
Information System Security Assessment Framework (ISSAF)

© Coventry University. CC BY-NC 4.0


The Information System Security Assessment Framework (ISSAF) methodology is supported by the Open Information Systems Security Group (OISSG).
Although it is no longer maintained and is therefore a bit out of date, one of its strengths is that it links individual pentest steps with pentesting tools. It aims to provide a comprehensive guide to conducting a pentest and can be a good basis for developing your own custom methodology.
ISSAF breaks the pentesting project into three phases:
  • Planning and preparation
  • Assessment
  • Reporting, clean-up and destroy artefacts

ISSAF Phase I: Planning and preparation

This phase is brief and only describes the steps to exchange initial information, plan and prepare the test. It emphasises the need for a formal assessment agreement to be signed before any testing begins. The agreement provides the basis for this assignment and mutual legal protection, and specifies:
  • The engagement teams
  • Exact dates and times
  • Escalation path
  • Any other arrangements
The steps in this phase are to:
  • Identify communication channels between the company and pentesting team
  • Confirm scope, approach and methodology
  • Agree to specific test cases and escalation paths

ISSAF Phase II: Assessment

This is the more useful phase – it’s relatively detailed and even describes some of the pentest tools to use. Targets are described as networks, hosts, applications, and databases. To some extent, it is out of date and not complete. We can use it as a starting point for the assessment phases in our pentest but not to govern the entire pentest framework.
ISSAF describes the individual assessment steps as ‘layers’ of pentesting:
  • Information gathering – use both technical and non-technical methods to find out relevant information about the target
  • Network mapping – identify all systems and resources within the target network
  • Vulnerability identification – detect vulnerabilities in the targets
  • Penetration – gain unauthorised access bypassing the security measures (get as wide access as possible)
  • Gaining access and privilege escalation – get administrator-level privileges on the target (root the box)
  • Enumerating further – obtain additional information about processes on the systems with the goal of exploiting the network/systems (moving laterally)
  • Compromise remote users/sites – exploit the trust relationships and communication between remote users and enterprise networks
  • Maintaining access – use covert channels, backdoors and rootkits to hide the hacker’s presence and provide continuous access to the system(s)
  • Covering tracks – eliminate all signs of compromise by hiding files, clearing logs, defeating integrity checks and defeating antivirus software

ISSAF targets

ISSAF also discusses the application of the layers (activities) on different types of targets. For each of these, the methodology provides some background information about the targets, their typical configurations, which attack tools to use and the assessment results which can be expected. The specific steps/examples in this section are out of date, so they will need to be adapted to the latest versions of the systems (OS, applications etc).
ISSAF targets: network security
  • Password security testing
  • Switch security assessment
  • Router security assessment
  • Antivirus system security assessment and management strategy
  • Storage Area Network (SAN) security
  • Firewall security assessment
  • Wireless Local Area Network (WLAN) security assessment
  • Intrusion detection/prevention system security assessment
  • Internet user security
  • Virtual Private Network (VPN) security assessment
  • AS 400 security
  • Lotus Notes security
ISSAF targets: host security
  • Unix/Linux system security assessment
  • Windows systems security assessment
  • Novell NetWare security assessment
  • Web server security assessment (not just the internet ones, but also the admin GUI for routers, etc)
ISSAF targets: application security
  • Web application security assessment (SQL injections)
  • Source code auditing
  • Binary auditing
ISSAF targets: database security
  • Remote enumeration of databases
  • Brute-forcing of databases
  • Process manipulation attack
  • End-to-end audit of databases
ISSAF targets: social engineering
This section discusses mainly older and well-known techniques, though many of them are still quite effective.

ISSAF Phase III: Reporting

This phase discusses the communication channels and types of reports in the project. Two ways of reporting are proposed: verbal and written.
Verbal reporting is reserved only for critical and/or urgent issues. The verbal communication should be used in cases where issues are identified which require immediate attention and action. An example of that would be if during the penetration test we discover that the system is vulnerable and has been (or is currently being) compromised. A special case here is if we detect any illegal activities on the network and systems – in such cases, we might have to contact the legal authorities before (or even without) letting our client know.
The written report is the formal output of the penetration test. It could have different versions targeting different stakeholders in the organisation. It could also include information about the issues already discussed in the verbal report.
Under ISSAF, the written report would normally include:
  • Management summary
  • Project scope
  • Pentest tools used
  • Exploits used
  • Date/time of the test
  • All outputs of the tools and exploits
  • A list of identified vulnerabilities
  • Recommendations to mitigate identified vulnerabilities, sorted by priority

ISSAF Phase III: Clean-up and destroy artefacts

This final part of the framework is quite brief and focuses on removing any artefacts left over from the pentest. It leaves the pentester free to choose how to encrypt, sanitise, and destroy data created during the pentest.
All information that is created and/or stored on the tested systems should be removed from these systems. If this is for some reason not possible from a remote system, all these files (with their location) should be mentioned in the technical report so that the client technical staff will be able to remove these after the report has been received.
(Open Information Systems Security Group 2006)
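One way to meet this requirement is to log every file at the moment it is created and to generate the list of leftovers for the technical report from that log. The sketch below is an added example, not part of ISSAF or the course material; the `Artefact` record, the function names and the host labels are hypothetical, and a temporary directory stands in for the tested systems.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass
class Artefact:
    host: str            # system the file was placed on
    path: str            # full location, needed by the client's staff
    sha256: str          # hash at creation, identifies the exact file
    purpose: str
    removed: bool = False

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def record(manifest, host, path, purpose):
    """Log a file immediately after the tester creates it."""
    manifest.append(Artefact(host, path, sha256_file(path), purpose))

def clean_up(manifest, reachable_hosts):
    """Remove logged files on hosts still reachable; leave the rest flagged."""
    for a in manifest:
        if a.host not in reachable_hosts:
            continue                      # cannot remove remotely: report it
        if not os.path.exists(a.path):
            a.removed = True              # already gone
        elif sha256_file(a.path) == a.sha256:
            os.remove(a.path)             # only delete the file we created
            a.removed = True
        # hash mismatch: file changed since creation, leave it for the report

def residual_artefacts(manifest):
    """Rows for the technical report: files the client must remove."""
    return [(a.host, a.path, a.purpose) for a in manifest if not a.removed]

def demo():
    # Constructed sample: a temp directory stands in for two tested hosts.
    root = tempfile.mkdtemp()
    manifest = []
    for host, name in [("web01", "probe.txt"), ("db02", "dump_test.sql")]:
        path = os.path.join(root, host + "_" + name)
        with open(path, "w") as f:
            f.write("pentest marker\n")
        record(manifest, host, path, "test file created during assessment")
    clean_up(manifest, reachable_hosts={"web01"})   # db02 no longer reachable
    return manifest, residual_artefacts(manifest)

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

Comparing the hash before deleting means a file that changed after the tester placed it is left in place and reported rather than silently removed.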
A PDF of the full Information System Security Assessment Framework (ISSAF) is available to download at the bottom of this step if you want to read more about this, but it is not compulsory.


Open Information Systems Security Group (2006) Information Systems Security Assessment Framework (ISSAF). OISSG
This article is from the free online course Ethical Hacking: An Introduction.
