How to use penetration testing for ISO 27001 A.12.6.1

A famous historical hacker, Kevin Mitnick, said on one occasion: “I get hired by companies to hack into their systems and break into their physical facilities to find security holes. Our success rate is 100%; we have always found a hole.”

So, the question probably on your mind now is: can that be avoided? Mr. Mitnick would say no, but that is no reason to give up. Something can be done to minimize (or eliminate) the possibility of a break-in into the IT environment. Basically, if you know what your vulnerabilities are before your attackers do, you will be better protected, so let me explain this in more detail.

Vulnerability analysis vs. penetration testing

Basically, when you perform a vulnerability analysis on your information systems, you identify the technical vulnerabilities related to them (e.g., SQL Injection, XSS, CSRF, weak passwords, etc.). But to exploit them, you need to perform a penetration test.

Let me explain the above. Imagine that you have a system that is vulnerable to SQL Injection (a flaw that lets an attacker run their own operations on the database through the application's input). Vulnerability analysis will identify that vulnerability. After the vulnerability analysis, the penetration test can be performed and the vulnerability can be exploited. This means that you can access the vulnerable system and read, or even modify or delete, confidential information (information in the database about clients, providers, etc.).

On the other hand, in accordance with control A.12.6.1 of Annex A of ISO 27001:2013, you need to prevent the exploitation of technical vulnerabilities. How do you do it? With the vulnerability analysis or with the penetration test? Or, back to the previous example: to prevent the exploitation of the vulnerability in the system, do we need to perform the penetration test? The answer is: not necessarily, because after the vulnerability analysis we know that the system is vulnerable, and by fixing it we remove the SQL Injection vulnerability. So, the next step, exploiting it, is not necessary.

So, if you want to comply with ISO 27001:2013 you can perform only the vulnerability analysis, although penetration testing is a best practice, and is highly recommended if you want to know how vulnerable your systems really are (in our example, we want to know what information could be seen by an unauthorized person).
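The SQL Injection example above, as an added illustration that is not from the original article: the customer lookup written with string concatenation beside the parameterized fix, plus the kind of check a vulnerability analysis runs to confirm the flaw is gone without going on to exploit it. The in-memory customer table and the probe string are constructed for this example.

```python
import sqlite3

# Constructed in-memory table standing in for the call-center customer database
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "ACC-001"), (2, "bob", "ACC-002")])
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation: the user's input becomes part of the SQL text itself
    sql = "SELECT id, name, account FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, name):
    # Parameterized query: the driver binds the input as a value, never as SQL
    sql = "SELECT id, name, account FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# A minimal check of the kind a vulnerability analysis performs: does an input
# shaped like SQL change the query's behaviour? No customer has this name, so
# a correct lookup must return nothing.
PROBE = "nobody' OR '1'='1"

def is_injectable(lookup, conn):
    """True when the probe makes the lookup return rows it should not."""
    return len(lookup(conn, PROBE)) > 0

if __name__ == "__main__":
    conn = build_db()
    print("concatenated query injectable:", is_injectable(lookup_vulnerable, conn))
    print("parameterized query injectable:", is_injectable(lookup_fixed, conn))
```

Running the same check before and after the fix is the evidence for A.12.6.1 that the vulnerability was remediated, with no exploitation step required.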

Phases of the penetration testing

If you are thinking about performing penetration testing to improve your ISO 27001 implementation, there are many utilities and platforms you can use to automate it, but my recommendation is that you follow these phases:

  • Planning: Planning of the activities, as well as the identification of the information systems and targets involved, the best time for the execution of the activities, and planning of meetings with people involved. It is also important to create an agreement between the company and the penetration tester.
  • Information gathering: We need to gather as much information as possible, which is commonly known as “footprinting.” Two common methods to perform this footprinting are “OSINT” (find, select, obtain, acquire, and analyze information from public resources) and “social engineering” (obtain information through questions to people involved in the scenario of the penetration test).
  • Threat modeling: At this point, we have lots of information about our targets, so that’s the moment to develop strategies to attack the client’s systems. For example, imagine a call center where we have determined in the previous phases that all critical information about customers is stored in an internal database. So, we need to attack this database.
  • Vulnerability analysis: The question here is, how do we attack the database of the call center? Let's search for vulnerabilities, meaning we need to identify all vulnerabilities related to our target. And, as we have seen in the previous section, this step can be mandatory in ISO 27001.
  • Exploitation: Exploiting means “using something to one’s own advantage,” so we need to exploit the vulnerability identified, to gain control of the vulnerable system.
  • Post-exploitation: Once we have obtained control of the system, we can access it, and we can download or transfer the confidential information about customers. Or, maybe we can try to access other internal resources from an internal system.
  • Reporting: Finally, we need to develop a report with the results. The recommendation here is to make two different parts: a technical summary and an executive summary (for people with no technical knowledge).

Figure – Phases of the penetration testing

By the way, are you interested in the vulnerability analysis? This article might be very interesting for you: How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1.

Another important question is how to define the type of penetration testing. Basically, there are two main types:

  • Black box: You do not have information about the company.
  • White box: The organization gives you information and can also give you access to the systems and internal resources.

There is another possibility that is a mix of black box and white box: the gray box (the organization can give you some information about their systems).

To be or not to be the first

There are many people (hackers and experts of every kind) all over the world constantly scanning the Internet in search of vulnerable systems, and the amount of vulnerable equipment that you can find with only a search engine is impressive. So, do not wait: perform a vulnerability analysis, and if you want to be more secure, perform a penetration test. And remember that the implementation of ISO 27001 will help you to perform vulnerability analysis (mandatory) and penetration testing (best practice) in your organization, which means that top management will be much more at ease.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.