Penetration tests for IT baseline protection according to the German Federal Office for Information Security (BSI) IT Baseline Protection Catalog

The German Federal Office for Information Security (BSI) generally recommends performing penetration tests both as part of IT baseline protection and independently of the implementation of the IT Baseline Protection Catalogs.

In this regard, the BSI writes:
“Attacks on IT systems are no longer a foreign concept, even for small authorities and companies. To protect against this in the best possible way, it is helpful to take the attackers’ point of view into account in addition to the usual security precautions. For this, penetration tests are a suitable method to determine the current security of an IT network, an individual IT system or a (web) application. They are used to assess the chances of success of a deliberate attack and thus to check the effectiveness of existing security measures as well as to derive further necessary security measures.”

As a provider of penetration tests with many years of experience, NSIDE ATTACK LOGIC can support you and your company with the implementation of penetration tests, whether you want to carry them out during the implementation of basic IT protection measures or independently of them.

The BSI also provides a practical guide on penetration testing for download on its own website: Praxisleitfaden IT-Sicherheits-Penetrationstest des Bundesamt für Sicherheit in der Informationstechnik.

Penetration testing for ISO 27001 certification

The ISO 27001 standard outlines how companies have to set up and operate an ISMS (Information Security Management System).

Via Control A.12.6.1 (ISO 27001:2013, Annex A, ‘Technical Vulnerability Management’), ISO 27001 prescribes that companies must prevent the exploitation of technical vulnerabilities and implement both vulnerability management and vulnerability remediation.
Penetration testing is a suitable measure for meeting these requirements. In individual cases, automated vulnerability scans may also be sufficient to meet the requirement; in the normal case, however, penetration tests are recommended.

NSIDE ATTACK LOGIC is an experienced provider of penetration tests of exceptionally high quality. If you or your company is aiming for ISO 27001 certification, NSIDE ATTACK LOGIC can support you with penetration testing for ISO 27001.

Attention: At the moment, NSIDE ATTACK LOGIC does not perform full ISO 27001 audits itself. NSIDE ATTACK LOGIC does, however, perform penetration testing, which is a suitable measure to meet the requirements for ISO 27001 certification. We also have several partners who conduct audits according to ISO 27001 and are authorized to do so. Contact us and we will be happy to refer you to our qualified partners.

Penetration testing for TISAX

The TISAX standard for the accreditation of suppliers to the German automotive industry, united in the ENX network, is designed to ensure the IT security of companies that are part of the German automotive supply chain. The TISAX standard provides for Information Security Assessments and includes, both directly and indirectly, the requirement for penetration testing.

Among other things, the ‘VDA Information Security Assessment’ requirement sheet includes the requirement for an ISMS in accordance with ISO 27001. ISO 27001 specifies in Annex A 12.6.1 and 12.6.2 that technical vulnerability management must be carried out and that the exploitability of technical vulnerabilities in the systems of the organization to be accredited must be ruled out. Penetration tests are the most suitable means for this, although automated vulnerability scans may also be sufficient in a few individual cases. Thus, via the reference to ISO 27001, TISAX also requires that penetration tests are performed. The VDA’s Information Security Assessment list also calls for testing the effectiveness of various security measures. Here too, penetration tests are a suitable means and are more effective than pure audits.

As an experienced provider of penetration tests, NSIDE ATTACK LOGIC can support you and your company in performing a penetration test for accreditation according to TISAX.

Attention: At the present time, NSIDE ATTACK LOGIC does not perform full TISAX audits itself. However, NSIDE ATTACK LOGIC does perform penetration testing, which is a suitable measure to fulfill the requirements for certification according to TISAX. We also have several partners who perform audits according to the requirements of TISAX and are authorized to do so. Contact us and we will be happy to refer you to our qualified partners.

Penetration test for approval as an AEO (Authorized Economic Operator)

Within the EU and in other economic areas, market participants can be approved or accredited as Authorized Economic Operators (AEO). Recognition as an AEO has several advantages, especially in the cross-border movement of goods. For example, simplified procedures apply to the treatment by the various customs authorities of the countries in an economic area if the respective company is accredited as an AEO.

A prerequisite for recognition as an Authorized Economic Operator is the performance of a penetration test, i.e. an active security test of IT systems. This requirement originates from the EU document TAXUD/2006/1450 of 12/06/2006, which specifies penetration tests in section 3.07 under ‘Internal control procedures’:

“Have ‘penetration tests’ been carried out? With what result? If no such tests have been performed, the company should do so to demonstrate the security of its computer systems.”

NSIDE ATTACK LOGIC is an experienced penetration testing provider. As such, we can assist companies seeking AEO (Authorized Economic Operator) recognition and provide competent, high-quality penetration testing for AEO.

Banking and insurance regulatory requirements for IT (BAIT/VAIT)

The Insurance Supervisory Requirements for IT (VAIT), issued by the German Federal Financial Supervisory Authority (BaFin), reference security testing and penetration testing several times, both explicitly and implicitly, in particular in VAIT requirements #43, #54 and especially #32. For example, #43 and #54 call for general testing of systems and applications, while #32 of the VAIT refers to penetration test results that are to be submitted to management at least quarterly as part of IT security situation reports.

The situation is similar with regard to the Bank Supervisory Requirements for IT (BAIT): here, the relevant points are #22 and, in particular, #41, which correspond to #32 and #54 of the VAIT.

Both sets of requirements also refer to the BSI IT Baseline Protection Catalog as well as the ISO 2700x series of standards, which mentions penetration tests in ISO 27001, Annex A, as a suitable measure for dealing with vulnerabilities.

Contact us to uncover and close your security gaps.