Standard ISO 27001 Giacomo Lanzi

Does ISO 27001 standard require a Pentest?

A legitimate question that often arises is whether the Penetration Test is necessary for compliance with the ISO 27001 standard. To fully understand the answer, it is necessary to clarify what is meant by these terms and to understand the relationship between all the components of the certification.

ISO 27001 standard

A technical standard (often loosely referred to simply as a "standard") is a document that describes the specifications that a certain object, body or organization must comply with in order to be certified. In general, a standard describes the requirements for materials, products, services, activities, processes, terminology, methodologies and other aspects concerning its subject. In very simple words, standards are rules that regulate almost everything by offering constructive and methodological references.

The ISO 27001 standard (ISO/IEC 27001:2013) is the international standard that describes best practices for an ISMS, an Information Security Management System. Following the standard is not mandatory, but it is necessary in order to obtain a certification that attests to logical, physical and organizational security.

Obtaining an ISO 27001 certification demonstrates that your company is following information security best practices and provides independent, qualified verification. Security is confirmed to be in line with the international standard and with company objectives.

Of great importance for the ISO 27001 standard is Annex A, "Control objectives and controls", which contains the 133 controls that the company concerned must comply with.

Vulnerability Assessment and Penetration Test

When performing a Vulnerability Assessment on the network and computer systems, the aim is to identify all technical vulnerabilities present in operating systems and software. Some examples of vulnerabilities are SQL Injection, XSS, CSRF, weak passwords, etc. Detecting a vulnerability indicates that there is a recognized security risk due to a problem of some kind. It does not say whether or not the vulnerability can actually be exploited. To find out, it is necessary to carry out a Penetration Test (or pentest).

To illustrate the above, imagine that you have a web application that is vulnerable to SQL Injection, which could allow an attacker to perform operations on the database. A VA identifies this vulnerability, i.e. it reports that it may be possible to access the database. If a pentest is then performed after the vulnerability assessment and the vulnerability can be exploited, the risk is demonstrated.

To comply with control A.12.6.1 of Annex A of the ISO 27001 standard, it is necessary to prevent the exploitation of technical vulnerabilities. However, the decision on how to proceed is up to you. Is it therefore necessary to perform a Pentest? Not necessarily.

After the vulnerability analysis, we could fix the weaknesses and eliminate the risk before performing a pentest. Therefore, for the purposes of compliance with the ISO 27001 standard, the required result can be obtained simply by performing the vulnerability assessment and resolving the potential problems that it raises.
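The SQL Injection scenario described above, carried through the VA-finds-it, fix-it, verify-the-fix flow that control A.12.6.1 asks for. This is an added example, not code from the original post or from SOD: the in-memory SQLite user store, the table layout and the `lookup_vulnerable` / `lookup_fixed` / `fix_is_effective` function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# web application's user store (hypothetical, not the page's own code).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The weakness a vulnerability assessment would flag: user input is
    # concatenated into the SQL text, so it can change the query's logic.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    # The remediation: a parameterised query. The input is bound as data and
    # is never interpreted as SQL, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def fix_is_effective(conn: sqlite3.Connection) -> bool:
    # Regression check to keep with the A.12.6.1 evidence: the input that
    # makes the vulnerable function return every user must match nobody
    # once the query is parameterised.
    tautology = "' OR '1'='1"
    before = lookup_vulnerable(conn, tautology)
    after = lookup_fixed(conn, tautology)
    return len(before) == 2 and after == []

if __name__ == "__main__":
    db = make_db()
    print("fix verified:", fix_is_effective(db))
```

Running the check as part of the build turns the remediation into evidence that can be shown to the auditor, rather than a one-off finding that was closed by hand.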

Having said that, we strongly recommend that you carry out a complete Penetration Test to be really sure of compliance with the standard. It can help you prioritize problems and tell you how vulnerable your systems are.

Contact professionals


There are several solutions on the market for performing pentests. They are software tools that can ease the work and facilitate the test, but if operated by inexperienced personnel they can also create problems: the network may be slowed down and computers may become noticeably less responsive, up to possible crashes of one or more of the systems involved.

When aiming for ISO 27001 certification, it's best not to play the hero and to really make sure the controls are respected. Requesting the intervention of professionals in the sector serves precisely to minimize risks and make sure that the process is carried out flawlessly.

SOD offers a vulnerability verification and pentest service relying on professional ethical hackers. After an initial interview, the various stages of the process are carried out to verify and test potential threats. It is also possible to request that the verification of vulnerabilities be carried out regularly to verify the security of the systems.

Request specific information, or visit the dedicated page. For more information on our certifications, you can visit the appropriate page.


Useful links:

Security: pentest and verification of vulnerabilities
