If we closely review the ISO 27001:2013 standard or the draft of the new 27001:2022, we see that the terms penetration testing and vulnerability scanning are not explicitly mentioned either as requirements or as a measure.
Yet ISO 27002 (implementation guide of Annex A to ISO 27001) refers in a number of passages to penetration tests and vulnerability scans as essential elements of an information security management system (ISMS).
We have compiled for you what is actually required in ISO 27002 in comparison to the previous ISO standard from 2013 and the updated version of 2022.
1. ISO 27001:2013, or more precisely the implementation guide for its Annex A, ISO 27002:2013, lists penetration tests and vulnerability scans under “verification of compliance with technical requirements” (measure 18.2.3). This means: the concept of “compliance reviews” should also include the performance of penetration tests and vulnerability scans.
2. The so-called “system acceptance tests” (measure 14.2.9) also provide a possibility to detect vulnerabilities automatically.
3. The draft of ISO 27001:2022, or more precisely the implementation guide for its Annex A (ISO 27002:2022), lists penetration tests as an element of “Managing information security in the ICT supply chain” (measure 5.21) and as a method for completing a supplier review.
4. Under “Management of technical vulnerabilities” (measure 8.8), penetration tests and vulnerability scans are specifically addressed as a regular activity to identify technical threats.
5. The section “Monitoring activities” (measure 8.16) refers to penetration tests and vulnerability scans as a supplement to an organisation’s monitoring activities.
6. The Secure Development Lifecycle (measure 8.25) points to penetration testing as an essential component of a secure development cycle.
7. In the context of “Security testing in development and acceptance” (measure 8.29), performing both penetration tests and vulnerability scans is recommended during the development and maintenance of systems.
In the new ISO 27001:2022, performing penetration tests and vulnerability scans will become even more important than it already was under the previous version, ISO 27001:2013. This is a good opportunity to plan and conduct penetration tests and vulnerability scans professionally. We will be happy to support you with our expertise!