Does ISO 27001 Require Penetration Testing?

We are often asked whether vulnerability assessment or penetration testing is required for ISO 27001 compliance. To understand the answer fully, it helps to first explain what is meant by these terms.

Vulnerability Assessment and Penetration Testing

When you perform a vulnerability assessment of your network and information systems, you aim to identify the technical vulnerabilities present in the operating systems and application software. Examples include SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), weak passwords and so on. Finding a vulnerability tells you that there is a recognised weakness in the code or configuration. It does not tell you whether that weakness can actually be exploited in your environment (scanners also report false positives, so each finding needs to be confirmed). To discover that, you would need to carry out a penetration test.

To illustrate, imagine you have a web application that is vulnerable to SQL injection, which could allow an attacker to perform operations in the database. A vulnerability assessment will identify that vulnerability, i.e. that it MAY be possible to access the data. If a penetration test is then performed and the vulnerability is exploited, this proves that the risk is real: an attacker who reaches the vulnerable system can read, or even modify or delete, confidential information. This could be sensitive information about clients, finances, personal details or whatever else is stored in the database.

Control A.12.6.1 (Management of technical vulnerabilities) of Annex A of ISO 27001:2013 requires you to obtain information about technical vulnerabilities in a timely manner, evaluate your exposure to them and take appropriate measures to address the associated risk (in ISO 27001:2022 the equivalent control is A.8.8). It leaves the decision as to how you go about this up to you. So, do you need to perform penetration testing? The answer is: not necessarily. Following a vulnerability assessment you know which systems are vulnerable, so by fixing the findings you can avoid the problem altogether. Using the example above, fixing the SQL injection vulnerability, by correcting the vulnerable query (using parameterised queries) or upgrading the affected application component, would remove the problem, so exploiting it is not necessary.

If you want to be compliant with ISO 27001 you can achieve it by performing only a vulnerability assessment and fixing the potential issues. That said, we would highly recommend full penetration testing as best practice. It helps you prioritise issues, shows how vulnerable your systems really are and confirms whether a reported vulnerability is a false positive. In the above example, it would be useful to know what information an attacker could actually access.
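The SQL injection example above, worked through in code. This is an added illustration, not code from the original article or from any system Krypsys tested: a constructed in-memory SQLite table stands in for the customer database, the function names and the sample rows are assumptions, and the payload used is the classic `' OR '1'='1`. The point it makes is the one in the text: a scanner would flag the string-built query as vulnerable; exploiting it shows exactly what an attacker could read (every row, not just their own); and the parameterised version removes the problem, so there is nothing left to exploit.

```python
import sqlite3

# Constructed sample data standing in for a customer table (not real data).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_customer_vulnerable(conn, username):
    """VULNERABLE: user input is concatenated straight into the SQL text.

    This is the weakness a vulnerability assessment would report. Whether it
    is actually exploitable is only shown by sending a crafted value.
    """
    query = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def find_customer_fixed(conn, username):
    """FIXED: parameterised query; the value is bound separately from the SQL.

    The input can no longer change the structure of the statement, so the
    same payload is treated as a literal username and matches nothing.
    """
    query = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demonstrate(username):
    """Run the same input through both versions and return both result sets."""
    conn = make_db()
    return find_customer_vulnerable(conn, username), find_customer_fixed(conn, username)


if __name__ == "__main__":
    # A legitimate lookup behaves the same in both versions.
    print("bob (vulnerable):", demonstrate("bob")[0])
    print("bob (fixed):     ", demonstrate("bob")[1])

    # The exploitation step: the payload closes the string literal and adds an
    # always-true condition, so the vulnerable query returns every customer.
    payload = "' OR '1'='1"
    vuln_rows, fixed_rows = demonstrate(payload)
    print("payload (vulnerable):", vuln_rows)   # all three rows, including e-mails
    print("payload (fixed):     ", fixed_rows)  # [] - nothing to exploit
```

The constructed payload returns all three rows, with their e-mail addresses, from the vulnerable query and an empty result from the fixed one. That difference is what a penetration test report captures for the management summary: not merely that a scanner flagged the endpoint, but that an attacker could read every customer record through it.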

Phases of Penetration Testing

If you are thinking about carrying out penetration testing to support your ISO 27001 implementation, there are several recognised, reliable methodologies that can be used. A good methodology should follow something similar to the stages outlined below.
Planning: identifying the information systems and targets to be tested, agreeing the best time to execute the testing activities and scheduling meetings with the people involved. The plan, including the scope and the rules of engagement, should be agreed between the company and the penetration tester.

Information gathering: In this phase the tester gathers as much information as possible about the agreed targets, which is commonly known as “footprinting.”

Threat modeling: This is where the tester develops strategies to attack the client’s systems based on the information gathered.

Vulnerability analysis: Typically, a range of commercial and open source scanning tools are used to identify vulnerabilities. Using multiple tools provides better coverage and makes it less likely that vulnerabilities will be missed. Which tools are used depends on the agreed targets.

Exploitation: Using exploitation tools and frameworks to determine if any vulnerabilities discovered in the previous phase can be successfully attacked.

Post-exploitation: If we have successfully accessed the target system(s), or can read or transfer information stored in the database, we may attempt onward attacks on other connected systems on the network, or determine whether the privileges of compromised user accounts can be escalated.

Reporting: Reports should be written to include the technical details of the vulnerabilities and how they were exploited together with details of how the vulnerabilities can be fixed. The report should also contain a non-technical management summary.

Krypsys has expertise in vulnerability analysis, penetration testing and ISO 27001. We carry out testing and consulting assignments for companies of all types and sizes throughout the UK. If you have any questions about ISO 27001 or the security testing of systems, networks and web sites, please feel free to contact us.