ISO 27001 penetration testing & vulnerability analysis

Helping you achieve & maintain ISO 27001 certification

ISO 27001 & our testing services

Information security has quickly moved up the agenda within organisations, with both senior management and clients often requiring assurances that security standards have been met. The ISO 27001 certification is an internationally trusted standard which helps organisations establish, implement, maintain, and continually improve their information security management systems (ISMS), ensuring that information assets remain safe and secure.  

Penetration testing and vulnerability analysis are an essential part of ISO 27001 certification, and control objective A12.6.1 states that:

“Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.” 

Our ISO 27001 service has been designed to meet these requirements. But more than that, our service is here to support your security improvement, remediation efforts and provide you with the assurance that your information security is as robust as possible.  

Pentest Ltd is not an accrediting body for ISO 27001; we test in accordance with the scope of your ISMS, as set by your Information Security Manager (ISM) or your independent Certification Body (CB). Our sister company, Xcina Consulting, can offer a full range of services related to ISO 27001 as a BSI Platinum Member.


Where does testing fit into the ISO 27001 process?

Our service can be utilised at various stages throughout the ISO 27001 process, helping you assess and remediate information security risks to your organisation. 

Risk Assessment

Penetration testing is designed to identify as many vulnerabilities as possible within a set target and a set timeframe. These can then be analysed and ranked based on your risk criteria. 

Risk Treatment

Our testing service can be implemented as part of your risk treatment planning, helping ensure that security controls are effective, and work as designed.  

Ongoing Improvement

What is considered ‘secure’ today can be vulnerable tomorrow. Our services can be deployed on a regular basis, helping you stay on top of these ever-evolving threats. This may include internal auditing of systems, applications, processes and infrastructure covered by the ISMS. Internal auditing is an essential component of continuing ISO 27001 certification, ensuring compliance (at regular intervals) with both the organisation’s and the International Standard’s requirements.

What we test

Our ISO 27001 testing is tailored to your exact requirements, ensuring that you are meeting your certification requirements and providing assurances that your security measures are as robust as possible. Typically, our ISO 27001 testing will include:  

Web & Mobile Applications

Our application testing is aligned with industry standards such as OWASP and will look to uncover as many security issues as possible within a target application. The issues we look for include injection vulnerabilities, security misconfiguration and authentication weaknesses, logic flaws such as access control and broken authorisation issues, insecure data transfer and storage, as well as the OWASP Top 10 vulnerabilities.

External & Internal Infrastructure

Our network infrastructure testing is designed to investigate your external networks (your publicly facing networks) and/or your internal networks (the servers, devices and software that make up your internal networks), identifying potential security issues and misconfigurations that could be exploited by malicious outsiders or insider threats.  

Not sure what testing you need?

Our team will be happy to discuss your individual requirements and provide a no obligation proposal based on your needs.

Our ISO 27001 testing process

Every ISO 27001 test goes through a rigorous process, ensuring that you get the best possible outcome and that you are fully complying with the required standards. Below we outline the key stages our testing goes through:   

1. Scoping

Your dedicated account manager (AM) will work with you to fully understand your organisation, your security objectives and the systems under review. The AM will then work with the assigned Pentest consultants & your stakeholders to ensure testing meets your needs.

2. Proposal

A bespoke proposal of work will be drawn up based on the information gathered from the earlier stage. This will outline the planned scope of work, our approach, the set rules of engagement and any preparations needed to allow us to start testing.

3. Testing

Testing will begin on the agreed date, and our consultants will communicate with you throughout the engagement according to the requirements you set. All testing is conducted manually, and our consultants will look to identify as many issues as possible in the time allotted.

4. Reporting

A comprehensive, quality assured report will be delivered following the test. Our report will provide both a technical and managerial overview of testing, a comprehensive analysis of the vulnerabilities found and our detailed remediation advice.

5. Post-test support & retest

Our job does not finish with the delivery of the report; our consultants will be available after the test to support your remediation efforts. Once remediation has been completed, we will conduct a fix-check to ensure the issues have been mitigated.

6. Evidence of testing

We can provide further evidence of testing, outlining the initial test engagement and reporting upon any retesting phases that were undertaken. These documents are designed to provide the detailed evidence needed to satisfy ISO 27001 certification requirements.

Why choose Pentest?

Our test process isn’t the only reason clients choose to work with us. Find out more about Pentest, our ethos and the support we offer our clients.

Contact us

Want to find out more about our ISO 27001 penetration testing service? Our team are on hand to provide you with the information you need. Please fill out the form below and one of our team will be in touch shortly.