ISO 27001 vs real-world attacks
TL;DR
“They are ISO 27001 certified, so their security must be strong” is a common and very wrong assumption.
What is ISO 27001?
ISO 27001 (or the standard’s official name ISO/IEC 27001) is the most widely used standard for information security management systems (ISMS). It provides organizations of all sizes and from all sectors with a framework and guidance for establishing, implementing, maintaining and continually improving an ISMS. Conformity with ISO 27001 means that the organization has implemented a system to manage information security risks (https://www.iso.org/standard/27001).
So, the ISO 27001 certification confirms that risk management processes exist and are followed to some extent. It does not prove resistance to real-world attacks.
Why this blog post?
Our aim is to clarify what certification represents and how it differs from validation against real-world attacks.
Organizations want or need the ISO 27001 certification, customers ask for it, suppliers proudly display it and executives sleep better because of it.
In our daily work, we collaborate with people in a wide range of roles across different types of organizations and industries. Over the years, we have seen many misconceptions about what ISO 27001 certification really means in the context of real-world attacks.
One common misconception is that ISO 27001 certification indicates, or even guarantees, that the organization is secure against real-world attacks. ISO 27001 is not intended to provide this kind of assurance.
Another misconception is that ISO 27001 covers all risks, even those outside of its defined scope.
Security testing not mandatory
The ISO 27001 certification confirms that an organization established, implemented, maintains and improves an ISMS. It does not prove resistance to real-world attack techniques.
ISO 27001 requires organizations to regularly review and evaluate their information security risks. Examples of controls in the 2022 version are ‘8.8 Management of technical vulnerabilities’ and ‘8.29 Security testing in development and acceptance’. Penetration testing is one way to check the control boxes, but there are other ways to comply.
As security testing is not required, ISO 27001 certified organizations may never perform attack simulations. This is a problem, because penetration testing or red teaming reveals risks that the certification does not cover. As a result, the certification gives no assurance that the organization has insight into the risks an attacker could actually exploit. This is why ISO 27001 certified organizations still get hacked by criminals.
End note
We fully support ISO 27001 and the value it brings to an organization. In the end, there is only one way to verify how resistant your organization is, which is by testing it in real life.
Let’s close with the question:
Why are you confident your organization will remain resilient during a real attack?
We'll help you determine what it takes for an attacker to breach your company.