Why invest in Vulnerability Assessment and Penetration Testing?


Cyber Security – A Matter of Concern

Cyber security has become a major concern for almost every service organization. But are we doing enough to protect our intellectual property and sensitive information? The following statistic presents a grim picture: 52% of organizations that suffered successful cyber-attacks in 2016 aren’t making any changes to their security in 2017.

Why? Primarily because a lack of additional budget, or a decrease in the budget, makes a change in protection a harder sell.

Vulnerability Assessment, Penetration Testing and ISO 27001

Per ISO 27000 (the international standard entitled Information technology — Security techniques — Information security management systems — Overview and vocabulary):

  • “A vulnerability is a weakness of an asset or control that could potentially be exploited by one or more threats”
  • “An asset is any tangible or intangible thing or characteristic that has value to an organization”
  • “A control is any administrative, managerial, technical, or legal method that can be used to modify or manage risk”, and
  • “A threat is any potential event that could harm an organization or system”

A vulnerability arises when a threat finds a weakness it can exploit. Weaknesses usually creep in through lack of attention or ignorance, and in some cases they are introduced intentionally. Some of these weaknesses are easy to recognize, fix or exploit, whereas others require dedicated time, effort, tools and resources.

Penetration testing (often called “pen testing” or “security testing”) simulates a malicious attack to establish whether your internet security is acceptable, is functioning the way it should, and will resist any external threats.

Vulnerability Assessment and Penetration Testing (VAPT) is an essential element of an ISO 27001 Information Security Management System (ISMS). ISO 27001 control objective A.12.6 (Technical Vulnerability Management) states that “information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk”.

What should you choose? VA or PT or both?

A vulnerability assessment (or analysis) is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in communications infrastructure, networks or computers. A vulnerability assessment is like a classical risk analysis, where the primary focus is on identifying risks and then dealing with mitigation and contingency.

On the other hand, pen tests are authorized simulated attacks on identified computer systems that check those systems for security loopholes or weaknesses that could be used to gain access to the system’s sensitive data and information. Penetration testing is a highly recommended best practice that helps you understand how vulnerable your systems are.

When we perform a vulnerability analysis on an information system, we can identify all the technical vulnerabilities related to it, such as SQL injection (a code injection technique that might destroy your databases), XSS (cross-site scripting, a type of injection in which malicious scripts are injected into otherwise benign and trusted websites), weak passwords, etc. But to exploit them further, we need to perform a penetration test. Effective penetration testing involves the simulation of a malicious attack against the system under test, often using a combination of methods and tools, and is conducted by a certified, ethical professional tester. This translates into a VAPT report, which provides a basis upon which security measures can be improved.

Per ISO 27001 control A.12.6.1, we need to prevent the exploitation of technical vulnerabilities. Does this mean we only need to deal with vulnerability analysis and can do away with penetration testing? After all, if the vulnerability analysis tells us that a system is vulnerable, and fixing it lets us avoid any data, information or IP loss, then a vulnerability assessment alone is enough and the next step, exploiting the vulnerability, is not necessary.

This also helps you stay compliant with ISO 27001:2013. One of the recent reports published by Symantec (the 2017 Internet Security Threat Report) says, “Our data found that 76 percent of websites scanned contained vulnerabilities—the same percentage as 2014 and just two percent less than the 2015 figure”.

To cater to the above, and to needs that go beyond testing alone, the answer that best suits the need of the hour is probably to perform both VA and PT.

The link between Security Testing and ISO 27001/ISMS

ISO 27001 control A.12.6.1 covers the following key controls:

  1. Identification of vulnerabilities – Timely identification gives us more time to fix and leaves less time for external attackers.
  2. Prioritization of vulnerabilities – Just like a classical risk analysis, a vulnerability risk assessment is performed to identify and prioritize the vulnerabilities that are most critical to the business and to the routine operation of the systems in place.
  3. Treatment of vulnerabilities – Once the most critical vulnerabilities are identified, action must be taken to treat them based on the level of threat each vulnerability poses, including the execution of penetration testing as needed. This works in the same way as a risk treatment plan for the most important risks (ensuring that the controls implemented actually work as designed).

ISO 27002 (Information technology — Security techniques — Code of practice for information security controls) provides the best practices to be considered while implementing control A.12.6.1:

  1. Inventory of assets – A current and complete inventory of assets is a prerequisite for effective technical vulnerability management. Some specifics include the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software.
  2. Establish Roles and Responsibilities – The organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required.
  3. Timelines for reaction – A timeline should be defined to react to notifications of potentially relevant technical vulnerabilities.
  4. Audit log – An audit log should be maintained for the process carried out, in order to maintain traceability.
  5. Aligning the system with Incident Management – An effective technical vulnerability management process should be aligned with incident management activities, to communicate data on vulnerabilities to the incident response function and provide technical solutions to be carried out in the event of an incident.
  6. Continual Improvement through CAPA – As part of the ongoing Corrective Action and Preventive Action (CAPA) and continual improvement processes, we should ensure that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
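The A.12.6.1 cycle above (identify, prioritize, treat) and the ISO 27002 practices that support it (asset inventory with vendor, version and owner; reaction timelines; an audit log) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the article, from Cigniti or from any ISO document. The asset names, findings, severity scores and the SLA days per priority band are all constructed or assumed policy values; an organization would replace them with its own inventory and its own agreed timelines. Findings for assets that are missing from the inventory are deliberately surfaced first, because an inventory gap is itself something the process has to treat.

```python
"""Added example: a minimal technical vulnerability management cycle.

Constructed illustration, not code from the article, Cigniti or any ISO
document. It models the A.12.6.1 steps: an asset inventory, identified
findings, prioritization, reaction timelines and an audit log.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    """One inventory entry: vendor, version, responsible owner, criticality 1-3."""
    name: str
    vendor: str
    version: str
    owner: str
    criticality: int


@dataclass(frozen=True)
class Finding:
    """One identified vulnerability; severity is a CVSS-style 0.0-10.0 score."""
    asset: str
    title: str
    severity: float
    reported: date


# Reaction timelines: maximum days to treat a finding per priority band.
# These are assumed policy values, not figures from the article.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Ranking order: an unlisted asset is an inventory gap and is surfaced first.
BAND_ORDER = {"unknown-asset": 0, "critical": 1, "high": 2, "medium": 3, "low": 4}


def priority_score(asset: Asset, finding: Finding) -> float:
    """Severity weighted by business criticality, as in a classical risk analysis."""
    return finding.severity * asset.criticality


def priority_band(score: float) -> str:
    """Map a weighted score (maximum 30.0) to a treatment band (assumed thresholds)."""
    if score >= 24.0:
        return "critical"
    if score >= 15.0:
        return "high"
    if score >= 6.0:
        return "medium"
    return "low"


def prioritize(inventory, findings):
    """Rank findings and attach owner and due date; flag assets missing from inventory."""
    by_name = {a.name: a for a in inventory}
    ranked = []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            # Cannot assess risk for an asset nobody has recorded: escalate the gap.
            ranked.append({"asset": f.asset, "title": f.title, "band": "unknown-asset",
                           "score": 0.0, "owner": None, "due": None})
            continue
        score = priority_score(asset, f)
        band = priority_band(score)
        due = f.reported + timedelta(days=SLA_DAYS[band])
        ranked.append({"asset": f.asset, "title": f.title, "band": band,
                       "score": round(score, 1), "owner": asset.owner,
                       "due": due.isoformat()})
    ranked.sort(key=lambda r: (BAND_ORDER[r["band"]], -r["score"]))
    return ranked


def overdue(ranked, today_iso: str):
    """Findings whose treatment deadline has passed as of today_iso (YYYY-MM-DD)."""
    return [r for r in ranked if r["due"] is not None and today_iso > r["due"]]


def audit_entry(record, actor: str, action: str, when_iso: str) -> str:
    """One traceable line for the audit log the process is expected to keep."""
    return (f"{when_iso} actor={actor} action={action} asset={record['asset']} "
            f"finding={record['title']!r} band={record['band']} due={record['due']}")


# Constructed sample inventory and findings (not real systems or real scan data).
INVENTORY = [
    Asset("web-portal", "ExampleVendor", "4.2.1", "app-team", 3),
    Asset("hr-intranet", "ExampleVendor", "1.0.3", "hr-it", 2),
    Asset("build-server", "ExampleVendor", "2.8.0", "devops", 1),
]
FINDINGS = [
    Finding("web-portal", "SQL injection in login form", 9.8, date(2017, 6, 1)),
    Finding("hr-intranet", "Reflected XSS in search page", 6.1, date(2017, 6, 1)),
    Finding("build-server", "Weak default password", 7.5, date(2017, 6, 1)),
    Finding("legacy-fileshare", "Outdated SMB service", 8.1, date(2017, 6, 1)),
]

if __name__ == "__main__":
    ranked = prioritize(INVENTORY, FINDINGS)
    for r in ranked:
        print(audit_entry(r, "vm-process", "triaged", "2017-06-02"))
    for r in overdue(ranked, "2017-06-09"):
        print(audit_entry(r, "vm-process", "overdue", "2017-06-09"))
```

Run as a script, it prints one audit line per finding in treatment order and then the findings already past their deadline as of the given date. The weighting by asset criticality is what turns a raw scanner severity into the business prioritization the text describes; the same 7.5 score lands in a different band on a critical system than on a low-value build server.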

In Conclusion – How can Cigniti help?

The world’s most famous (historical) hacker, Kevin Mitnick, says, “You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk”. Basically, if you know what your vulnerabilities are before your attackers do, you will be protected in terms of your information security, as there are thousands of people around the world constantly scanning the internet for vulnerable systems that can be broken into easily. Considering this, do not let a lack of additional budget, or a decrease in the budget, be the reason for doing away with vulnerability assessment and penetration testing.

Cigniti’s managed security testing services team, Certified Ethical Hackers and ISMS experts will help you in your ISMS journey. We review your security objectives and your business, regulatory and contractual requirements, and help you perform vulnerability analysis (mandatory in an ISO 27001 implementation journey) and penetration testing (best practice) for your organization.

For details, contact us.


  1. ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements
  2. ISO/IEC 27002 — Information technology — Security techniques — Code of practice for information security controls
  3. Symantec, 2017 Internet Security Threat Report — https://www.symantec.com/security-center/threat-report


  • Tejas Joshi

    Tejas is a seasoned professional with more than 10 years of experience in quality, process, consulting and process engineering. He is part of the Process Management Group in the organization and leads the Process Engineering portfolio. He is a specialist in maintaining internal and external process compliance for the organization. Tejas also likes to jot down white papers and blogs in his spare time.


Comment (1)

  • Diwakar Konda

    Good one Tejas…

    June 8, 2017 at 12:17 PM
