Intertek NTA has been an independent provider of information security services for over 25 years and assists organisations looking to achieve or maintain ISO 27001 certification or adhere to its principles as part of an Information Security Management System (ISMS). Services align to the ISO 27001:2022 Annex A Technical Controls.
How these services map to the technical controls depends on the scope of the client’s ISO 27001 certification and on the processes and procedures defined in the client’s Information Security Management System (ISMS).
• A.5.29 Information Security During Disruption
The organization should plan how to maintain information security at an appropriate level during disruption. Auditors may review a sample of testing/exercising reports.
• A.5.36 Conformance with Policies, Rules and Standards for Information Security
Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed. Auditors may review the security calendar and the activities that trigger independent assessments, and examine reports from network scanning and penetration tests.
• A.6.3 Information Security Awareness, Education and Training
Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training, and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant to their job function.
• A.8.8 Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken. Auditors may review the security calendar for the schedule of testing and a sample of penetration test reports.
• A.8.26 Application Security Requirements
Information security requirements should be identified, specified and approved when developing or acquiring applications.
• A.8.29 Security Testing in Development and Acceptance
Security testing processes should be defined and implemented in the development lifecycle. Auditors will review penetration test reports and the action taken on any findings.
Organisations are required to demonstrate to auditors (either as part of the process of achieving certification or during the annual certification audit) that they are effectively maintaining security controls in accordance with the ISMS.
Intertek NTA offers tailored testing and assurance services to help organisations meet the requirements of the ISO 27001:2022 technical controls and evidence to auditors that those controls are in place, including:
• Information Security Awareness Training (Virtual and Physical options available)
• External and Internal Network Penetration Testing (Firewalls, Servers, Networking Devices, User Devices, etc.)
• Application Penetration Testing (Websites, Internet-facing Services, Remote Access Portals, etc.)
• Intelligence-led Penetration Testing (Red Team Exercises)
Testing services seek to identify vulnerabilities that could compromise the security of information assets or data, with ongoing remediation support and advice provided.