Certification bodies expect current evidence
Programs without a recent pentest face material findings at surveillance. An out-of-date test is treated as a gap in the Annex A 8.8 vulnerability-management control.
Penetration testing aligned to ISO/IEC 27001:2022 — findings mapped to Annex A 8.8, 8.29, and 8.34 against your Statement of Applicability, sequenced to your certification window.
A report that does not reference your Annex A controls or Statement of Applicability gives the certification body nothing to close against.
Enterprise buyers increasingly ask for current pentest evidence tied to the ISO 27001:2022 revision. A 2013-era or generic report does not answer the question.
We scope and report against the specific controls your ISMS marks applicable — so evidence maps directly to your Statement of Applicability, not a generic framework summary.
Manual penetration testing is the primary evidence artifact for the vulnerability evaluation step under 8.8.
Security testing processes defined and implemented in the development lifecycle. Pentests on staged releases are the canonical acceptance test.
Audit and testing activities on operational systems are planned to minimize disruption. We document rules of engagement that map to this control.
Findings reference the controls you marked applicable in your SoA, with notes where a finding affects applicability or effectiveness.
Initial certification, two annual surveillance audits, recertification in year three. A current pentest is expected at each touchpoint.
We map your ISMS scope and Statement of Applicability to the surfaces we will test, with rules of engagement satisfying Annex A 8.34.
Authenticated and unauthenticated testing across in-scope assets. OWASP-aligned methodology, senior testers throughout.
Each finding tagged to the specific 2022 Annex A controls it touches, with notes on SoA effectiveness implications.
After fixes we retest and reissue so the version your certification body sees reflects post-fix state.
Surveillance audit on the horizon?
A quick scoping call maps your ISMS scope to a test plan and locks in a date that fits your certification window.
Every finding is tagged to the specific 2022 Annex A controls it touches, with notes on Statement of Applicability effectiveness where relevant.
| Example finding | Mapped to |
|---|---|
| Broken authorization between application roles | A.5.15 Access control; A.8.3 Information access restriction |
| Weak credential storage in an internal service | A.5.17 Authentication information; A.8.5 Secure authentication |
| Outdated dependency with a known CVE in production | A.8.8 Management of technical vulnerabilities |
| Insecure default in a managed cloud service configuration | A.8.9 Configuration management |
| Privileged access not logged or monitored | A.8.15 Logging; A.8.16 Monitoring activities |
| Test environment shares credentials with production | A.8.31 Separation of development, test, and production |
Each finding also carries severity, CVSS, reproduction steps, evidence, and a paste-ready remediation — the Annex A mapping for your certification body, the fix for your engineering team.
The 2022 revision moved technical security testing into Annex A 8.29 and reinforced vulnerability-management expectations in 8.8. Certification bodies treat a current pentest as standard evidence; programs without one face material findings at surveillance audits.
The pentest work is the same; the report's mapping section references the 2022 Annex A control IDs you are migrating to. If you are still on 2013, this is the right time to align.
The underlying testing is the same. SOC 2 reports map to Common Criteria; ISO 27001 reports map to Annex A controls and your Statement of Applicability. We can produce one engagement that maps to both.
Yes — provided the pentest is current at audit time and reported findings have been remediated. We coordinate retesting and report reissue with your surveillance window so the version your auditor sees reflects post-fix state.
A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.