ISO 27001 Penetration Testing & Vulnerability Analysis

Helping you achieve & maintain ISO 27001 certification

ISO 27001 & penetration testing

Information security has quickly moved up the agenda within organisations, with both senior management and clients often requiring assurances that security standards have been met. The ISO 27001 certification is an internationally trusted standard which helps organisations establish, implement, maintain, and continually improve their information security management systems (ISMS), ensuring that information assets remain safe and secure.  

Penetration testing and vulnerability analysis are a widely used means of meeting the technical vulnerability management requirements of ISO 27001. Annex A control A.12.6.1 (ISO/IEC 27001:2013; the equivalent control in the 2022 revision is A.8.8, Management of technical vulnerabilities) states that:

“Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.” 

Our ISO 27001 service has been designed to meet these requirements. But more than that, our service is here to support your security improvement, remediation efforts and provide you with the assurance that your information security is as robust as possible.  

Pentest Ltd is not a certification body for ISO 27001; we test in accordance with the scope of your ISMS, as set by your Information Security Manager (ISM) or your independent Certification Body (CB). Our sister company, Xcina Consulting, can offer a full range of services related to ISO 27001 as a BSI Platinum Member.

How can penetration testing assist?

Our service can be utilised at various stages throughout the ISO 27001 process, helping you assess and remediate information security risks to your organisation. 

Risk Assessment

Penetration testing is designed to identify as many vulnerabilities as possible within an agreed scope and timeframe. Because each finding comes with evidence of how it was exploited and what it exposed, the results can be analysed and ranked against your own risk criteria (likelihood, impact and asset classification) rather than a generic severity score, and then recorded in your risk register.

Risk Treatment

Our testing service can be implemented as part of your risk treatment planning, helping ensure that the security controls you have selected are effective and work as designed, and giving each finding an owner, a treatment decision and a remediation deadline.
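The ranking described under Risk Assessment and the treatment deadlines described under Risk Treatment are the two things an auditor will look for against A.12.6.1: exposure evaluated against the organisation's own criteria, and a measure with a date recorded for each issue. The script below is an added example, not Pentest Ltd's tooling or any ISO deliverable. The five-point likelihood and impact scales, the asset-classification weights, the risk bands and the SLA per band are all assumptions standing in for what a real ISMS would define, and the four findings are constructed sample data, not results from any engagement.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed risk criteria (an ISMS defines its own): 5-point likelihood and impact
# scales, a weight per asset classification, and a remediation SLA per risk band.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ASSET_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
# (minimum score, band, SLA in days), checked from highest band to lowest
RISK_BANDS = [(15, "critical", 7), (9, "high", 30), (4, "medium", 90), (0, "low", 180)]


@dataclass(frozen=True)
class Finding:
    ref: str
    title: str
    asset: str
    asset_class: str            # key into ASSET_WEIGHT
    likelihood: str             # key into LIKELIHOOD
    impact: str                 # key into IMPACT
    externally_reachable: bool  # reachable from the internet without credentials


def risk_score(f: Finding) -> float:
    """Likelihood x impact, weighted by asset classification.

    An issue reachable from the internet is treated one likelihood step higher
    (capped at the top of the scale) because the attacker population is larger.
    """
    likelihood = LIKELIHOOD[f.likelihood]
    if f.externally_reachable:
        likelihood = min(likelihood + 1, 5)
    return likelihood * IMPACT[f.impact] * ASSET_WEIGHT[f.asset_class]


def risk_band(score: float) -> tuple[str, int]:
    """Map a score onto the organisation's risk bands; returns (band, sla_days)."""
    for threshold, band, sla_days in RISK_BANDS:
        if score >= threshold:
            return band, sla_days
    raise ValueError(f"score {score} is below every band")  # unreachable with a 0 floor


def treatment_plan(findings, reported_on: date) -> list[dict]:
    """Rank findings by score (highest first) and set a remediation deadline from
    the SLA of each finding's band: the register an auditor asks for against
    A.12.6.1, with exposure evaluated and a measure plus deadline recorded."""
    rows = []
    for f in findings:
        score = risk_score(f)
        band, sla_days = risk_band(score)
        rows.append({"ref": f.ref, "title": f.title, "asset": f.asset, "score": score,
                     "band": band, "deadline": reported_on + timedelta(days=sla_days)})
    return sorted(rows, key=lambda r: -r["score"])  # stable sort: ties keep report order


def overdue(plan, today: date, closed=frozenset()) -> list[str]:
    """Refs whose deadline has passed and which a fix check has not yet closed."""
    return [r["ref"] for r in plan if r["deadline"] < today and r["ref"] not in closed]


# Constructed sample findings (illustrative only, not from any real engagement).
SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in login form", "customer portal", "high",
            "likely", "severe", True),
    Finding("F-002", "TLS 1.0 still enabled", "VPN gateway", "medium",
            "possible", "moderate", True),
    Finding("F-003", "Verbose server banner", "intranet wiki", "low",
            "unlikely", "negligible", False),
    Finding("F-004", "No rate limiting on password reset", "HR application", "medium",
            "possible", "major", False),
]
REPORTED_ON = date(2024, 1, 15)  # constructed report date

if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_FINDINGS, REPORTED_ON)
    for r in plan:
        print(f'{r["ref"]} {r["band"]:8} {r["score"]:5.1f} due {r["deadline"]} {r["title"]}')
    print("overdue at 2024-03-01:", overdue(plan, date(2024, 3, 1), closed={"F-001"}))
```

Two design points are worth noting. The same technical issue lands in different bands depending on the asset it sits on and whether it is internet-facing, which is exactly why the ranking should use the organisation's criteria rather than a scanner's severity label. And the `overdue` check is what turns a one-off report into the "timely" evidence the control asks for: a finding stays in the register until a fix check closes it, not until the report is filed.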

Ongoing Improvement

What is considered 'secure' today can be vulnerable tomorrow. Our services can be deployed on a regular basis, helping you stay on top of these ever-evolving threats. This may include internal auditing of systems, applications, processes and infrastructure covered by the ISMS. Internal audits at planned intervals are a requirement of the standard itself (clause 9.2) and an essential component of maintaining ISO 27001 certification, confirming that the ISMS conforms both to the organisation's own requirements and to those of the International Standard.

What we test

Our ISO 27001 testing is tailored to your exact requirements, ensuring that you are meeting your certification requirements and providing assurances that your security measures are as robust as possible. Typically, our ISO 27001 testing will include:  

Web & Mobile Applications

Our application testing is aligned with OWASP testing guidance and will look to uncover as many security issues as possible within a target application. The issues we look for include injection vulnerabilities, security misconfiguration, broken authentication and session management, access-control and authorisation flaws, business-logic flaws, insecure data transfer and storage, and the remaining OWASP Top 10 categories.

External & Internal Infrastructure

Our network infrastructure testing is designed to investigate your external networks (your publicly facing networks) and/or your internal networks (the servers, devices and software that make up your internal networks), identifying security issues and misconfigurations that could be exploited by a malicious outsider or by an insider threat.

Not sure what type of testing you need?

Our team will be happy to discuss your individual requirements and provide a no obligation proposal based on your needs.

Our approach

The security confidence we provide doesn't come from a one-size-fits-all solution.

Every ISO 27001 test goes through a rigorous process, ensuring that you get the best possible outcome and that you are fully complying with the required standards. Below we outline the key stages our testing goes through:   

1. Client Focused Scoping

We work closely with you to fully understand your ISO 27001 requirements and your desired outcomes, before putting forward a bespoke test proposal.

2. Expert Manual Testing

Testing will commence on the agreed date and our consultants will communicate with you throughout the engagement, to your set requirements.

3. Tailored Reporting

Reporting isn't just a piece of paper; it's an ongoing process. We tailor our reporting to you, whether you need in-test notifications, ticket integration or a bespoke test report.

4. Post-Test Support

Our job doesn't finish on delivery of the report. We make our consultants available after your test to provide clarification on findings and to pass on their expertise.

5. Fix Check & Documentation

A fix check (retest) can be employed to confirm that the issues found have been successfully remediated, and documentation of the test and the retest can be supplied as evidence for your ISO 27001 certification requirements.

6. Ongoing Partnership

We see ourselves as trusted advisors and welcome clients contacting us outside of testing, providing honest advice on security issues wherever we can.

Like the sound of our approach?

You can find out more about our test process and why it sets us apart.

Contact us

Want to find out more about our ISO 27001 penetration testing service? Our team are on hand to provide you with the information you need. Please fill out the form below and one of our team will be in touch shortly.