Expert Advice Community


A.12.7.1 Information Systems Audit Controls

Guest user Created:   Apr 29, 2020 Last commented:   Apr 29, 2020

1. Does executing penetration tests on a regular basis serve the purpose of being compliant with this control, or do you suggest any other method?
2. Do we need to document a formal process for the penetration test and execute it accordingly?

Expert
Rhand Leal Apr 29, 2020

1. Does executing penetration tests on a regular basis serve the purpose of being compliant with this control, or do you suggest any other method?

Penetration tests can be used to fulfill control A.12.7.1 Information Systems Audit Controls, provided that they are planned and agreed in a way that minimizes risks that can disrupt business operations (e.g., by being performed out of business hours, by covering only part of the most critical systems at a time, etc.).

Another approach would be to perform audits only through analysis of the system's logs, review of the system's configurations, etc.

For further information, see:

2. Do we need to document a formal process for the penetration test and execute it accordingly?

ISO 27001 does not require the penetration test process to be documented, but documenting the process is a good practice that makes it easier to evaluate the results and whether everything was done as planned.
