Penetration Testing in ISO/IEC 27001
Penetration Testing is part of the control objectives of ISO27001:2005 (BS7799-2:2002), Technical Compliance Checking (A.15.2.2, ISO17799:2005 15.2.2):
“Information systems should be regularly checked for compliance with security implementation standards.”
“Compliance checking also covers, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for checking how effective the controls are in preventing unauthorized access due to these vulnerabilities.”
“Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s). Penetration testing and vulnerability assessments are not a substitute for risk assessment.”
Objectives
Penetration testing is a security assessment technique. The ultimate goal of any security assessment discipline must be to enhance the effectiveness and efficiency of an organisation’s computer systems controls, through an increased awareness of its vulnerabilities.
However, penetration testing must also serve business users by providing a picture of technology risk. This implies that risk eradication is neither achievable nor desirable.
Therefore, the objectives of a penetration test must also help to ascertain the level of risk to the business to facilitate intelligent risk management decisions, rather than to foster fear of vulnerabilities.
A typical Bellua Penetration Test covers the entire spectrum of information warfare, including:
- profiling and trust analysis;
- war dialling;
- war driving (wireless drive-by hacking);
- social engineering;
- Internet hacking (online banking, payment gateway, e-commerce, mail server, domain name server…);
- internal hacking (Head Office, Operations, Development, Core, DRC, etc.).
Value To The Organisation
Penetration Testing can provide convincing evidence of real threat exposures, through the proof of access.
Such evidence is far more compelling, even if it is limited to negative findings, and can help yield a more rapid indication of threat exposures, allowing senior management to take proactive steps to improve overall security.
Security penetration testing measures and demonstrates risk, and can help determine:
- How can an attacker hurt my business;
- Who is most capable of hurting me in the near future;
- How fast and by what means can an attacker reach me;
- How did Bellua’s team get to a specific system (situation awareness);
- What has happened recently (pattern analysis of current operations);
- How vulnerable an organisation is to the latest hacking threats and techniques;
- How changes in technology can affect the real risk profile of business systems;
- How well the organisation’s security policy has been enforced; and
- Whether security procedures are being followed.
A Bellua Penetration Test makes your infrastructure and business processes stronger and more viable for execution in a hostile environment such as the Internet.
The interactive process between systems, experiments and Bellua penetration testing ensures that only robust systems are introduced in the organisation.
Finally, our penetration test lets you visualise your entire network of trust, including roles and responsibilities of third-parties.
