Expert Advice Community

Clarification on Penetration test

Guest user | Created: Jul 06, 2018 | Last commented: Aug 15, 2018

Thank you for your continuous service and advice on information security. I have some doubts related to the ISO 27001 requirements for penetration testing and vulnerability assessment. We are doing vulnerability assessment internally and also doing penetration testing by a third-party company periodically. Doing the penetration test by a third-party company is much better, but still, is this a compliance requirement for the certification? If it's a requirement, then can this activity be performed by our sister company?
Expert: Rhand Leal, Jul 06, 2018

Appreciate if you could provide your advice on this.

Answer: For ISO 27001, gathering information about technical vulnerabilities in a timely fashion (e.g., by means of a penetration test) is a requirement only if your risk assessment results, or applicable laws or contracts, justify the application of control A.12.6.1 - Management of technical vulnerabilities. If there are no risks or legal requirements to justify such a control, there is no need to perform a penetration test.

If control A.12.6.1 is applicable, the penetration test can be performed by a sister company. The main criterion here is that the people performing the test are not responsible for the scope being tested.

These articles will provide you with further explanation about information security and penetration testing:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

Guest: nazeemamm, Aug 15, 2018

Hi Rhand, can you also clarify the below:
1. Control A.12.6.1 – Management of technical vulnerabilities is applicable to our organization to control the technical vulnerabilities on the IT infrastructure. Can you explain with an example how this becomes a requirement from the RA or from applicable laws or contracts?
2. The people performing the test are not under the ISMS scope; however, the director of the sister company (service provider) and the IT director of the customer are the same person. Will this be a concern?

Expert: Rhand Leal, Aug 16, 2018

Answers:
1. Control A.12.6.1 can become required as a result of the risk assessment if you identify, for example, that one of your software suppliers often releases security updates for a critical system your organization uses.

An example regarding legal requirements is compliance with PCI-DSS, a standard for the credit card industry, which requires periodic verification of vulnerabilities on assets handling customers' credit data.

2. Provided that you are capable of evidencing that the personnel performing the tests have the competencies to do so (by means of certificates, experience records or external references), these people do not need to be part of your ISMS scope.
