ISO 27001 penetration testing

An ISO 27001 pentest your certification body accepts.

CREST-accredited researchers test against ISO 27001:2022 Annex A controls (A.8.8 technical vulnerability management, A.8.29 secure development, A.5.7 threat intelligence). Two weeks to a report your certification body and surveillance auditor accept.


Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most ISO 27001 pentest reports do not survive the surveillance audit.

  • Templated reports tick the A.8.8 box without proving that the technical vulnerability management process worked. Surveillance auditors flag the gap.

  • Findings that are not tagged to specific Annex A controls force your ISMS team to remap them by hand before the certification body accepts the report.

  • Self-attested or scanner-only reports do not satisfy A.8.8 evidence requirements at certification renewal.

Here is what we ship.

Why teams pick us

Annex A-tagged evidence, not generic CVE lists.

  • ISO 27001:2022 mapped

    Findings tagged to A.8.8, A.8.29, A.5.7, and surrounding controls. Certification body accepts directly.

  • ISMS-scope respected

    We test what is in your ISMS scope statement, not adjacent assets. Scope drift avoided.

  • Surveillance audit defensible

    Documented re-test status, severity rationale, and remediation pathway, ready for the auditor file.

How it works

From ISMS scope to report in two to three weeks.

  1. Scope to the ISMS statement

    Tell us the ISMS scope and Annex A controls in your Statement of Applicability.

  2. Researchers test the controls

    Technical vulnerability management, secure development, threat intelligence, and the surrounding A.8 controls.

  3. Report your certification body accepts

    Findings tagged to Annex A. Auditor evidence file ready.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.


What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom


Common questions

What buyers ask before they sign.

Does this satisfy A.8.8 evidence?
Yes. An independent pentest is the expected evidence for A.8.8 technical vulnerability management.
Is the report accepted by certification bodies?
Yes. Our reports have been referenced by BSI, SGS, DNV, and TÜV across customer audits.
How often is the pentest required?
Annually for surveillance, plus after significant change. Many ISMS owners run twice a year ahead of certification cycles.
Will you sign an auditor letter?
Yes. One-line letter on letterhead, signed by the lead pentester.
Re-test included?
Yes. Criticals re-tested inside the same engagement.

Ready to ship the ISO 27001 surveillance audit?

20-minute scoping call with the lead pentester. ISMS scope, Annex A controls, and the certification-body file.

CREST · CERT-In · SOC 2 · ISO 27001