ISO 27001 Penetration Testing

Identify and address vulnerabilities to comply with ISO 27001 with our industry leading vulnerability scanning and penetration testing services


Does ISO 27001 Compliance Require Penetration Testing?

Pen testing and vulnerability analysis are an important part of ISO/IEC 27001 Information Security Management System (ISMS) certification. Annex A.12.6 of the ISO 27001 standard covers A.12.6.1 ‘management of technical vulnerabilities’ and A.12.6.2 ‘restrictions on software installations’. Objective A.12.6.1 states that ‘information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk’.

Our ongoing support and expert advice make your ISO certification process smoother.


What is an ISO 27001 penetration test?


An ISO 27001 penetration test is a technical security assessment aimed at identifying, exploiting and remediating cyber security vulnerabilities. It is conducted once the ISMS scope has been defined.

Our tests are tailored to meet ISO 27001 penetration testing requirements during the risk assessment or continual improvement stages. These assessments are conducted by experienced security consultants who hold industry-leading certifications and have the sector-specific experience to communicate in both technical and business terms.

As part of our ISO pen test engagement approach, all deliverables are customised to demonstrate how compliance requirements are met.


Common Questions about ISO 27001 Pentesting

ISO 27001 objective A.12.6.1 requires an organisation to implement effective vulnerability management. To gain insight into, and quantify, the risks posed by its digital assets, a penetration test is recommended: identified vulnerabilities are exploited to assess the real risk, as opposed to relying on a vulnerability scanner’s risk rating.

A vulnerability scan (also known as an automated scan) is useful for identifying low-hanging fruit such as missing patches or common vulnerabilities. It does not provide an in-depth review of an asset because no manual exploitation is carried out, and it is usually the cheaper option.
A penetration test (using a manual approach) goes a step further by safely exploiting the identified weaknesses, establishing that they are not false positives, and uncovering flaws such as business logic issues that an automated test would otherwise miss.

ISO 27001 penetration testing is generally recommended once a year to comply with certification standards. This may change where major infrastructure changes have affected the environment’s configuration and altered the state of its systems. Given modern technological complexity and an evolving threat landscape, interim vulnerability assessments are often conducted between in-depth annual penetration tests or upon changes to the infrastructure.

ISO 27001 penetration testing pricing takes into account the number of assets in scope. Based on the number of hosts, networks or devices, and whether they are internal (inside the firewall) or internet facing, pricing is calculated from the time needed. Our custom proposals give you flexibility and a transparent breakdown of costs and options. Vulnerability scanning is significantly cheaper than penetration testing; however, it does not provide the depth that a pen test does.

Security testing adds significant value to both compliance projects and organisational security. It is carried out at multiple stages: as part of the risk assessment process to uncover vulnerabilities, as part of the risk treatment plan to confirm that controls are performing as intended, and as part of the continual improvement process.

A custom-written report is prepared based on the findings. This report serves both technical and non-technical audiences, with specific sections dedicated to strategic and tactical recommendations, raw/supplemental data, proofs of concept and risk details such as impact, likelihood and risk scoring. This is followed by mitigation advice along with related references to help customer teams with remediation.

Types of ISO 27001 penetration testing services

Based on the scope of the ISMS and its associated assets, any of the following types of security testing services can be aligned to ISO 27001 ISMS project requirements.

Network Pen Testing

ISO 27001 network security penetration testing services cover a broad spectrum, from single build reviews and segregation reviews to network-wide assessments such as internal infrastructure testing and company-wide assessments such as a cyber health check.


Web Application Pen Testing

Our team of cyber security experts will test and perform security assessments against the web applications and web services/APIs in scope. Other services include code reviews, threat modelling and database assessments.


Cloud Pen Testing

Most organisations are migrating to the cloud for its ease of use and 24x7 availability. As the end user of a cloud-hosted solution, it remains your responsibility to ensure that the security of any operating systems and applications hosted in the cloud is continuously maintained and tested.


Vulnerability Assessments

Vulnerability assessments provide insight into the vulnerabilities affecting your internal and external networks.
They help to identify and quantify the potential risks threatening your environment while minimising internal costs.


Managed Security

Our managed security services (MSS) offering involves continuous assurance exercises such as vulnerability scanning, together with managed services covering open source intelligence, phishing, external and internal networks, and applications.


Mobile Pen Testing

Ensuring the safety and security of user data is paramount when running any mobile application. Our tailored services are designed to identify potential threats and vulnerabilities before it’s too late.



Our Engagement Approach

Customer Business Insight

The very first step is to gain insight into your business, its drivers, pain points and relevant nuances. As part of this process, we identify the assets that form part of the scope.

Services Proposal

It is important to get to grips with reality, so we always insist on walkthroughs or technical documentation of the assets. After the asset walkthroughs, a tailored proposal is designed to meet your business’ specific requirements.

Execution and Delivery

Cyphere’s approach to all work involves clear communication before and during the execution phase. The customer communication medium and frequency are mutually agreed, and relevant parties are kept updated throughout the engagement.

Data Analysis & Reporting

The execution phase is followed by the data analysis and reporting phase. Cyphere analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address the business as well as the technical audience, with supporting raw data and mitigation measures at strategic and tactical levels.

Debrief & Support

As part of our engagement process, customers schedule a free-of-charge debrief with management and technical teams. This session covers the remediation plan and assessment QA, ensuring that customer contacts are brought up to date in language they understand.
