How Penetration Testing Increases Your ROI of ISO 27001 Compliance

Learn how penetration testing can help you increase the ROI of your ISO 27001 compliance through various benefits of penetration testing.

Alex Hewko
5 min read

Compliance isn’t an option anymore. 37% of companies are planning to adhere to ISO 27001 in the next 1-2 years, making it the second most popular compliance framework. And it doesn’t come with a small price tag either. Between hiring auditors, implementing new processes, adopting systems to track all your documentation, and getting your security posture up to par, the average cost of ISO 27001 certification is around $40,000 and beyond, depending on the size of your company. So what’s the return on investment (ROI) of ISO 27001 compliance? And what’s the difference between opting for penetration testing versus an alternative security testing approach for your compliance? Read on - we’ll tell you exactly how penetration testing increases the ROI of your ISO 27001 compliance!

What is ISO 27001 compliance?

ISO 27001 is an international compliance framework that proves a company’s ability to protect and securely manage its customers’ sensitive data. The most recently revised version of ISO 27001 launched in 2022, meaning any company certified against the previous version (ISO 27001:2013) has a three-year transition period to move over to the latest framework. The sister standards ISO 27000 and ISO 27002 cover general information technology (IT) security and specific information security controls, respectively.

3 Benefits of doing ISO 27001 compliance

Manage information security controls in one place

ISO 27001 provides a central location to track all documentation and systems related to information security practices in your organization. Better yet, tools like SecureFrame and Vanta can help you organize these controls in a searchable compliance management system. That way, any time your sales team or product managers need access to your compliance documentation, it’s easy to find and share.

Faster processing on enterprise sales deals

Your vendors won’t want to work with you if they know you’re at risk of a cyberattack in the near future. Since ISO 27001 is a rigorous and internationally accepted standard, the odds of your clients sleeping better at night are much higher once you have the certification in hand. They’ll be more likely to close a deal with you if you can provide hard proof of your systematic, regularly practiced security operations.

Reduced risk across your organization

The most obvious reason many companies adhere to ISO 27001 is the actual reduction in risk. Chief Financial Officers (CFOs) love to invest in security activities that directly mitigate risks, since doing so brings productivity gains and cost savings. When calculating the ROI of ISO 27001 and penetration testing efforts for your CFO, consider these tips for proposing your investment!

What is penetration testing?

Penetration testing is a manual, comprehensive security testing approach. It involves ethical hackers (also known as “white hat” hackers) who attempt to break into an application or system. It’s an extremely thorough form of security testing because you get to leverage the testers’ creativity, their experience across many systems, and their knowledge of a company’s unique business logic. While penetration tests are typically done as a one-time procedure, companies can also opt for Penetration Testing as a Service (PTaaS), which conducts pentests multiple times per year and offers additional service supplements such as consulting, which you can leverage to build new features securely from the start.

How does penetration testing help you earn ISO 27001 compliance?

As part of earning your ISO 27001 compliance, you will be required to identify risks and vulnerabilities within all assets and information systems that are undergoing compliance auditing (in other words, any part of your systems that falls within the compliance scope).

Some of the controls that penetration testing can help you meet for ISO 27001 include:

  • Control Set A.11, which deals with physical perimeter security
  • Control A.12.2.1, which deals with malware and malicious code
  • Control A.12.6.1, which asks you to build a process for handling technical vulnerabilities quickly as they arise
  • Control A.13.2.3, regarding the protection of information transmitted digitally (in internal networks and electronic messaging systems)
  • Control Set A.14.1, which requires information passing through public networks and in service transactions to be secured.
  • Control A.12.2.3, which requires businesses to have systems tested after every significant change to ensure there is no negative impact to the system
  • Control A.16.1.3, which deals with reporting observed or suspected system weaknesses in a systematic way
  • Control A.18.2.1, which requires an independent review of your security controls
  • Control A.18.2.3, which requires businesses to regularly review their practices and controls to ensure compliance against the ISO 27001 framework

7 ways penetration testing increases your ROI on ISO 27001 compliance

52% of companies felt that the costs of earning ISO 27001 certification were well worth the benefits it brought them. We’re firm believers that penetration testing is generally the more worthwhile security testing choice, providing more ROI during your ISO 27001 process than other testing approaches such as vulnerability scanning or red teaming. Let’s dive into some of these benefits below.

Understand your full attack surface

All penetration testing efforts begin with a threat modeling exercise that maps out your application’s entire attack surface so that the penetration testers can pinpoint specific use cases and possible entry points for an attack. The threat model can be redone before every penetration test if you’ve had major changes, which aligns with Control A.14.2.3.

Other security testing methods such as vulnerability scanning don’t necessarily consider your application’s business logic. This means they might not get to the dark corners of your application - and might even miss a major component! On average, scanners failed to find 16 vulnerabilities per container tested. While that’s not to say penetration testers would be guaranteed to find them, there is definitely a larger level of uncertainty around vulnerability scanner performance. When working with a penetration tester, your team can reach out at any time to ask how or why a test was conducted in a certain way. The same can’t be said for automated tooling.

Find & remediate vulnerabilities before they’re weaponized

It takes the average team 256 days to patch a critical vulnerability. That’s almost nine months of waiting for a hacker to stumble upon an issue that has a high likelihood of being found and extreme consequences for your company. For 66% of small businesses, getting breached forced them to close their doors within 6 months of the incident.

By contrast, the active testing period in a penetration test is typically a few weeks long. Within each pentest, Software Secured finds an average of 26 vulnerabilities. Finding these vulnerabilities sooner means your team can get to patching faster, too. And with detailed reporting and Slack chat support, your developers will be equipped to remediate your risk efficiently. Once you’ve patched your security vulnerabilities, a re-test will validate whether your fix was sufficient. Then you’ll get an updated certificate to show your auditor and vendors how secure you are!

Avoid security theater and false positives

Security theater describes security measures that make us feel like we’re doing more for our application than we actually are. A good, and unfortunately common, example of security theater is when vulnerability scanners rate findings as Critical or High even when that’s not the case. Vulnerability scanners can’t always tie an issue to the business logic, which is a huge factor in determining the impact and likelihood of an attack. In fact, only 82% of results provided by vulnerability scanners are relevant. On the other hand, Software Secured penetration testers use a combination of the CVSS and DREAD scoring systems to calculate the actual severity of each vulnerability, meaning there’s no security theater here.

Following the penetration test, customers receive a report that includes replication details and remediation suggestions for every vulnerability found. Since every vulnerability comes with replication steps and evidence that it exists, false positives cannot make it into the final pentest report. For an extra layer of certainty, all reports go through a quality assurance process in which at least one other pentester tries to recreate every identified vulnerability to validate that the finding is real and that the replication steps make sense.

If you receive what seems like a devastating penetration test report packed with vulnerabilities, you’ll know that your pentest team did a great job of uncovering hidden security gaps in your application. Learn more about how to make the most of a devastating penetration test report here.

Frequent testing reduces cost of remediation by up to 100X

The cost of patching a security vulnerability in the design stage is approximately $500 per issue. Vulnerabilities found in the testing stage are 15X more expensive to fix than those found at the earliest stage of the software development life cycle (SDLC). Even worse, vulnerabilities found in the maintenance stage are 100X more expensive than those found in the design stage. That means the average vulnerability lingering in an old software product could cost your team up to $50,000 per vulnerability to remediate correctly. As systems grow and age, it becomes more expensive and difficult to fix security issues, especially when the security gaps stem from insecure design decisions made when the application was originally built.

Needless to say, the earlier you test, the lower your cost of remediation is going to be. With service options like Penetration Testing as a Service (PTaaS), you can test your application up to 4x per year. Not only does this bring huge cost savings when it comes to remediation efforts, it also helps you meet Control A.18.2.3 - the all-encompassing control related to regularly checking your systems to ensure security and compliance.

Prove your security posture to your auditor

You need some way to prove your security posture to your auditor to meet Control A.16.1.3, which asks you to do an independent review of your security controls. You also need a way of reporting each security gap according to Control A.14.2.3. With penetration testing, you get a systematic way of finding vulnerabilities, recording them (with evidence and steps to replicate), and documentation to prove all of it. There are several kinds of documents you can get from your pentest vendor, including:

  • A penetration test report, which has all the details around each vulnerability. This is most useful for your internal teams.
  • A penetration test certificate, which is a higher-level look at your security posture and does not lay out the specifics of each vulnerability. This is great for sharing with your auditor or enterprise vendors.
  • A letter of engagement, which proves your company is planning to conduct a penetration test in the near future.

Reduce your cybersecurity insurance costs

Cybersecurity insurance (also known as cyber liability insurance) is required by many vendors who want to be assured they’ll get paid out if you ever experience a breach or attack. The going rate for cybersecurity insurance today is around $1,500 per year for $1 million in coverage, with a $10,000 deductible. Keep in mind that the average cost of a destructive attack was $5.12M in 2022, meaning you’ll need a much larger policy or an account full of cash to pay out lawyers, fines, and additional operating costs in the event of a breach (assuming the hackers didn’t steal your cash, too).

The cheaper alternative? Not getting hacked. Penetration testing can reduce your risk of attack significantly, which in turn makes cybersecurity insurers more comfortable giving you a lower rate. Proving to your insurer that you are meeting your service level agreements (SLAs) and that you have no critical vulnerabilities is a good place to start. You can do this by obtaining a penetration test certificate and managing your vulnerabilities in an online portal or ticketing system.

Improvements in development team efficiency

The first time you work with a penetration testing vendor might not flow so smoothly. Not that it’s anyone’s fault - it’s just new. At the start, your development team might struggle to see how vulnerabilities are built into the application and why they’re important to fix (instead of producing new code to help the company grow revenue!). Over time, developers will gain insight into why and how vulnerabilities occur. Because this integrated education is specific to the technology and language they work with every day, your developers will gradually pick up secure coding best practices.

When it comes to writing new code, they’ll be able to put this new knowledge to use and, in turn, reduce how many vulnerabilities appear in each of the design, testing, and maintenance phases of the SDLC.

Remember those stats about the cost of remediation in each stage? Following secure coding best practices means you’ll have the lowest possible cost of remediation, plus incredible time savings because your developers won’t need to context switch to patch issues down the line. This is your best bet for maximizing how much time your developers can put towards releasing new code and making the product grow!

Parting advice

We get it - there’s a lot going on at once when you’re earning compliance. And the expenses attached to it are difficult to swallow, especially for a small business that’s just trying to grow its enterprise client list. Penetration testing can help you increase the ROI of your ISO 27001 compliance by enabling you to meet at least 9 required controls, improve your team’s overall efficiency, and empower you with the information you need to make your app secure. Interested in seeing how we can help you increase the ROI of your ISO 27001 compliance? Learn more about Software Secured’s Pentest 360 option, which is most preferred by vendors undergoing ISO 27001 compliance for the first time. Additionally, we can help you meet your ISO 27001 secure code training goals too!
