Standard ISO 27001 Giacomo Lanzi

Does ISO 27001 standard require a Pentest?

A legitimate question that often arises is whether the Penetration Test is necessary for compliance with the ISO 27001 standard. To fully understand the answer, it is necessary to clarify what is meant by these terms and to understand the relationship between all the components of the certification.

ISO 27001 standard

A technical standard, also incorrectly called a standard, is a document that describes the specifications that a certain object / body / entity must comply with in order to be certified. In general, a standard describes the requirements of materials, products, services, activities, processes, terminology, methodologies and other aspects concerning the subject of the standard. In very simple words, norms are rules that regulate almost everything by offering constructive and methodological standards.

The ISO 27001 standard (ISO / IEC 27001: 2013) is the international standard that describes the best practices for an ISMS, Information Security Management System. Although following the standard is not mandatory, it is necessary to obtain a certification to guarantee logical, physical and organizational security.

Obtaining an ISO 27001 certification demonstrates that your company is following information security best practices and provides independent and qualified control. Safety is guaranteed to be in line with the international standard and company objectives.

Of great importance for the ISO 27001 standard is Annex A “Control objective and controls”, which contains the 133 controls that the company concerned must comply with.

Vulnerability Assessment and Penetration Test

When performing a Vulnerability Assessment on the network and computer systems, the aim is to identify all technical vulnerabilities present in operating systems and software. Some examples of vulnerabilities can be SQL Injection, XSS, CSRF, weak passwords, etc. The vulnerability detection indicates that there is a recognized security risk due to a problem of some kind. It does not say whether or not it is possible to exploit the vulnerability. To find out, it is necessary to carry out a Penetration Test (or pentest).

To explain the above, imagine that you have a web application that is vulnerable to SQL Injection which could allow an attacker to perform operations on the database. A VA identifies this vulnerability, ie it may be possible to access the database. Following the vulnerability assessment, if a pentest is performed and the vulnerability can be exploited, the risk would be demonstrated.

To comply with control A.12.6.1 of Annex A of the ISO 27001 standard, it is necessary to prevent the exploitation of technical vulnerabilities. However, the decision on how to proceed is up to you. Is it therefore necessary to perform a Pentest? Not necessarily.

After the vulnerability analysis, we could fix and fix the weaknesses and eliminate the risk before performing a pentest. Therefore, for the purposes of compliance with the ISO 27001 standard, the required result can be obtained simply by performing the vulnerability assessment and solving the potential problems that have arisen.

Having said that, we strongly recommend that you carry out a complete Penetration Test to be really sure of compliance with the standard. It can help you prioritize problems and tell you how vulnerable your systems are.

Contact professionals

Esistono sul mercato diverse soluzioni per svolgere pentest. Sono software che possono agevolare il lavoro e facilitare il test, ma se azionati da personale inesperto, possono anche creare dei problemi. e’ possibile che la rete ne risulti rallentata e i computer sensibilmente meno reattivi, fino anche a possibili crash di uno o piu’ dei sistemi coinvolti.

Puntando alla certificazione per lo standard ISO 27001, e’ meglio non fare gli eroi e assicurarsi davvero che i controlli siano rispettati. Richiedere l’intervento di professionisti del settore, serve proprio a minimizzare i rischi e assicurarsi che il processo sia svolto in modo impeccabile

SOD offre un servizio di verifica delle vulnerabilita’ e pentest affidandosi ad hacker etici professionisti. Dopo un primo colloquio, le varie fasi del processo sono eseguite per verificare e testare le potenziali minacce. E’ possibile anche richiedere che la verifica delle vulnerabilita’ sia svolta con regolarita’ per verificare la sicurezza dei sistemi. 

Richiedi informazioni specifiche, oppure visita la pagina dedicata. Per ulteriori informazioni sulle nostre certificazioni, e’ possibile visitare l’apposita pagina.

 

There are several solutions on the market to perform pentest. They are software that can facilitate the work and facilitate the test, but if operated by inexperienced personnel, they can also create problems. it is possible that the network will be slowed down and the computers noticeably less reactive, up to possible crashes of one or more of the systems involved.

Aiming for ISO 27001 certification, it’s best not to be heroes and really make sure the controls are respected. Requesting the intervention of professionals in the sector serves precisely to minimize risks and make sure that the process is carried out flawlessly.

SOD offers a vulnerability verification and pentest service relying on professional ethical hackers. After an initial interview, the various stages of the process are carried out to verify and test potential threats. It is also possible to request that the verification of vulnerabilities be carried out regularly to verify the security of the systems.

Request specific information, or visit the dedicated page. For more information on our certifications, you can visit the appropriate page.

[btnsx id=”2931″]

Useful links:

Security: pentest and verification of vulnerabilities

 

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • CVE-2024-33326 July 11, 2024
    Posted by Rodolfo Tavares via Fulldisclosure on Jul 10=====[ Tempest Security Intelligence - ADV-6/2024 ]========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
  • CVE-2024-33327 July 11, 2024
    Posted by Rodolfo Tavares via Fulldisclosure on Jul 10=====[ Tempest Security Intelligence - ADV-6/2024 ]========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
  • CVE-2024-33328 July 11, 2024
    Posted by Rodolfo Tavares via Fulldisclosure on Jul 10=====[ Tempest Security Intelligence - ADV-6/2024 ]========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
  • CVE-2024-33329 July 11, 2024
    Posted by Rodolfo Tavares via Fulldisclosure on Jul 10=====[ Tempest Security Intelligence - ADV-6/2024 ]========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== Overview Detailed description Timeline of disclosure Thanks & Acknowledgements References =====[ Vulnerability Information]============================================= Class:...
  • CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100 July 4, 2024
    Posted by Thomas Weber via Fulldisclosure on Jul 03CyberDanube Security Research 20240703-0 ------------------------------------------------------------------------------- title| Authenticated Command Injection product| Helmholz Industrial Router REX100 | MBConnectline mbNET.mini vulnerable version|
  • SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice July 4, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jul 03SEC Consult Vulnerability Lab Security Advisory < 20240627-0 > ======================================================================= title: Local Privilege Escalation via MSI installer product: SoftMaker Office / FreeOffice vulnerable version: SoftMaker Office 2024 / NX before revision 1214 FreeOffice 2021 Revision 1068 FreeOffice 2024 before revision 1215...
  • SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products July 4, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jul 03SEC Consult Vulnerability Lab Security Advisory < 20240626-0 > ======================================================================= title: Multiple Vulnerabilities in Power Automation Products product: Siemens CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE vulnerable version: CPC80 < V16.41 / CPCI85 < V5.30 / OPUPI0 < V5.30 / SICORE < V1.3.0 / CPCX26 < V06.02 for CP-2016...
  • Novel DoS Vulnerability Affecting WebRTC Media Servers July 4, 2024
    Posted by Sandro Gauci via Fulldisclosure on Jul 03Dear Colleagues, We have published a new blog post discussing a novel Denial-of-Service (DoS) vulnerability affecting WebRTC media servers. ## Executive summary (TL;DR) A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability […]
  • APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 July 4, 2024
    Posted by Apple Product Security via Fulldisclosure on Jul 03APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT214111. Apple maintains a Security Releases […]
  • 40 vulnerabilities in Toshiba Multi-Function Printers July 4, 2024
    Posted by Pierre Kim on Jul 03No message preview for long message of 338832 bytes.

Customers

Newsletter

{subscription_form_1}