This article is written and contributed by penetration testing company Software Secured, a proud Secureframe partner.

ISO 27001 is one of the most popular compliance frameworks worldwide. But between hiring consultants, bringing in auditors, setting up new processes and tooling, and getting your security posture up to par, the all-in cost of compliance adds up quickly. Without a doubt, you’re now starting to wonder what’s really required and how you can make the most of each service. 

What does ISO 27001 require around penetration testing and similar services? And how can opting for penetration testing actually increase the return on investment (ROI) of your ISO 27001 compliance? We’ll unravel requirements and explain the benefits of pen testing below.

What is ISO 27001 compliance?

ISO 27001 is an international compliance framework that proves a company’s ability to protect and securely manage their customer’s sensitive data. The ISO 27001 framework was created by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). It offers guidelines for building, maintaining, and improving an information security management system (ISMS) that can safeguard sensitive data.

By achieving ISO 27001 certification, growing organizations can avoid costly data breaches, establish competitive differentiation, improve business infrastructure and processes, and prove credibility in global markets.

The most recently revised version of ISO 27001 launched in 2022, meaning any companies who were certified for the previous version (ISO 27001:2013) have a three-year transition period over to the latest framework. The new version includes 11 new controls for organizations, people, physical assets, and technologies. 

What is penetration testing?

Penetration testing is a manual, comprehensive security testing approach. It involves using ethical hackers (also known as “white hat” hackers) who attempt to break into an application or system, find vulnerabilities, and report on these security gaps — all to help businesses understand and patch any issues before real hackers do.

While penetration tests are typically done as a one-time assessment, companies can also opt for Penetration Testing as a Service (PTaaS) which conducts pentests multiple times per year and offers supplemental services.

How penetration testing helps organizations earn ISO 27001 certification and strengthen their security posture

Penetration testing can not only help your organization meet multiple ISO 27001 requirements — it can also enhance your overall security posture. Let's look at how below.

1. Satisfy Annex A control requirements

As part of earning your ISO 27001 compliance, you will be required to identify risks and vulnerabilities within all assets and information systems that are within your compliance scope.

Some of the controls that penetration testing can help you meet for ISO 27001 include:

• Control Set A.11, which deals with physical perimeter security
• Control A.12.2.1, which deals with malware and malicious code
• Control A.12.6.1, which asks you to build a process for handling technical vulnerabilities quickly as they arise. 
• Control A.13.2.3, regarding the protection of information transmitted digitally (in internal networks and electronic messaging systems)
• Control Set A.14.1, which requires information passing through public networks and in service transactions to be secured.
• Control A.14.2.3, which requires businesses to have systems tested after every significant change to ensure there is no negative impact to the system
• Control A.16.1.3, which deals with reporting observed or suspected system weaknesses in a systematic way
• Control A.18.2.1, which requires an independent review of your security controls
• Control A.18.2.3, which requires businesses to regularly review their practices and controls to ensure compliance against the ISO 27001 framework

2. Understand your full attack surface

All penetration testing efforts begin with a threat modeling simulation that maps out your application’s entire attack surface, which identifies possible entry points for an attack. The threat model can be re-conducted before every penetration test if you’ve had major changes, which aligns to Control A.14.2.3. 

Other security tests such as automated vulnerability scans don’t necessarily consider your application business logic. This means they might miss vulnerabilities in major use cases. On average, automated scanners failed to find 16 vulnerabilities per container tested. When working with a pen tester, they can also explain their rationale on why they took a specific testing approach, but the same can’t be said for automated tooling.

3. Find and remediate vulnerabilities before they’re weaponized

It takes the average team 256 days to patch a critical vulnerability. That’s almost nine months waiting for a hacker to stumble upon an issue that has a high likelihood of being found and extreme consequences for your company. For 66% of small businesses, getting breached forced them to close their doors within 6 months of the incident. 

Alternatively, a penetration test lasts a few weeks. Within each pentest, Software Secured finds an average of 26 vulnerabilities. Finding these vulnerabilities sooner means that your team can get to patching faster, too. 

Once you’ve patched your security vulnerabilities, getting a re-test done will validate whether your fix was sufficient. Then you’ll get an updated certificate to show your auditor and vendors how secure you are. This helps you meet Control A.16.1.3.

4. Avoid security theater and false positives

Security theater describes security measures that make us feel like we’re doing more for our application than we actually are. A good, and unfortunately common, example of security theater is when automated vulnerability scanners mark vulnerabilities as Criticals or Highs, even if that’s not the case. In fact, only 82% of results provided by automated vulnerability scanners are relevant. 

On the other hand, penetration test customers receive a report which includes details on replication and remediation suggestions for all found vulnerabilities. With this information, there’s no possibility for false positives to make it into the final pentest report. 

For an extra layer of certainty, all Software Secured reports go through a quality assurance process where at least one other pen tester tries to recreate every identified vulnerability to validate that the find is true and that the replication steps make sense.

5. Reduce cost of remediation by up to 100x

The cost of patching a security vulnerability in the design stage is approximately $500 per issue. Vulnerabilities found in the testing stage are 15 times more expensive than those found at the earliest stage of the software development life cycle (SDLC). Even worse, vulnerabilities in the maintenance stage are 100x more expensive than those found in the design stage. 

That means the average vulnerability lingering in an old software product could cost your team up to $50,000 per vulnerability to correctly remediate. As systems grow and age, it becomes more expensive and difficult to fix security issues, especially when security gaps are tied into insecure design flaws when the application was originally built. 

Needless to say, the earlier that you test, the lower your cost of remediation is going to be. With service options like Penetration Testing as a Service (PTaaS), you can test your application up to 4x per year. Not only does this have huge cost savings when it comes to remediation efforts and proving your security maturity to clients, but it also helps you meet Control A.18.2.3 — the all-encompassing control related to regularly checking your systems to ensure security and compliance. 

6. Prove your security posture to your auditor

Obviously, you need some way to prove your security posture to your auditor to meet Control A.16.1.3 which asks you to do an independent review of your security controls. You also need to have a way of reporting each security gap according to Control A.14.2.3. 

With penetration testing, you’ll get a systematic way of finding vulnerabilities, recording them (with evidence and steps to replicate), and documentation to prove this all. There are several kinds of documents that you can get from your pentest vendor, including:

• A penetration test report, which has all the details around each vulnerability. This is mostly great for your internal teams.
• A penetration test certificate, which is a higher-level look at your security posture and does not lay out the specifics of each vulnerability. This is great for sharing with your auditor or enterprise vendors. 
• A letter of engagement, which proves your company is planning to conduct a penetration test in the near future. 

7. Reduce your cybersecurity insurance costs

Cybersecurity insurance (also known as cyber liability insurance) is required by many vendors who want to be assured they’ll get paid out if you ever experience a breach or attack. The going rate for cybersecurity insurance today is around $1,500 per year for $1 million in coverage, with a $10,000 deductible. 

Keep in mind that the average cost of a destructive attack was $5.12M in 2022, meaning you’ll need a much higher rate or an account full of cash to payout lawyers, fines, and cover additional operating costs in the event of a breach (assuming the hackers didn’t steal your cash, too). 

Penetration testing can reduce your risk of attack significantly, which in turn makes cybersecurity insurance companies feel better about giving you a lowered rate. Proving to your insurance company that you are meeting your service level agreements (SLAs) and that you have no critical vulnerabilities is a good place to start.

8. Improve your development team’s efficiency

The first time that you work with a penetration testing vendor might not flow so smoothly. At the start, your development team might struggle to see how vulnerabilities are built into the application and why they’re important to fix (instead of producing new code to help the company grow revenue). 

Over time, developers will get insights into the “why” and “how” vulnerabilities occur. When it comes to writing new code, they’ll be able to put this new knowledge to use and, in turn, reduce how many vulnerabilities appear in each of the design, testing, and maintenance phases of the SDLC. 

When a development team knows their security remediation efforts are helping the company with a main business initiative like achieving ISO 27001, it helps build security champions and show all team members how their work directly impacts the company's overall business growth.

How Secureframe + Software Secured can help

When you’re earning compliance, there’s a lot going on at once. And the expenses attached to it are difficult to swallow, especially for a small business that’s just trying to grow its enterprise client list. 

Penetration testing can help you increase the ROI of your ISO 27001 compliance by enabling you to meet at least 9 required controls, improve your team’s overall efficiency, and empower you with the information you need to make your app secure. Learn more about Software Secured's Pentest 360 option, which is most preferred by vendors undergoing ISO 27001 compliance for the first time.

Compliance automation can significantly reduce the other expenses associated with ISO 27001 compliance by making the entire process more efficient. 

Secureframe's security and privacy compliance automation platform streamlines the process of building a compliant ISMS, writing policies, collecting evidence, and managing risk so your team can focus on high-priority projects. And our team of in-house compliance experts saves our customers thousands of dollars on consultant fees and readiness assessments. Request a demo today.