ISO 27001 Penetration Testing & Vulnerability Analysis

Helping you achieve & maintain ISO 27001 certification.

Penetration testing & ISO 27001

Cybersecurity has quickly moved up the agenda within organisations, with both senior management and clients often requiring assurances that security standards have been met. The ISO 27001 certification is an internationally trusted standard which helps organisations establish, implement, maintain, and continually improve their information security management systems (ISMS), ensuring that information assets remain safe and secure.  

Penetration testing and vulnerability analysis are an essential part of ISO 27001 certification, and control objective A12.6.1 states that:

“Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.” 

Our ISO 27001 service has been designed to meet these requirements. But more than that, our service is here to support your improvement, remediation efforts and provide you with the assurance that your cybersecurity is as robust as possible.  

Pentest Ltd is not an accrediting body for ISO 27001; we test in accordance with the scope of your ISMS, as set by your Information Security Manager (ISM) or your independent Certification Body (CB). Our sister company, Xcina Consulting, can offer a full range of services related to ISO 27001 as a BSI Platinum Member.

ISO 27001 testing - stages

Our service can be utilised at various stages throughout the ISO 27001 process, helping you assess and remediate cybersecurity risks to your organisation. 

Risk Assessment

Penetration testing is designed to identify as many vulnerabilities as possible within a set target and a set timeframe. These can then be analysed and ranked based on your risk criteria.

Risk Treatment

Our testing service can be implemented as part of your risk treatment planning, helping ensure that security controls are effective, and work as designed.  

Ongoing Improvement

What is considered ‘secure’ today can be vulnerable tomorrow. Our services can be deployed on a regular basis, helping you stay on top of these ever-evolving threats. This may include internal auditing of systems, applications, processes and infrastructure covered by the ISMS. Internal auditing is an essential component of the ISO 27001 continuing certification, ensuring compliance (at regular intervals) with both the organisation’s and the International Standard’s requirements.  

ISO 27001 - What we test

Our ISO 27001 testing is tailored to your exact requirements, ensuring that you are meeting your certification requirements and providing assurances that your security measures are as robust as possible. Typically, our ISO 27001 testing will include:  

Web & Mobile Applications

Our application testing is aligned with industry standards such as OWASP and will look to uncover as many security issues as possible within a target application. The issues we look for include injection vulnerabilities, security misconfiguration and authentication weaknesses, logic flaws such as broken access control and authorisation, insecure data transfer and storage, and the wider OWASP Top 10 vulnerabilities.

External & Internal Infrastructure

Our network infrastructure testing is designed to investigate your external networks (your publicly facing systems) and/or your internal networks (the servers, devices and software inside your perimeter), identifying potential security issues and misconfigurations that could be exploited by malicious outsiders or insider threats.

Our ISO 27001 testing process

Every ISO 27001 test goes through a rigorous process, ensuring that you get the best possible outcome and that you are fully complying with the required standards. Below we outline the key stages our testing goes through:   

1. Understanding your test requirements

No two organisations, or projects, are the same. We work closely with you to fully understand your ISO 27001 requirements and your desired outcomes, before putting forward a bespoke test proposal.

2. Expert led, manual testing

Our services are conducted manually by our expert consultants and are designed to fully challenge your cybersecurity measures. All our consultants are directly employed by us, which allows us to ensure the highest quality of service.

3. Reporting, tailored to your needs

Reporting isn’t just a piece of paper; it’s a process. Our reporting can be tailored to suit your needs, providing you with timely, relevant and detailed information, not only on our findings but also on our expert remediation advice.

4. Post-test support & documentation

Our job doesn't finish on the delivery of a test report. We make our consultants available after the test to provide remediation support and can provide additional documentation to satisfy ISO 27001 certification requirements.

Like the sound of our ISO 27001 testing approach?

You can find out more about our test process and why it sets us apart.

Find out more about our ISO 27001 penetration test services

Our team are on hand to provide you with the information you need. Please fill out the form below and one of our team will be in touch shortly.