The importance of pen testing as part of your ISO or Cyber Essentials journey

No one wants to fail their application for ISO 27001 accreditation, and for some the possibility is unthinkable, to the point where they are reluctant to kickstart the process.

It’s easy to be daunted by the potential hours and financial investment that any security certification journey will take to complete. But these stakes should not be a cause for a delay, only a good motivator for getting everything right first time.

Where pen tests and ISO accreditation meet

The emergence of hybrid working has increased the risk of cyber threats on businesses and their customers. This, met with increased scrutiny about how organisations manage personal data, has caused the number of people seeking out ISO 27001 certification to accelerate rapidly.

Having ISO accreditation proves you have great data security, but it can also double up as great promotional material. Just as pen tests can give you a competitive advantage, ISO accreditation can sway the attention of companies seeking ISO accredited partners and software. This is particularly common with public contracts, where ISO 27001 certification is often a necessity.

ISO compliance demonstrates continual monitoring and awareness of security best practices. And although pen tests are not explicitly required to gain accreditation, they are heavily implied.

Another similar accreditation is Cyber Essentials. Slightly different from ISO, it provides cover to a wider audience, whereas ISO may be better suited to software or finance companies where security risks are of greater importance.

Even so, Cyber Essentials still suggests organisations need a thorough pen test to qualify - a critical step to implement if you want to pass with flying colours first time.


Part one: self assessment (Cyber Essentials only)

An in-depth self assessment will determine how ready your company is for certification. You’ll be questioned on whether you have the right information security objectives and how willing and able your management team is to contribute to the effectiveness of these objectives.

Most importantly, you’ll be asked what steps you take to mitigate, eradicate or manage risks, and whether you have a programme in place to ensure your information security measures and processes are constantly monitored and improved.

We recommend completing a pen test before you even begin the initial self assessment. You can see where vulnerabilities lie and what loose ends need to be tied up, so you can minimise delays and maximise your chances of success out of the gate. To learn more, check out our thoughts on which pen tests are right for your business and how much they cost.


Part two: gathering evidence

Gathering evidence is the harder part, and is also the stage where most organisations throw in the towel. This part of the journey requires a huge chunk of people’s time, from the admin hours needed to assemble the documentation, to the investment needed to implement the software, hardware, and essential tests.

Here’s where we would suggest getting a second pen test. The first you completed before the self-assessment will highlight the areas that you need to address, and once you’ve taken action, the second pen test will provide some of the evidence that certification requires.

Our CREST-certified testers will reassess for any vulnerabilities. Provided your organisation took all the actions recommended in the initial test, it is highly likely you will be provided with a Datavax cover letter showing that your security could not be breached by the simulated threat our ethical hackers provide, and this can be used as evidence to strengthen your application.

Once all your evidence has been compiled, an auditor will review your documentation and assess the success of your information security management.


The benefits of perfecting your processes the first time round

The board of your company may have postponed the first step of your ISO or Cyber Essentials journey, but after a pen test you can set off with confidence and quickly make strides towards accreditation.

Make the security certification journey as painless as possible and ensure a first-time pass with an independent pen test carried out by a CREST-certified tester. As we are independent, we will not try to sell you solutions after your test; we will only provide a detailed report with recommendations that you can address internally or procure according to your own budget.

When your organisation comes to renew your ISO 27001 or Cyber Essentials accreditation three years later, we will be ready to test your defences again. You will be staying on top of the latest threats, and if any vulnerabilities have emerged in the three years since you were issued ISO certification, we will be able to find them so your accreditation remains uninterrupted.

To learn more about how Datavax can help you along the security certification journey, get in touch.


What pen tests are right for your business and how much will they cost?

When it comes to pen tests, there is a huge volume of choice out there. Whether it is a web app or external test, automated or manual, independent or non-independent, the scope can lead to great variations in cost.

Quality pen testers may push your budget a bit more, but this cost covers them meticulously looking through all the nooks and crannies of your IT infrastructure to determine what could be easily exploited.

Starting from around the £2000 mark, a pen test is a lot more affordable than most people think. Compare this with a potential fine of 2% of your annual revenue for trying to cut corners.

The price of getting it wrong

The right pen test could have saved UK-based Boomerang Video from a hefty £60K fine. The Information Commissioner's Office (ICO) slapped them with the penalty after an investigation revealed they had failed to carry out regular pen tests, which could have detected a website vulnerability. The result? A cyberattack leaking over 26,000 users' card details.

British Airways took an even bigger hit back in 2020. A data breach which resulted in the leaking of 400,000 customers' personal and financial details went undetected for months due to an absence of robust security measures. The ICO weren't happy, issuing a painful £20m fine to the airline, which at the time was their biggest to date.

Companies of all sizes need to stay hot on their vulnerability assessments. Any internal system update or introduction of a new third party requires ongoing testing. And if you are expanding, every new employee represents an increased risk. You may have tested for one thing the first time around, but not considered novel threats or tactics as your business evolves.

Remote and hybrid working has brought an extra challenge to businesses. Phishing attacks are on the rise, with many opportunistic cybercriminals taking advantage of the stress and disruption the pandemic brought to many digital workspaces. Most employees had an overnight change to working from home, forgoing basic cyber and phishing awareness.

So when considering which pen test to go for, ask yourself: do you need every employee tested from top to bottom, or just new starters? If you have never carried out a phishing test, for example, we would recommend testing the entire employee cohort.


The advantages of getting it right

The pros of staying on top of your cyber hygiene are obvious. Taking the time and effort to protect all of the data moving around your business every day maintains your reputation as a trusted party, and saves you from coughing up an eye-watering sum if anything were to go wrong.

There is a whole range of options out there, from cheaper AI-automated tests that do not always give you full security coverage, to robust tests carried out by CREST-certified testers. Ultimately, getting a trusted company who understands all the nuances of the different types of testing is essential.


Which type of test is right for you?

An external pen test tries to find flaws in your data security by attempting to break in from the outside. By probing your perimeter defences, this type of test can identify flaws such as weak passwords, unpatched software and misconfigurations. By contrast, an internal pen test assumes some degree of network access, and simulates the actions a hacker or disgruntled employee might take from inside the network.

Often holding sensitive data such as credit card or personal information, web and mobile applications are highly prized targets for cyberattacks. A web app pen test will look for weak points that could compromise your websites or web applications, including CRM systems, extranets or internal programs. Mobile app pen tests detect any susceptibilities that may have been left within the application, such as default credentials or hard-coded encryption keys.

An automated test, sometimes referred to as a vulnerability scan, can never be as thorough as a manual test. It could overlook low-risk vulnerabilities, even though risks of any size should be scrutinised.

That is why we have chosen to stick to a red team approach, which makes use of powerful automated tools alongside a senior tester and an ethical hacking team who can simulate a real-world threat.

It is possible to get your pen tests through a cybersecurity company that will also provide solutions to fill the gaps in your security infrastructure and, potentially, training for your employees. However, many companies prefer to choose an independent pen tester to review their security, much as you would choose to have an MOT or NCT carried out independently of those who make a living fixing the problems they uncover.

A bespoke pen test, led by a senior CREST-certified tester

Starting at €1999 (£1750), we offer a bespoke service based on individual client needs, taking into account risks you may have already spotted yourselves.

There is value in consultancy, which is why we offer a hands-on approach from initial scoping through to the delivery of a detailed and comprehensive report. You can go away, absorb it, and share what you need with your technical team before coming back to us for any clarification. We work on a traffic light system, highlighting critical items while also including points of advice and best practice.

Our close-knit team enjoys being hands-on with every client, ensuring exceptional customer service at every point in the process.

The Chief Operating Officer of one of our clients had this to say: “As a digital health company data security is paramount for our business, therefore it was important to choose the right company for our penetration testing requirements. Datavax provided an excellent service from beginning to end, responding promptly to any queries and providing thorough testing, reporting and technical follow up.”

If you are ready to make your business digitally secure, get in touch.