ISO 27001 – Testing Types

This section outlines the main types of security tests recommended under an ISO 27001 ISMS, with objectives and alternative names.


External Testing

Assesses what an attacker could compromise from outside the system, with no access to the internal network.
Target: Everything visible from the Internet.

Also called: Black-box testing, External Network Assessment


Internal Testing

Assesses what an attacker can compromise once inside the network.
Target: Insider threat—employees, contractors.

Also called: Internal Network Assessment, Grey-box testing (partially)


Blind Testing

Conducted without any prior knowledge of the system.
Target: Understand what a hacker could do with no internal information.

Also called: Single-Blind Testing


Double-Blind Testing

Neither the pentester nor the security team knows the test is occurring.
Target: Evaluate both what a hacker could achieve and how quickly the team detects them.

Also called: Double-Blind Penetration Test


Targeted Testing

The tester and security team work together, focusing on specific areas.
Target: Evaluate defenses with full collaboration for selected components.

Also called: Knowledge-Based Testing, Collaborative Testing


Social Engineering Testing

Tests human and physical security controls via phishing, vishing, or on-site exercises.
Target: Assess human vulnerabilities and policy adherence.

Also called: Phishing Assessment, Human Factor Testing, Physical Security Testing


Red Teaming

Simulates a realistic, multi-vector attack combining external, internal, social engineering, and physical methods over time.
Target: Measure the organization’s overall detection and response capabilities.

Also called: Full-Scope Adversary Simulation, Adversarial Emulation


Configuration / Compliance Testing

Checks system configurations and adherence to ISO 27001 policies.
Target: Ensure technical and procedural compliance.

Also called: Audit Testing, Technical Compliance Assessment