No one wants to fail their application for ISO 27001 accreditation, and for some the possibility is unthinkable, to the point where they are reluctant to kickstart the process.

It’s easy to be daunted by the potential hours and financial investment that any security certification journey will take to complete. But these stakes should not be a cause for a delay, only a good motivator for getting everything right first time.

Where pen tests and ISO accreditation meet

The emergence of hybrid working has increased the risk of cyber threats on businesses and their customers. This, met with increased scrutiny about how organisations manage personal data, has caused the number of people seeking out ISO 27001 certification to accelerate rapidly.

Having ISO accreditation proves you have great data security, but it can also double up as great promotional material. Just as pen tests can give you a competitive advantage, ISO accreditation can sway the attention of companies seeking ISO accredited partners and software. This is particularly common with public contracts, where ISO 27001 certification is often a necessity.

ISO compliance demonstrates continual monitoring and awareness of security best practices. And although pen tests are not explicitly referenced as a requirement for accreditation, the expectation is heavily implied.

Another similar accreditation is Cyber Essentials. Slightly different from ISO, it provides cover to a wider audience, while ISO may be better suited to software or finance companies where security risks are of greater importance.

Even so, Cyber Essentials still suggests organisations need a thorough pen test to qualify – a critical step to implement if you want to pass with flying colours first time.


Part one: self assessment (Cyber Essentials only)

An in-depth self assessment will determine how ready your company is for certification. You’ll be questioned on whether you have the right information security objectives and how willing and able your management team is to contribute to the effectiveness of these objectives.

Most importantly, you’ll be asked what steps you take to mitigate, eradicate or manage risks, and whether you have a programme in place to ensure your information security measures and processes are constantly monitored and improved.

We recommend completing a pen test before you even begin the initial self assessment. You can see where vulnerabilities lie and what loose ends need to be tied up, so you can minimise delays and maximise your chances of success out of the gate. To learn more, check out our thoughts on which pen tests are right for your business and how much they cost.


Part two: gathering evidence

Gathering evidence is the harder part, and is also the stage where most organisations throw in the towel. This part of the journey requires a huge chunk of people’s time, from the admin hours needed to assemble the documentation, to the investment needed to implement the software, hardware, and essential tests.

Here’s where we would suggest getting a second pen test. The first you completed before the self-assessment will highlight the areas that you need to address, and once you’ve taken action, the second pen test will provide some of the evidence that certification requires.

Our CREST-certified testers will reassess for any vulnerabilities. Provided your organisation took all the actions recommended in the initial test, it’s highly likely you’ll be provided with a Datavax cover letter showing that your security could not be breached by the simulated threat our ethical hackers provide, and this can be used as evidence to strengthen your application.

Once all your evidence has been compiled, an auditor will review your documentation and assess the success of your information security management.


The benefits of perfecting your processes the first time round

The board of your company may have postponed the first step of your ISO or Cyber Essentials journey, but after a pen test you can set off with confidence and quickly make strides towards accreditation.

Make the security certification journey as painless as possible and ensure a first time pass with an independent pen test carried out by a CREST-certified tester. As we’re independent, we won’t try to sell you solutions after your test; we’ll only provide a detailed report with recommendations that you can address internally or procure according to your own budget.

When your organisation comes to renew your ISO 27001 or Cyber Essentials accreditation three years later, we’ll be ready to test your defences again. You’ll be staying on top of the latest threats, and if any vulnerabilities have emerged in the three years since you were issued ISO certification, we’ll be able to find them so your accreditation remains uninterrupted.

To learn more about how Datavax can help you along the security certification journey, get in touch.