I have one question. Is a pen-test from a third party required for getting the ISO-certification?
Assign topic to the user
ISO 27001 does not prescribe a pen-test from a third party as a requirement for ISO 27001 certification.
Pen-tests, including those performed by third parties, are only required if there are relevant risks (i.e., risks evaluated as unacceptable according to your criteria), or legal requirements (e.g., laws, regulations, or contracts).
These articles will provide you a further explanation about selections of controls and pen tests:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
May 05, 2021