Vulnerabilities’, defined in ISO/IEC 27002:2022, state the following: “Information about technical vulnerabilities of information systems in use should be obtained, the organisation’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.”
Implementing the vulnerability management process involves planned, periodic penetration tests carried out by specialists, or vulnerability assessments, including automated ones, both of which identify vulnerabilities present in systems for further evaluation and action. Although the guidance presents pentesting as an alternative to vulnerability assessment (e.g. automated scanning), a pentest yields a considerably broader and deeper picture of system flaws. Using comprehensive penetration testing methodologies and specialised tools, a team of specialists can usually identify significantly more weaknesses than automated scanning alone, in particular by mimicking the conditions of real cyber threats more closely, chaining individual findings, and confirming which weaknesses are actually exploitable rather than merely reported. By proactively addressing these vulnerabilities in applications, networks and systems, an organisation can significantly reduce the likelihood of a cyberattack and limit its consequences, preventing data breaches and reputational damage.
Combining penetration testing with vulnerability scanning is in line with global best practice in information security and significantly improves the effectiveness of the vulnerability management process, providing a comprehensive approach to identifying, assessing and remediating potential threats.
Consequently, conducting specialised penetration testing in line with ISO/IEC 27001 supports the implementation of these controls by helping to meet the requirements for vulnerability management, activity monitoring, supplier vetting and security testing in development.