ISO 27001 & ISO 27002 Through a Pentester’s Lens

Introduction: Why Pentesters Should Care About SGSI

Information Security Management Systems (ISMS / SGSI) based on ISO/IEC 27001 and its supporting ISO/IEC 27002 Code of Practice are often seen as compliance frameworks rather than security enablers. From a pentester’s point of view, this is a dangerous misunderstanding.

While ISO 27001 does not teach you how to exploit a vulnerability, it strongly influences why vulnerabilities exist, how long they survive, and how organizations respond once they are exploited. In real-world penetration tests, many successful attack paths are not the result of advanced exploits, but of systematic management failures - precisely the gaps ISO 27001 and ISO 27002 aim to close.

This article explores ISO 27001 and ISO 27002 from a practical, offensive-security perspective, showing how pentesters can map findings directly to ISMS weaknesses and how organizations can use pentest results to strengthen compliance and real security.

ISO 27001: What Pentesters Actually Test (Whether They Know It or Not)

ISO 27001 defines what must exist: policies, risk management, roles, processes, and continuous improvement. Pentesters usually test the absence or failure of these elements indirectly.

From a pentester’s perspective, ISO 27001 maturity can often be inferred within the first hours of engagement.

Key ISO 27001 Clauses Reflected in Pentest Results

1. Context of the Organization & Risk Assessment

When we find:

  • Legacy systems exposed to the internet
  • Flat networks with no trust boundaries
  • Business-critical systems sharing credentials

we are not just finding technical flaws - we are seeing poor or outdated risk assessments. ISO 27001 requires organizations to understand their threat landscape and treat risks accordingly. A pentest frequently exposes risks that were never formally identified.

Pentester insight: If an attack path feels “too obvious,” it usually means the risk was never properly documented or accepted.

2. Leadership & Accountability

Common findings such as:

  • Shared admin accounts
  • No ownership of systems
  • Lack of approval workflows

point directly to weak leadership involvement in security governance. ISO 27001 explicitly requires defined roles, responsibilities, and accountability.

Pentester insight: When nobody “owns” a system, attackers own it first.

3. Incident Response & Continuous Improvement

During red team or adversary simulation exercises, we often see:

  • Alerts ignored
  • No clear escalation path
  • Security teams discovering the attack only during the final report

ISO 27001 demands monitoring, incident handling, and improvement. A pentest that goes undetected is not just a technical failure - it is a management failure.

ISO 27002: The Code of Practice Seen from the Attack Side

ISO 27002 provides the how - the controls that should be implemented. Pentesters test these controls every day, even if unintentionally.

Below are selected control domains viewed through real attack scenarios.

Asset Management: Attacking What You Forgot You Had

Poor asset inventories lead to:

  • Forgotten subdomains
  • Orphaned cloud resources
  • Unpatched internal services

From an attacker’s perspective, these are gold mines. ISO 27002 requires organizations to identify, classify, and manage assets.

Pentester insight: You cannot defend what you do not know exists.
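One defender-side way to act on this is to reconcile the ISMS asset register against what is actually observable. The script below is an added example, not code from the original article; the register, DNS zone and cloud listing it uses are constructed sample data standing in for a CMDB export, a DNS zone export and a cloud inventory listing.

```python
"""Reconcile the ISMS asset register against what is actually observable.

Added example (not code from the original article). DECLARED_INVENTORY,
OBSERVED_DNS and OBSERVED_CLOUD are constructed sample data; in a real review
they would come from the CMDB export, a DNS zone export and the cloud
provider's inventory listing respectively.
"""
from dataclasses import dataclass, field

# Constructed: what the asset register says exists, with owner and classification.
# A missing owner is itself a finding: ISO 27001 wants accountability per asset.
DECLARED_INVENTORY = {
    "www.example.com":       {"owner": "web-team", "classification": "public"},
    "api.example.com":       {"owner": "platform", "classification": "confidential"},
    "vpn.example.com":       {"owner": "netops",   "classification": "internal"},
    "legacy-db.example.com": {"owner": "dba",      "classification": "confidential"},
    "i-0aaa111":             {"owner": "platform", "classification": "confidential"},
    "i-0ccc333":             {"owner": "",         "classification": "internal"},
}

# Constructed: what a DNS zone export and a cloud inventory listing actually return.
OBSERVED_DNS = ["www.example.com", "api.example.com", "vpn.example.com",
                "staging-old.example.com", "jenkins.example.com"]
OBSERVED_CLOUD = ["i-0aaa111", "i-0bbb222", "i-0ccc333", "bucket-legacy-exports"]


@dataclass
class ReconciliationReport:
    unknown: list = field(default_factory=list)  # observed but not in the register
    phantom: list = field(default_factory=list)  # in the register but not observed
    unowned: list = field(default_factory=list)  # in the register with no owner

    def is_clean(self) -> bool:
        return not (self.unknown or self.phantom or self.unowned)


def reconcile(declared: dict, observed: list) -> ReconciliationReport:
    """Three-way comparison between the register and observed assets."""
    declared_names = set(declared)
    observed_names = set(observed)
    report = ReconciliationReport()
    # Forgotten subdomains and orphaned cloud resources show up here.
    report.unknown = sorted(observed_names - declared_names)
    # Decommissioned assets still listed: the register itself is stale.
    report.phantom = sorted(declared_names - observed_names)
    report.unowned = sorted(name for name, meta in declared.items() if not meta.get("owner"))
    return report


def format_report(report: ReconciliationReport) -> list:
    """Render the report as lines an asset owner or auditor can act on."""
    lines = []
    for name in report.unknown:
        lines.append(f"UNKNOWN  {name}: not in asset register; identify, classify, assign owner")
    for name in report.phantom:
        lines.append(f"PHANTOM  {name}: in register but not observed; confirm decommissioning")
    for name in report.unowned:
        lines.append(f"UNOWNED  {name}: no owner recorded; assign accountability")
    return lines


if __name__ == "__main__":
    rep = reconcile(DECLARED_INVENTORY, OBSERVED_DNS + OBSERVED_CLOUD)
    print("\n".join(format_report(rep)) or "register and observations agree")
```

Run it on a schedule and diff the output between runs: every UNKNOWN line is an asset that was reachable before anyone in the ISMS knew it existed, which is exactly the gap the control is meant to close.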

Access Control: Where Most Breaches Begin

Typical pentest findings:

  • Excessive permissions
  • Stale accounts
  • Weak role separation

ISO 27002 promotes least privilege, user lifecycle management, and access reviews. Almost every successful lateral movement during a pentest maps directly to failures in these controls.

Pentester insight: Privilege escalation is rarely clever - it is usually inevitable.
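The access review that ISO 27002 asks for can be automated over a directory export. The script below is an added example, not code from the original article: the account list is constructed sample data, and the 90-day threshold, the privileged group names and the conflicting-role pairs are assumptions to be replaced with your own policy values.

```python
"""Periodic access review: stale accounts, unowned privilege, role conflicts.

Added example (not code from the original article). ACCOUNTS is constructed
sample data standing in for a directory or IdP export; the 90-day threshold,
the group names and the conflicting-role pairs are assumptions to adjust
to your own policy.
"""
from datetime import date

STALE_AFTER_DAYS = 90
REVIEW_DATE = date(2024, 6, 1)  # fixed so the example is deterministic
PRIVILEGED_GROUPS = {"Domain Admins", "prod-admins"}
# Group pairs one identity should never hold at once (separation of duties).
CONFLICTING_PAIRS = [("developers", "prod-admins"), ("finance-ap", "finance-approver")]

# Constructed sample export. 'owner' is the person accountable for the account.
ACCOUNTS = [
    {"user": "alice", "groups": {"developers"}, "last_login": date(2024, 5, 30), "enabled": True, "owner": "eng-lead"},
    {"user": "bob", "groups": {"developers", "prod-admins"}, "last_login": date(2024, 5, 28), "enabled": True, "owner": "eng-lead"},
    {"user": "svc-backup", "groups": {"Domain Admins"}, "last_login": date(2023, 11, 2), "enabled": True, "owner": ""},
    {"user": "carol", "groups": {"finance-ap"}, "last_login": date(2024, 1, 15), "enabled": True, "owner": "cfo"},
    {"user": "dave", "groups": {"finance-ap", "finance-approver"}, "last_login": date(2024, 5, 31), "enabled": True, "owner": "cfo"},
    {"user": "erin", "groups": {"Domain Admins"}, "last_login": date(2024, 5, 31), "enabled": False, "owner": "it-lead"},
]


def review_accounts(accounts, today=REVIEW_DATE):
    """Return (user, issue, detail) tuples for every account that needs action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts belong to the removal step of the lifecycle
        idle_days = (today - acct["last_login"]).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append((acct["user"], "stale", f"no login for {idle_days} days"))
        privileged = acct["groups"] & PRIVILEGED_GROUPS
        if privileged and not acct["owner"]:
            findings.append((acct["user"], "unowned-privileged",
                             f"member of {sorted(privileged)} with no accountable owner"))
        for g1, g2 in CONFLICTING_PAIRS:
            if g1 in acct["groups"] and g2 in acct["groups"]:
                findings.append((acct["user"], "role-conflict", f"{g1} and {g2} held together"))
    return findings


def summarize(findings):
    """Count issues by type; a count that rises between reviews means the process is failing."""
    counts = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    for user, issue, detail in review_accounts(ACCOUNTS):
        print(f"{user:12} {issue:20} {detail}")
    print(summarize(review_accounts(ACCOUNTS)))
```

Each issue type maps to a different ISO 27002 expectation: "stale" to user lifecycle management, "unowned-privileged" to accountability for privileged access, and "role-conflict" to segregation of duties. Keeping the three apart in the output lets the review land with the right process owner instead of a generic IT ticket.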

Cryptography: False Sense of Safety

Pentesters frequently encounter:

  • Hardcoded secrets
  • Weak TLS configurations
  • Sensitive data encrypted but poorly managed

ISO 27002 does not just say “use encryption”; it requires key management, policy, and lifecycle control.

Pentester insight: Encryption without governance is security theater.

Operations Security: Configuration Is Security

Misconfigurations are among the most exploited weaknesses:

  • Default credentials
  • Debug services exposed
  • Insecure CI/CD pipelines

ISO 27002 emphasizes secure configuration, change management, and logging. These are exactly the areas attackers abuse to move silently.

Pentester insight: Attackers love stability - unchanged systems are predictable systems.

Supplier & Third-Party Risk: The Soft Underbelly

Pentests increasingly uncover attack paths through:

  • VPN access of suppliers
  • Overtrusted SaaS integrations
  • Poorly scoped API tokens

ISO 27002 requires third-party risk management, yet this remains one of the weakest implemented domains.

Pentester insight: You don’t need to breach the company if you can breach its ecosystem.

Mapping Pentest Findings to ISO Controls

One of the most valuable (and underused) practices is mapping pentest findings directly to ISO 27002 controls.

Example:

Finding: Domain admin compromise via reused credentials

Mapped Controls: Access control, identity lifecycle, credential management

This approach:

  • Translates technical risk into business language
  • Helps auditors understand real impact
  • Supports measurable ISMS improvement

Using Pentests as an ISMS Improvement Engine

From a pentester’s point of view, the best organizations:

  • Treat pentests as input to risk assessment
  • Update their Statement of Applicability (SoA)
  • Track findings as management-system issues, not just IT bugs

ISO 27001 is not broken when a pentest finds flaws - it is broken when those flaws repeat year after year.
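The two practices above, mapping findings to controls and tracking which findings repeat from one engagement to the next, are small enough to script. The block below is an added example and not code from the original article: the findings are constructed, the control themes are the ones the article names, and the ISO/IEC 27002:2022 clause numbers beside them are my recollection of that edition, to be verified against the organization's own Statement of Applicability before anything reaches an auditor.

```python
"""Map pentest findings to ISO 27002 control themes and flag year-on-year repeats.

Added example (not code from the original article). The findings are
constructed; the control themes are the ones the article names, and the
ISO/IEC 27002:2022 clause numbers are an assumption to verify against the
organization's Statement of Applicability.
"""
from collections import Counter, defaultdict

# tag -> (control name, 27002:2022 clause). Clause numbers are an assumption to verify.
CONTROL_MAP = {
    "access-control":        ("Access control", "5.15"),
    "identity-lifecycle":    ("Identity management", "5.16"),
    "credential-management": ("Authentication information", "5.17"),
    "privileged-access":     ("Privileged access rights", "8.2"),
    "asset-inventory":       ("Inventory of information and other associated assets", "5.9"),
    "configuration":         ("Configuration management", "8.9"),
    "supplier":              ("Information security in supplier relationships", "5.19"),
}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed findings from two hypothetical engagements a year apart.
FINDINGS_2023 = [
    {"id": "F-23-01", "title": "Domain admin compromise via reused credentials", "severity": "critical",
     "tags": ["access-control", "identity-lifecycle", "credential-management", "privileged-access"]},
    {"id": "F-23-02", "title": "Forgotten staging host exposed to the internet", "severity": "high",
     "tags": ["asset-inventory", "configuration"]},
]
FINDINGS_2024 = [
    {"id": "F-24-01", "title": "Domain admin compromise via reused credentials", "severity": "critical",
     "tags": ["access-control", "identity-lifecycle", "credential-management", "privileged-access"]},
    {"id": "F-24-02", "title": "Supplier VPN account with excessive access", "severity": "high",
     "tags": ["supplier", "access-control"]},
]


def map_to_controls(findings):
    """Group finding ids under (clause, control name); unknown tags are rejected, not silently dropped."""
    grouped = defaultdict(list)
    for f in findings:
        for tag in f["tags"]:
            if tag not in CONTROL_MAP:
                raise ValueError(f"{f['id']}: unmapped tag {tag!r}")
            name, clause = CONTROL_MAP[tag]
            grouped[(clause, name)].append(f["id"])
    return dict(grouped)


def control_pressure(findings):
    """Severity-weighted score per clause, to decide which SoA entries to revisit first."""
    scores = Counter()
    for f in findings:
        for tag in f["tags"]:
            scores[CONTROL_MAP[tag][1]] += SEVERITY_WEIGHT[f["severity"]]
    return scores


def repeated_findings(previous, current):
    """Pairs (old id, new id) for findings that recur with the same title and control tags.

    A repeat is a management-system issue: the control was known to be weak and
    was not fixed, so it belongs in the risk register, not only in a ticket queue.
    """
    def key(f):
        return (f["title"].strip().lower(), frozenset(f["tags"]))
    seen = {key(f): f["id"] for f in previous}
    return [(seen[key(f)], f["id"]) for f in current if key(f) in seen]


if __name__ == "__main__":
    for (clause, name), ids in sorted(map_to_controls(FINDINGS_2024).items()):
        print(f"{clause:5} {name:55} {', '.join(ids)}")
    print("pressure:", control_pressure(FINDINGS_2024).most_common(3))
    print("repeats:", repeated_findings(FINDINGS_2023, FINDINGS_2024))
```

The repeat check deliberately keys on title plus control tags rather than on the host or account involved: the same weakness on a different server is still the same control failing, which is the view an ISMS review needs.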

Final Thoughts: Compliance vs. Resistance

ISO 27001 and ISO 27002 do not stop attackers. Good implementation does.

Pentesters break in through:

  • Missing processes
  • Weak governance
  • Human shortcuts

Exactly the areas these standards address.

From the offensive side, a mature ISMS does not make exploitation impossible - but it makes it noisy, costly, and short-lived. And that is the real goal of information security.

A pentester’s final truth: If ISO 27001 is treated as paperwork, attackers will treat your organization as practice.

Remember: holding the certification does not mean you are secure.