Should a penetration tester have training in ISO 27001/ITIL etc?

While it may not be the hardcore technical pentesting you are used to, it will definitely aid you in understanding processes and security controls within a company. This may help you present your findings in an understandable way to the business and to IT management.

Obviously it also means you could do more than just pentesting as you could also write a standard or baseline (27001).

Don't be afraid to try something new from time to time :).


I've rarely found more knowledge to be a detrimental thing. It may not be super useful, but it may help in some rare scenarios.


Not of much benefit. I am a pentester with both ITIL and ISO 27k certifications. ITIL has hardly anything to do directly with information security and is very generic, but it can be effective in putting in place a process for faster incident response and change control. ISO 27k exists as a standard with very broad guidelines for processes to be followed by any organization that takes InfoSec seriously. The standard also provides for audits to measure the effectiveness of information security processes and controls. These audits can include both source code analysis and penetration testing. The only way a penetration tester can find some use for this is to expect that some level of security exists if the organization is ISO 27k certified. You won't be taught a single command when attending these trainings.

Knowledge of ITIL and ISO 27k will be required if you are trying to get a managerial role within big organizations. They like to measure everything and have metrics for nearly all process outcomes. ITIL and ISO 27k are more about processes that have scope and mechanisms built in for continuous improvement.