A guide to ISO 27001 penetration testing

Testing for vulnerabilities in your information systems is a large part of any information security compliance process. It is done to find the gaps that could give an attacker a way in, so that they can be fixed before they are exploited. Penetration testing (or pentesting) is how this is put into practice during ISO 27001 compliance.

Organisations that conduct pentesting reduce their exposure to the legal and financial consequences of cyber attacks and loss of information. Pentesting does not eliminate the risk, but it reduces it significantly, which is why every organisation should consider it.

In this article, let’s take a look at how penetration testing fits into the ISO 27001 process, who would need to conduct it and the benefits of doing so.

A summary of ISO 27001 compliance

ISO 27001 is the international standard for information security management. Certification is voluntary, but it is widely expected of organisations that process sensitive customer or partner data.

ISO 27001 gives organisations a framework for protecting the data they store and process. It sets out the requirements for establishing, operating and continually improving an Information Security Management System (ISMS) across the organisation: a system of policies, processes and controls that protects information against loss, unauthorised access and disclosure while also meeting applicable legal and regulatory obligations.

What is the role of Penetration testing in ISO 27001?

The ISO 27001 standard does not mention penetration testing by name, which may lead you to believe that pentesting is not an important part of complying with ISO 27001. However, this is not the case. Annex A control A.12.6.1 (Management of technical vulnerabilities) in the 2013 edition, carried over as control A.8.8 in the 2022 edition, requires in substance that:

"Information concerning technical vulnerabilities of used information systems should be collected in a timely manner, the organisation's exposure to such vulnerabilities shall be analysed, and suitable actions shall be implemented to mitigate the risk associated with such exposure."

A vulnerability scan alone cannot satisfy this: it tells you that a version string or configuration matches a known issue, but not whether the issue is actually exploitable in your environment, what an attacker could reach from it, or how the exposure should be prioritised. Evaluating that exposure takes manual pentesting on top of the vulnerability assessment, which is why pentesting is treated as essential for ISO 27001.

What is Penetration testing?

Pentesting is a method of evaluating security in which testers seek out flaws in a system, try to exploit them, and report what they found. Under ISO 27001, pentesting can be performed at any step of an ISMS project, from the initial risk assessment through post-implementation reviews to ongoing process improvement.

During a pentest, an attack is planned and simulated against the systems covered by the ISMS to locate and exploit weak points. It may be used to assess the security of a network, website or application. Security professionals attempt to get into your systems using the same techniques and exploits a real attacker would. The aim is to determine how easy it would be to exploit a vulnerability, how much harm could be done as a result, and what it would take to fix it.

What are the types of Penetration testing?

Before starting your pentest or selecting a provider to conduct it, you need to be familiar with the types of pentest available, because each of the following types varies in focus, depth and duration.

  • Internal/External infrastructure penetration testing

This covers firewalls, hosts and networking devices (routers, switches, etc.), both on-premises and in the cloud. An internal test targets resources within the company's own network, simulating an attacker who already has a foothold; an external test targets resources reachable from the internet. The size of the network subnets, the number of sites, and the total number of internal and external IP addresses to be tested are all needed to scope the engagement properly.

  • Wireless penetration testing

WLAN (wireless local area network) and other wireless protocols such as Bluetooth, ZigBee and Z-Wave are the focus of this type of test, which is conducted at the company's premises. It helps detect rogue access points, weak or misconfigured encryption, and exploitable weaknesses in WPA/WPA2 deployments. The number of wireless and guest networks, physical locations, and distinct SSIDs to be tested all determine the scope of the engagement.

  • Web application testing

This examines websites and bespoke web applications for security problems in their code, design and deployment that could be abused. Before contacting a provider, it is important to know how many applications need to be tested, as well as how many pages, forms, user roles and other inputs will need to be evaluated.

  • Mobile application testing

Apps for iOS and Android are tested for security flaws in areas such as authentication, authorisation, data leakage, insecure local storage and session handling. The number of API calls the app makes, whether testing requires a jailbroken or rooted device, and whether root or jailbreak detection needs to be assessed are all factors a provider must know before scoping the test.

  • Build and configuration review

Mistakes in the configuration of web and application servers, routers and firewalls can be found by reviewing builds and configurations against a hardening baseline. The total number of builds, operating system versions and application servers to be reviewed is essential information for scoping this kind of engagement.

  • Social engineering

This assesses how well your organisation is equipped to recognise and respond to phishing and similar attacks against staff. Targeted exercises such as phishing, spear phishing and Business Email Compromise (BEC) simulations show precisely which people and processes an attacker could exploit.

Why is Penetration testing needed for ISO 27001 compliance?

Most sectors are subject to security standards or regulations intended to protect enterprises and their customers. Practically all of them, ISO 27001 included, address the monitoring and correction of security vulnerabilities. The burden is on businesses to show that they have looked for security flaws, assessed their severity, and implemented adequate fixes. Pentesting is one of the main ways to produce that evidence.

After completing a pentest, the testers document the flaws they found, the potential harm each could cause, and their advice on fixing them. Once the issues have been fixed, a retest is carried out. If the retest confirms that all findings in scope have been remediated, the pentesting company typically issues a letter of attestation (often called a pentest certificate).

Remember that this certificate does not prove compliance with any security standard. It attests only that the issues found within the agreed scope had been fixed at the time of the retest; it does not mean the system is free of flaws, and its value erodes as the system changes.

The compliance audit covers much more than vulnerability management, but the pentest report and retest results are the evidence an auditor will expect for this part of it. Obtaining them is an important step toward compliance, not a substitute for it.
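The "timely manner" wording of the vulnerability management control and the retest cycle described above both come down to the same record: for each finding, when it was reported, when it was fixed, and when the tester verified the fix. The following tracker, added here as an illustration and not code from the original article or from DataGuard, keeps that record and derives the two things an auditor asks for, the list of findings past their remediation window and whether the retest was clean. The severity names, the SLA windows in `SLA_DAYS` and the sample findings are constructed assumptions; take the real windows from your own risk treatment plan.

```python
"""Track pentest findings through fix and retest, for ISO 27001 evidence.

Added example; it is not code from the original article or from DataGuard.
The severity names, the SLA windows and the sample findings are constructed
assumptions for illustration. Take the real windows from your own risk
treatment plan.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation windows in days from the report date, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    ref: str                              # tester's finding identifier
    title: str
    severity: str                         # one of the SLA_DAYS keys
    reported: date                        # date the finding reached you
    fixed: Optional[date] = None          # date the fix went live
    retest_passed: Optional[date] = None  # date the tester verified the fix

    def __post_init__(self) -> None:
        # Reject records that cannot be valid evidence.
        if self.severity not in SLA_DAYS:
            raise ValueError(f"{self.ref}: unknown severity {self.severity!r}")
        if self.fixed is not None and self.fixed < self.reported:
            raise ValueError(f"{self.ref}: fixed before reported")
        if self.retest_passed is not None:
            if self.fixed is None or self.retest_passed < self.fixed:
                raise ValueError(f"{self.ref}: retest cannot precede the fix")

    def due(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        """One of: verified, awaiting_retest, overdue, open."""
        if self.retest_passed is not None:
            return "verified"
        if self.fixed is not None:
            return "awaiting_retest"
        return "overdue" if today > self.due() else "open"


def overdue_findings(findings, today):
    """Findings past their SLA with no fix deployed: the 'timely' test."""
    return [f for f in findings if f.status(today) == "overdue"]


def retest_clean(findings) -> bool:
    """True only when every in-scope finding was verified fixed on retest."""
    return all(f.retest_passed is not None for f in findings)


def evidence_summary(findings, today):
    """Counts per status, the figure to hand to the auditor."""
    counts = {}
    for f in findings:
        counts[f.status(today)] = counts.get(f.status(today), 0) + 1
    return counts


# Constructed sample data: one finding in each state.
TODAY = date(2024, 6, 15)
SAMPLE_FINDINGS = [
    Finding("F-01", "SQL injection in login form", "critical",
            date(2024, 3, 1), fixed=date(2024, 3, 5),
            retest_passed=date(2024, 3, 8)),
    Finding("F-02", "Outdated TLS configuration", "high",
            date(2024, 3, 1), fixed=date(2024, 3, 20)),
    Finding("F-03", "Verbose error messages", "medium", date(2024, 3, 1)),
    Finding("F-04", "Missing security headers", "low", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.ref} {f.severity:<8} due {f.due()} -> {f.status(TODAY)}")
    print("overdue:", [f.ref for f in overdue_findings(SAMPLE_FINDINGS, TODAY)])
    print("retest clean:", retest_clean(SAMPLE_FINDINGS))
    print("summary:", evidence_summary(SAMPLE_FINDINGS, TODAY))
```

Note that `retest_clean` is deliberately strict: a finding that has been fixed but not verified by the tester still blocks the attestation, which is the distinction the letter actually makes. The validation in `__post_init__` stops a record from claiming a retest before a fix existed, the kind of inconsistency an auditor will pick up on.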

What are the stages of Penetration testing?

A number of automated tools and platforms can support pentesting as part of your ISO 27001 implementation; whichever you use, the steps outlined below give a structure for a successful pentest:

Step 1: Planning

Planning covers agreeing when testing activities may take place, meeting the relevant parties, and identifying the information systems in scope and the goals of the test. It is also crucial to formalise a contract and rules of engagement between your organisation and the pentesting provider, including what is out of scope and how findings will be handled.

Step 2: Information gathering

Building a comprehensive "footprint" of the target is essential. Two typical approaches are social engineering (obtaining information by questioning people involved with the systems under test, where the rules of engagement allow it) and OSINT, open-source intelligence: collecting and analysing information about the target from public sources such as DNS records, certificate transparency logs, job postings and public code repositories.

Step 3: Threat modelling

Now that you have adequate information about the target, it is time to create a "breach plan": the simulated attack your systems will undergo. Identify the assets that matter most, such as the database where critical information is stored, work out the paths an attacker could take to reach them, and design the tests around those paths.

Step 4: Vulnerability analysis

To attack the target, you need to assess its vulnerabilities. This is the step that maps most directly to the ISO 27001 control on managing technical vulnerabilities, so identify every gap in the targeted system. At this stage, you answer the question of how the targeted system could be attacked.

Step 5: Exploitation

At this stage, the testers exploit the vulnerabilities found in step 4 to gain access to or control of the targeted system, demonstrating that the weakness is real rather than theoretical.

Step 6: Post exploitation

Once the target system has been accessed, the testers establish what an attacker could do from there: what information could be read or exfiltrated, and whether the foothold can be used to reach other internal resources. Access to real data should be demonstrated rather than the data copied out, and the rules of engagement agreed in planning determine how far the testers may go.

Step 7: Reporting

The final stage is where the analysts will develop a technical and non-technical report along with their recommendation on how issues on your system can be fixed.

Who would need to conduct Penetration testing?

Several security standards have been developed to meet the requirements of different market segments, and manual pentesting is expected or required under many of them. In practice, you should undergo a compliance audit only after you have conducted a pentest and remediated the findings.

The following are some industries along with their relevant compliance standard that would require pentesting:

  • Healthcare facilities (HIPAA)

Although penetration testing is not expressly mandated by the Health Insurance Portability and Accountability Act, the Security Rule requires a risk analysis, and a thorough risk analysis means examining security controls, settings, patches and the like. A penetration test is a practical way to identify the vulnerabilities that analysis needs to address.

Healthcare facilities commonly lack basic cybersecurity measures, which is why a law like HIPAA matters. Pentesting helps healthcare institutions meet HIPAA's risk analysis requirement and gives them grounded confidence that patient data is protected.

  • Payment processing industry (PCI-DSS)

The Payment Card Industry Data Security Standard was established to protect cardholder data and card transactions. Compliance with PCI DSS is contractually required for organisations that store, process or transmit card data, and it also conveys credibility and trust.

Unlike ISO 27001, PCI DSS does mandate penetration testing: Requirement 11 calls for internal and external penetration tests at least annually and after any significant change to the environment, in addition to quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). A Level 1 merchant must also have an annual on-site assessment by a Qualified Security Assessor (QSA) or a qualified internal auditor. Before that assessment, you need to show that identified flaws have been fixed, so a pentest is always a good idea.

  • Service providers (SOC 2)

Service Organization Control 2 (SOC 2), defined by the AICPA, is an attestation framework covering security, availability, processing integrity, confidentiality and privacy.

Many service providers, especially those that handle customer data in the course of delivering a service, will be asked by their customers for a SOC 2 report. Meeting the criteria requires audits, monitoring of network assets, alerting on anomalies and the ability to investigate incidents.

SOC 2 does not prescribe penetration testing, but because its criteria emphasise identifying and addressing vulnerabilities, a pentest is among the most common forms of evidence presented to a SOC 2 auditor.

What are the benefits of Penetration testing?

Now that you have an idea of who needs to conduct pentesting and why it is important, take a look at some of the common benefits that organisations achieve through pentesting.

  • Reveals vulnerabilities: during penetration testing, your network and system configurations are examined for gaps that could give attackers access. Testers look not only at your technical controls but also at the habits and routines of your staff that could lead to a breach. A report detailing the flaws found lets you decide which software and hardware changes are necessary and which policy changes would strengthen security overall.
  • Tests your cyber defence capabilities: your ability to recognise attacks and react suitably and promptly is crucial. Once an intrusion is detected, it must be investigated and contained, whether it comes from a genuine attacker or from testers evaluating your defences. If your detection and response fall short, the test results will show where.
  • Ensures business continuity: a reliable network, constant lines of communication and ready access to resources are essential to smooth operations around the clock, and every interruption costs the organisation. By identifying vulnerabilities before they are exploited, a pentest helps prevent disruptions in service or access to your systems. In this respect it is similar to a business continuity audit.
  • Shows real risks: pentesters attempt to exploit flaws, so you get a picture of the real-life consequences of an attack, such as unauthorised access to critical information or the ability to execute operating system commands. Conversely, a flaw that proves hard to exploit in practice may be less dangerous than its scanner rating suggests. Making that judgement requires the expertise of a specialist.
  • Provides a third-party expert opinion: management may be slow to respond when an issue is raised from within the organisation. A report from an outside expert is often more persuasive and more likely to result in budget being committed.


In some circumstances, no law requires compliance with information security standards. Nevertheless, doing so benefits your organisation's stability, longevity and reputation. Acquiring ISO 27001 certification and conducting regular pentests demonstrates to customers worldwide that you take security seriously and that known flaws in your infrastructure are found and addressed systematically.
