Does ISO 27001 require penetration testing?

ISO 27001:2022 Annex A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development) effectively require periodic technical testing of the ISMS scope. Certification body auditors commonly expect penetration test evidence to verify that vulnerability management controls are operating effectively.

Which ISO 27001 controls does a pentest address?

Primarily A.8.8 (technical vulnerability management) and A.8.29 (security testing). Supporting controls include A.8.22 (network segmentation), A.8.3 (information access restriction), and A.8.7 (protection against malware). Each finding in our report maps to the relevant Annex A control.

What is the difference between ISO 27001:2013 and ISO 27001:2022 for pentest?

The 2022 revision restructured Annex A. The old A.12.6.1 (management of technical vulnerabilities) became A.8.8. The old A.14.2.8 (system security testing) became A.8.29. The substance is similar but the control numbering changed. If your ISMS was certified under 2013, you have until October 2025 to transition to the 2022 standard — your next surveillance audit will likely check for this.

How often does ISO 27001 expect a pentest?

There is no mandated interval. Most certification bodies and the standard itself call for 'periodic' review under A.8.8. Annual is the industry norm. More frequent testing is expected after significant changes to the ISMS scope: new services, new infrastructure, acquisitions, or changes in threat landscape.

pentest · compliance

ISO 27001 penetration testing for certification audits.

Technical testing of your ISMS scope under ISO 27001:2022. Findings mapped to Annex A controls. Evidence your certification body accepts for A.8.8 technical vulnerability management and A.8.29 security testing in development.

Book a scoping call All pentest types

01. the controls

Which Annex A controls require testing.

ISO 27001:2022 restructured Annex A from 114 controls to 93. Several directly require or strongly imply periodic penetration testing of the ISMS scope.

A.8.8 — Technical vulnerability management

The primary driver. Requires timely identification, evaluation, and treatment of technical vulnerabilities in information systems. Certification bodies expect evidence of active technical assessment — not just a policy that says vulnerabilities should be managed.

A.8.29 — Security testing in development

Security testing must be defined and implemented for new information systems and significant changes. For most ISMS scopes that include a product or platform, penetration testing before significant releases satisfies this control directly.

A.8.22 — Network segmentation

Networks must be segmented according to information classification. The pentest validates that segmentation controls actually work — not just that network diagrams show the right topology. Relevant for any ISMS scope that includes on-premise or hybrid infrastructure.

A.8.3 — Information access restriction

Access to information and systems must be restricted in accordance with the access control policy. Testing authentication, authorization, and privilege escalation paths produces direct evidence for this control. Auditors ask for it at surveillance audits.

02. ISMS scope alignment

How scope gets aligned.

ISO 27001 pentest scope follows your ISMS scope statement, not a generic asset inventory. This matters to the certification body.

Review your ISMS scope statement We read your scope statement and Statement of Applicability before scoping the engagement. The pentest must cover the systems named in the ISMS scope — not a subset chosen for convenience. Gaps between ISMS scope and pentest scope are the most common finding certification body auditors raise.
Map the attack surface to ISMS boundaries For each system in ISMS scope, we map the external and internal attack surface. Applications, APIs, network perimeter, cloud resources, admin access. What is in scope for certification is in scope for testing.
Test with methodology cited in SoA If your Statement of Applicability cites a testing methodology or standard, the pentest report cites the same one. PTES and OWASP are the most common. Certification bodies compare the report methodology to the SoA — mismatches generate nonconformities.
Map findings to Annex A controls Each finding in the report maps to the relevant Annex A control. A broken access control finding maps to A.8.3. An unpatched service maps to A.8.8. A TLS misconfiguration maps to A.8.24. The auditor sees both the technical evidence and the control it satisfies in the same document.
Retest evidence for nonconformity closure If a finding triggers a nonconformity at audit, the retest report provides the closure evidence. We format it to support a corrective action plan: root cause, remediation taken, verification test, result. Certification bodies accept this format for nonconformity closure without additional rounds.

03. 2013 vs 2022

The 2022 transition and what changed.

Organizations certified under ISO 27001:2013 must transition to the 2022 standard. The October 2025 deadline has passed for many — here is what changed for technical testing.

Control renumbering

A.12.6.1 (management of technical vulnerabilities) became A.8.8. A.14.2.8 (system security testing) became A.8.29. The substance is similar but the numbering in your SoA and pentest reports must now reference 2022 controls for transition audits.

New controls relevant to technical testing

ISO 27001:2022 added 11 new controls. A.8.25 (secure development lifecycle), A.8.28 (secure coding), and A.8.29 (security testing in development) are new and directly relevant to how a pentest fits your ISMS. If your SoA doesn't address these, your next audit will flag it.

Threat intelligence as input

New control A.5.7 (threat intelligence) requires information about threats to be collected and analyzed. Our engagement notes include threat context relevant to the vulnerabilities we find — which feeds your A.5.7 evidence directly.

Cloud security coverage

New control A.5.23 (information security for cloud services) covers cloud-specific risks. If your ISMS scope includes cloud infrastructure, the pentest must include cloud configuration and IAM testing to address this control. We include it by default for cloud-hosted systems.

04. faq

ISO 27001 pentest questions.

What certification candidates ask before the engagement. See compliance gap analysis if you need a full ISMS readiness review.

Does ISO 27001 require a penetration test?

Not by that name. But Annex A.8.8 requires active technical vulnerability management and A.8.29 requires security testing for new and changed systems. Certification body auditors consistently expect penetration test evidence to verify these controls are operating. Organisations that present only scanner output typically receive an observation or minor nonconformity.

How often does the standard expect a pentest?

Annual is the industry norm and what most certification bodies look for at surveillance audits. More frequently after significant changes: new product features, new cloud infrastructure, new third-party integrations, or following a security incident.

We're transitioning from ISO 27001:2013. Does the pentest report need to change?

The findings format doesn't need to change, but the control mapping in the report should reference 2022 Annex A numbers (A.8.8, A.8.29) not the 2013 numbers (A.12.6.1, A.14.2.8). If you have an existing report using 2013 references, we can produce a mapping addendum or reformat the control citations at low cost.

Can we run a gap analysis and pentest together?

Yes, and for initial certifications it is efficient to do both. The compliance gap analysis maps all 93 Annex A controls against your current state and produces a prioritized remediation roadmap. The pentest covers the technical controls with active testing. Both deliverables go to the certification body.

What if a finding is a nonconformity at the certification audit?

The retest report provides the closure evidence. We format it to support a corrective action plan: finding description, root cause, remediation steps, verification test result. Certification bodies accept this format for major and minor nonconformity closure. We time the retest to your audit corrective action deadline.

Pentest for your ISO 27001 audit?

Scoping call covers your ISMS scope, SoA, certification body, and audit timeline. 30 minutes. Free. No NDA required for the first call.

Book a scoping call Email an engineer Back to penetration testing