Does the ISO 27001 standard require a Pentest?
A legitimate question that often arises is whether a Penetration Test is necessary for compliance with the ISO 27001 standard. To answer it properly, we first need to clarify what these terms mean and how the various components of the certification relate to one another.
ISO 27001 standard
A technical norm, often loosely called a standard, is a document that describes the specifications a certain object, body or organization must comply with in order to be certified. In general, a standard describes requirements for materials, products, services, activities, processes, terminology, methodologies and other aspects of its subject. Put simply, norms are rules that regulate almost everything by providing design and methodological benchmarks.
The ISO 27001 standard (ISO/IEC 27001:2013) is the international standard that describes best practices for an ISMS, an Information Security Management System. Following the standard is not mandatory, but it is necessary in order to obtain a certification guaranteeing logical, physical and organizational security.
Obtaining ISO 27001 certification demonstrates that your company follows information security best practices and has undergone independent, qualified verification. Security is thereby guaranteed to be in line with both the international standard and the company's objectives.
Of great importance for the ISO 27001 standard is Annex A, “Control objectives and controls”, which contains the 133 controls that the company concerned must comply with.
Vulnerability Assessment and Penetration Test
When performing a Vulnerability Assessment on the network and computer systems, the aim is to identify all technical vulnerabilities present in operating systems and software. Examples of vulnerabilities include SQL Injection, XSS, CSRF, weak passwords, and so on. Detecting a vulnerability indicates that there is a recognized security risk caused by some kind of weakness; it does not say whether that vulnerability can actually be exploited. To find that out, a Penetration Test (or pentest) is required.
To illustrate, imagine you have a web application that is vulnerable to SQL Injection, which could allow an attacker to perform operations on the database. A VA identifies this vulnerability, i.e., it reports that it may be possible to access the database. If a pentest is then performed after the vulnerability assessment and the vulnerability can be exploited, the risk is demonstrated.
To comply with control A.12.6.1 of Annex A of the ISO 27001 standard, you must prevent the exploitation of technical vulnerabilities. How you do so, however, is up to you. Is a Pentest therefore necessary? Not necessarily.
After the vulnerability assessment, we could remediate the weaknesses and eliminate the risk before any pentest is performed. For the purposes of ISO 27001 compliance, therefore, the required result can be obtained simply by performing the vulnerability assessment and fixing the problems it raises.
That said, we strongly recommend carrying out a complete Penetration Test to be really sure of compliance with the standard. It helps you prioritize problems and tells you how exposed your systems actually are.
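As an added illustration of the distinction drawn above (example code, not from the original article or from SOD): a login query with the SQL Injection weakness a vulnerability assessment would report, the remediated version, and a pentest-style check that separates "exploitable" from merely "present". The table, user names and passwords are constructed for the example.

```python
import sqlite3

# Constructed sample rows (hypothetical users) so the example runs offline.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """What a vulnerability assessment would flag (intentionally vulnerable):
    user input is concatenated straight into the SQL text."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_fixed(conn, name, password):
    """The remediation chosen after the assessment: a parameterized query,
    so the driver treats user input strictly as data, never as SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def is_exploitable(login):
    """The pentest step: does the finding translate into real risk?
    We try to log in with a tautology in place of a password; the weakness
    is exploitable only if accounts come back without any valid credential."""
    conn = make_db()
    try:
        matches = login(conn, "alice", "' OR '1'='1")
    except sqlite3.DatabaseError:
        return False  # query rejected: the input did not become executable SQL
    finally:
        conn.close()
    return len(matches) > 0


if __name__ == "__main__":
    # Expected: the VA finding is exploitable before the fix, not after it.
    print("vulnerable version exploitable:", is_exploitable(login_vulnerable))  # True
    print("remediated version exploitable:", is_exploitable(login_fixed))  # False
```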
There are several solutions on the market for performing pentests. These are software tools that can ease the work and facilitate testing, but if operated by inexperienced personnel they can also create problems: the network may be slowed down and computers become noticeably less responsive, up to possible crashes of one or more of the systems involved.
When aiming for ISO 27001 certification, it is best not to play the hero and to make really sure the controls are met. Calling in professionals in the sector serves precisely to minimize risks and to ensure the process is carried out flawlessly.
SOD offers a vulnerability assessment and pentest service relying on professional ethical hackers. After an initial interview, the various stages of the process are carried out to identify and test potential threats. You can also ask for the vulnerability assessment to be repeated regularly to verify the security of your systems.