[ISO/IEC 17025](https://www.iso.org/ISO-IEC-17025-testing-and-calibration-laboratories.html) is a standard for the general requirements for the competence of testing and calibration laboratories. This standard specifies the requirements that a laboratory must fulfill to ensure the accuracy, reliability and reproducibility of the tests and calibrations performed. The standard applies not only to technical laboratories, but also to other types of laboratories, such as medical or forensic laboratories.
Since penetration tests (also known as ethical hacking) are usually performed in IT laboratories, ISO/IEC 17025 can also be applied to this type of testing. Applying the standard to penetration tests can help to improve the quality, documentation, auditability and accuracy of test results. This ensures that the tests performed are reliable and provide customers with an accurate picture of the security posture of their system.
ISO/IEC 17025 specifies, among other things, requirements for the personnel, equipment and processes used in a laboratory. This can affect penetration testing as follows:
The standard specifies that the personnel working in a laboratory must have the qualifications and skills necessary to carry out the tasks assigned to them. For penetration testing, this means that testers must be qualified (e.g. OSCP, OSWE or certified IS penetration tester) and experienced enough to perform complex security tests.
The standard stipulates that laboratories must have the necessary equipment to fulfill their tasks. In the case of penetration tests, for example, this includes special hardware and software tools that are required to carry out the tests.
The standard requires that laboratories have documented and standardized processes to ensure that the tests and calibrations performed are repeatable and reliable. For penetration testing, this means that clear and standardized procedures are required for performing the tests, interpreting the results and reporting.
In summary, applying ISO/IEC 17025 to penetration testing can help to improve the quality and reliability of the tests performed. As a result, companies and organizations can ensure that they receive accurate and meaningful information about the security of their system.