ISO 27001 Penetration Testing
ISO 27001 does not name penetration testing as a control, but Annex A.12.6.1 (Management of technical vulnerabilities) and A.18.2.3 (Technical compliance review) in the 2013 edition, and their 2022 successors 8.8 and 5.36, are routinely evidenced with a penetration test, and most certification bodies expect to see one. StandardPentest delivers an ISO-aligned penetration test with audit-ready evidence and a signed attestation letter in 24 hours.
What We Test
- External attack surface of in-scope ISMS assets
- Internal segmentation between ISMS-scoped systems and out-of-scope networks
- Application-layer testing of in-scope web applications and APIs
- Authentication, authorization, and access control across ISMS users and roles
- Gaps in vulnerability management coverage (unpatched, untracked, or unassessed in-scope assets) measured against A.12.6.1 / 8.8
- Detection and response coverage for in-scope systems
- Cryptographic posture against A.10 / 8.24 controls (key management, TLS, data at rest)
- Supplier and integration risks against A.15 / 5.19 to 5.22 controls
Our Methodology
Every ISO 27001 engagement is scoped against your Statement of Applicability (SoA) and ISMS scope document. The workflow runs in four phases: scope validation against the SoA and asset inventory, automated and manual vulnerability discovery aligned to ISO 27001:2022 Annex A and ISO 27002:2022 guidance, exploitation under strict rules of engagement, and reporting that maps every finding to specific Annex A controls. We coordinate with your certification body or internal auditor on request.
What You Get
- An executive summary aligned to your ISMS scope and SoA
- Per-finding technical detail with CVSS 3.1 scoring, evidence, and remediation guidance
- Direct mapping of every finding to specific Annex A controls (A.5 through A.18 in 2013 numbering, or A.5 through A.8 in 2022 numbering)
- An attestation letter for certification body and customer use
- Vulnerability management evidence supporting A.12.6.1 / 8.8 and technical compliance evidence supporting A.18.2.3 / 5.36
- A free retest of remediated findings within 90 days
Frequently Asked Questions
ISO 27001:2013 or 2022: do you support both?
Yes. Our reports map findings to whichever version your ISMS is currently certified under, and we can produce a transition-ready report mapping to both if you are migrating.
Will your test satisfy our certification body?
Penetration testing is not a mandated ISO control, but virtually every certification body expects to see evidence of technical vulnerability management and technical compliance review. Our deliverables provide that evidence directly. If your certification body asks for a different control mapping or evidence format, we adjust the report on request before final submission.
We also have SOC 2 / HIPAA / PCI: can one test cover them?
Often, yes. Where the in-scope systems overlap, a single engagement with a multi-framework report saves significant audit-cycle time. We map the same findings against each framework you need.
How does this fit with our ISMS internal audit?
Penetration testing is a common input to the ISMS internal audit (clause 9.2) and management review (clause 9.3), and to the independent review of information security under A.18.2.1 / 5.35. Our report is structured so it can be referenced directly by your ISMS internal auditor and in management review minutes.
Tell us your ISMS scope and certification body and we'll align the engagement to your audit cycle.