If we closely review the ISO 27001:2013 standard or the draft of the new 27001:2022, we see that the terms penetration testing and vulnerability scanning are not explicitly mentioned either as requirements or as a measure.

Yet ISO 27002 (implementation guide of Annex A to ISO 27001) refers in a number of passages to penetration tests and vulnerability scans as essential elements of an information security management system (ISMS).

What’s new?

We have compiled for you what is actually required in ISO 27002 in comparison to the previous ISO standard from 2013 and the updated version of 2022.

1. ISO 27001:2013, or rather the implementation guide for its Annex A, ISO 27002:2013, lists penetration tests and vulnerability scans as a means of implementing the “verification of compliance with technical requirements” (measure 18.2.3). This means: the concept of “compliance reviews” should also include the performance of penetration tests and vulnerability scans.

2. Also, the so-called “system acceptance tests” (measure 14.2.9) provide a possibility to detect vulnerabilities automatically.

3. The draft of ISO 27001:2022, or rather the implementation guide for its Annex A (ISO 27002:2022), lists penetration tests as an element of “Managing information security in the ICT supply chain” (measure 5.21) and as a method of completing a supplier review.

4. In the “Management of technical vulnerabilities” (measure 8.8), penetration tests and vulnerability scans are specifically addressed as a regular activity to identify technical threats.

5. The section “Monitoring activities” (measure 8.16) refers to penetration tests and vulnerability scans as a supplement to an organisation’s monitoring activities.

6. The “Secure development life cycle” (measure 8.25) points to penetration testing as an essential component of a secure development cycle.

7. In the context of “Security testing in development and acceptance” (measure 8.29), the performance of both penetration tests and vulnerability scans is recommended during the development and maintenance of systems.

Our bottom line on the update of ISO 27001:2022

In the new ISO 27001:2022, the performance of penetration tests and vulnerability scans will become even more important than was already the case in the previous version ISO 27001:2013. This is a good opportunity to plan and conduct penetration tests and vulnerability scans professionally. We will be happy to support you with our expertise!
