I recently had an initial meeting with an interested party – a larger mid-sized company from the manufacturing industry. The CIO reported that they had already implemented various IT security measures and now felt it was time to have their effectiveness reviewed by an independent body. The specific trigger was a recent ISO 27001 audit, in which it had been recommended that a penetration test be carried out.
So we talked about various options, about the difference between a vulnerability scan and a penetration test – and also about which objectives can be achieved with which type of test. From the course of the conversation, it quickly became clear that what the customer, represented by the CIO, wanted – and was prepared to provide in terms of budget – was a vulnerability scan. The sentence “I need something that says pentest” was then uttered, combined with the request that we should take a closer look at the interested party’s IT.
This did not happen. A few days later, I heard from the organization that a subsidiary of had submitted an offer for a “pentest”, which only included the automated scanning of publicly accessible services. And what can I say: the customer placed the order. A “pentest” is now being carried out that is not a pentest – for a lot of money, for which a risk-appropriate and reasonably tailored “real” pentest could certainly have been carried out.
Whether this was due to ignorance, budget constraints, lack of interest or any other reason is irrelevant. The fact is: once again, pseudo-IT security is being practiced here. The organization and its stakeholders are lulled into the deceptive belief that a detailed pentest is being carried out – but the investigation only consists of automated vulnerability scans.
Something else I find interesting: apparently the CIO was very focused on “pleasing” the ISO 27001 auditor and implementing his recommendation. Recommendations are exactly what the word says: something you can do, but don’t have to. Note: the term “penetration test” does not appear anywhere in ISO 27001. Unfortunately, many auditors still argue that you have to do one. In this case, it was “only” a recommendation – I will report on another practical example, where such a test was allegedly required, in a subsequent article.
I would be happy to show you how targeted IT security audits can be carried out without dogma, based on risk and with sensible budget allocation – simply make an appointment!