Does ISO 27001 standard require a Pentest?
A legitimate question that often arises is whether the Penetration Test is necessary for compliance with the ISO 27001 standard. To fully understand the answer, it is necessary to clarify what is meant by these terms and to understand the relationship between all the components of the certification.
ISO 27001 standard
A technical standard, also incorrectly called a standard, is a document that describes the specifications that a certain object / body / entity must comply with in order to be certified. In general, a standard describes the requirements of materials, products, services, activities, processes, terminology, methodologies and other aspects concerning the subject of the standard. In very simple words, norms are rules that regulate almost everything by offering constructive and methodological standards.
The ISO 27001 standard (ISO / IEC 27001: 2013) is the international standard that describes the best practices for an ISMS, Information Security Management System. Although following the standard is not mandatory, it is necessary to obtain a certification to guarantee logical, physical and organizational security.
Obtaining an ISO 27001 certification demonstrates that your company is following information security best practices and provides independent and qualified control. Safety is guaranteed to be in line with the international standard and company objectives.
Of great importance for the ISO 27001 standard is Annex A “Control objective and controls”, which contains the 133 controls that the company concerned must comply with.
Vulnerability Assessment and Penetration Test
When performing a Vulnerability Assessment on the network and computer systems, the aim is to identify all technical vulnerabilities present in operating systems and software. Some examples of vulnerabilities can be SQL Injection, XSS, CSRF, weak passwords, etc. The vulnerability detection indicates that there is a recognized security risk due to a problem of some kind. It does not say whether or not it is possible to exploit the vulnerability. To find out, it is necessary to carry out a Penetration Test (or pentest).
To explain the above, imagine that you have a web application that is vulnerable to SQL Injection which could allow an attacker to perform operations on the database. A VA identifies this vulnerability, ie it may be possible to access the database. Following the vulnerability assessment, if a pentest is performed and the vulnerability can be exploited, the risk would be demonstrated.
To comply with control A.12.6.1 of Annex A of the ISO 27001 standard, it is necessary to prevent the exploitation of technical vulnerabilities. However, the decision on how to proceed is up to you. Is it therefore necessary to perform a Pentest? Not necessarily.
After the vulnerability analysis, we could fix and fix the weaknesses and eliminate the risk before performing a pentest. Therefore, for the purposes of compliance with the ISO 27001 standard, the required result can be obtained simply by performing the vulnerability assessment and solving the potential problems that have arisen.
Having said that, we strongly recommend that you carry out a complete Penetration Test to be really sure of compliance with the standard. It can help you prioritize problems and tell you how vulnerable your systems are.
Esistono sul mercato diverse soluzioni per svolgere pentest. Sono software che possono agevolare il lavoro e facilitare il test, ma se azionati da personale inesperto, possono anche creare dei problemi. e’ possibile che la rete ne risulti rallentata e i computer sensibilmente meno reattivi, fino anche a possibili crash di uno o piu’ dei sistemi coinvolti.
Puntando alla certificazione per lo standard ISO 27001, e’ meglio non fare gli eroi e assicurarsi davvero che i controlli siano rispettati. Richiedere l’intervento di professionisti del settore, serve proprio a minimizzare i rischi e assicurarsi che il processo sia svolto in modo impeccabile.
SOD offre un servizio di verifica delle vulnerabilita’ e pentest affidandosi ad hacker etici professionisti. Dopo un primo colloquio, le varie fasi del processo sono eseguite per verificare e testare le potenziali minacce. E’ possibile anche richiedere che la verifica delle vulnerabilita’ sia svolta con regolarita’ per verificare la sicurezza dei sistemi.
Richiedi informazioni specifiche, oppure visita la pagina dedicata. Per ulteriori informazioni sulle nostre certificazioni, e’ possibile visitare l’apposita pagina.
There are several solutions on the market to perform pentest. They are software that can facilitate the work and facilitate the test, but if operated by inexperienced personnel, they can also create problems. it is possible that the network will be slowed down and the computers noticeably less reactive, up to possible crashes of one or more of the systems involved.
Aiming for ISO 27001 certification, it’s best not to be heroes and really make sure the controls are respected. Requesting the intervention of professionals in the sector serves precisely to minimize risks and make sure that the process is carried out flawlessly.
SOD offers a vulnerability verification and pentest service relying on professional ethical hackers. After an initial interview, the various stages of the process are carried out to verify and test potential threats. It is also possible to request that the verification of vulnerabilities be carried out regularly to verify the security of the systems.
Request specific information, or visit the dedicated page. For more information on our certifications, you can visit the appropriate page.
Security: pentest and verification of vulnerabilities
- The SOAR benefits: simplifying investigation and response
- Security Code Review: How the service works
- Integration of the automated response: the automations in SOCaaS
- Coordination between CTI and SOC: how to further raise the defenses
- New Cloud Server: redundant internet
- Quality certificate for the SOCaaS of SOD
- Managed Detection and Response: a new preventive approach
- CLUSIT: our collaboration for better services
- Backup as a Service (17)
- Acronis Cloud Backup (11)
- Veeam Cloud Connect (4)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (22)
- Conferenza Cloud (4)
- ICT Monitoring (5)
- Log Management (2)
- News (21)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (14)
- Security (170)
- Cyber Threat Intelligence (CTI) (6)
- Ethical Phishing (8)
- Penetration Test (5)
- SOCaaS (55)
- Vulnerabilities (84)
- Web Hosting (15)
- Verizon DBIR: Social Engineering Breaches Double, Leading to Spiraling Ransomware Costs June 6, 2023Ransomware continues its runaway growth with median payments reaching $50,000 per incident.
- Researchers Spot a Different Kind of Magecart Card-Skimming Campaign June 6, 2023In addition to injecting a card skimmer into target Magento, WooCommerce, Shopify, and WordPress sites, the the threat actor is also hijacking targeted domains to deliver the malware to other sites.
- Microsoft Preps $425M Payment for LinkedIn GDPR Violations June 6, 2023The company plans on disputing these fines once a final decision is made, but warned shareholders that it set aside the funds to pay it, nonetheless.
- With SEC Rule Changes on the Horizon, Research Reveals Only 14% of CISOs Have Traits Desired for Cyber Expert Board Positions June 6, 2023
- ILTA and Conversant Group Release Cybersecurity Benchmarking Survey of the Legal Industry June 6, 2023Joint research highlights disconnect between legal IT and recommended cybersecurity practices.
- Netskope Intelligent SSE Selected by Transdev to Secure and Connect its Hybrid Workforce June 6, 2023Implementation is part of Transdev's Cloud-First approach to better manage technological obsolescence.
- Filling the Gaps: How to Secure the Future of Hybrid Work June 6, 2023By enhancing remote management and adopting hardware-enforced security, productivity can continue without inviting extra cyber-risk.
- US Aerospace Contractor Hacked With 'PowerDrop' Backdoor June 6, 2023Hackers used a little to do a lot, cracking a high-value target with hardly more than the living-off-the-land tools (PowerShell especially) found on any standard Windows computer.
- ChatGPT Hallucinations Open Developers to Supply Chain Malware Attacks June 6, 2023Attackers could exploit a common AI experience — false recommendations — to spread malicious code via developers that use ChatGPT to create software.
- Red Sift Launches Relevance Detection as GPT-4-Powered Asset Discovery and Classification Solution June 5, 2023New AI feature enhances OnDOMAIN's capabilities to secure unknown vulnerabilities and strengthen network security posture.
- [CVE-2023-29459] FC Red Bull Salzburg App "at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity" Arbitrary URL Loading June 2, 2023Posted by Julien Ahrens (RCE Security) on Jun 02RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: FC Red Bull Salzburg App Vendor URL: https://play.google.com/store/apps/details?id=laola.redbull Type: Improper Authorization in Handler for Custom URL Scheme [CWE-939] Date found: 2023-04-06 Date published: 2023-06-01 CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVE: CVE-2023-29459...
- [RT-SA-2022-004] STARFACE: Authentication with Password Hash Possible June 1, 2023Posted by RedTeam Pentesting GmbH on Jun 01Advisory: STARFACE: Authentication with Password Hash Possible RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database […]
- CVE-2022-48336 - Buffer Overflow in Widevine Trustlet (PRDiagParseAndStoreData @ 0x5cc8) May 30, 2023Posted by Cyber Intel Security on May 301. INFORMATION -------------- [+] CVE : CVE-2022-48336 [+] Title : Buffer Overflow in Widevine Trustlet (PRDiagParseAndStoreData @ 0x5cc8) [+] Vendor : Google [+] Device : Nexus 6 [+] Affected component : Widevine [+] Publication date : March 2023 [+] Credits : CyberIntel Team 2. AFFECTED VERSIONS -------------------- 5.0.0 […]
- CVE-2022-48335 - Buffer Overflow in Widevine Trustlet (PRDiagVerifyProvisioning @ 0x5f90) May 30, 2023Posted by Cyber Intel Security on May 301. INFORMATION -------------- [+] CVE : CVE-2022-48335 [+] Title : Buffer Overflow in Widevine Trustlet (PRDiagVerifyProvisioning @ 0x5f90) [+] Vendor : Google [+] Device : Nexus 6 [+] Affected component : Widevine [+] Publication date : March 2023 [+] Credits : CyberIntel Team 2. AFFECTED VERSIONS -------------------- 5.0.0 […]
- CVE-2022-48334 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x7370) May 30, 2023Posted by Cyber Intel Security on May 301. INFORMATION -------------- [+] CVE : CVE-2022-48334 [+] Title : Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x7370) [+] Vendor : Google [+] Device : Nexus 6 [+] Affected component : Widevine [+] Publication date : March 2023 [+] Credits : CyberIntel Team 2. AFFECTED VERSIONS -------------------- 5.0.0 […]
- CVE-2022-48333 - Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x730c) May 30, 2023Posted by Cyber Intel Security on May 301. INFORMATION -------------- [+] CVE : CVE-2022-48333 [+] Title : Buffer Overflow in Widevine Trustlet (drm_verify_keys @ 0x730c) [+] Vendor : Google [+] Device : Nexus 6 [+] Affected component : Widevine [+] Publication date : March 2023 [+] Credits : CyberIntel Team 2. AFFECTED VERSIONS -------------------- 5.0.0 […]
- CVE-2022-48332 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x6a18) May 30, 2023Posted by Cyber Intel Security on May 301. INFORMATION -------------- [+] CVE : CVE-2022-48332 [+] Title : Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x6a18) [+] Vendor : Google [+] Device : Nexus 6 [+] Affected component : Widevine [+] Publication date : March 2023 [+] Credits : CyberIntel Team 2. AFFECTED VERSIONS -------------------- 5.0.0 […]
- CVE-2022-48331 - Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x69b0) May 30, 2023Posted by Cyber Intel Security on May 301. INFORMATION -------------- [+] CVE : CVE-2022-48331 [+] Title : Buffer Overflow in Widevine Trustlet (drm_save_keys @ 0x69b0) [+] Vendor : Google [+] Device : Nexus 6 [+] Affected component : Widevine [+] Publication date : March 2023 [+] Credits : CyberIntel Team 2. AFFECTED VERSIONS -------------------- 5.0.0 […]
- SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer May 30, 2023Posted by Lennert Preuth via Fulldisclosure on May 30Title ===== SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer Status ====== PUBLISHED Version ======= 1.0 CVE reference ============= CVE-2023-33255 Link ==== https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/ Text-only version: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt Further SCHUTZWERK advisories: https://www.schutzwerk.com/blog/tags/advisories/ Affected products/vendor...
- [RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery May 30, 2023Posted by RedTeam Pentesting GmbH on May 30For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response […]
Estimated reading time: 6 minutes L'impatto crescente delle minacce informatiche, su sistemi operativi privati op… https://t.co/FimxTS4o9G
Estimated reading time: 6 minutes The growing impact of cyber threats, on private or corporate operating systems… https://t.co/y6G6RYA9n1
Tempo di lettura stimato: 6 minuti Today we are talking about the CTI update of our services. Data security is… https://t.co/YAZkn7iFqa
Estimated reading time: 6 minutes Il tema della sicurezza delle informazioni è di grande attualità in questo peri… https://t.co/tfve5Kzr09
Estimated reading time: 6 minutes The issue of information security is very topical in this historical period ch… https://t.co/TP8gvdRcrF
Copyright © 2011 Secure Online Desktop s.r.l. All Rights Reserved.