Skip to main contentChat with us

ISO 27001 · Guide

Does ISO 27001 Require
Penetration Testing?

The words 'penetration test' appear nowhere in ISO/IEC 27001:2022 — not in the clauses, not in Annex A. What the standard requires is that you identify and treat technical vulnerabilities in line with your risks, and that you can defend the depth of testing you chose. Here is how that mechanism works, and what certification auditors actually ask for.

The honest answer is “not by name.” The standard mandates the outcome — vulnerabilities found and fixed — and leaves the method to your risk assessment. In practice, “we chose not to test” is far harder to defend than a pentest is to commission.

0times the standard says "penetration test"
A.8.8the control doing the work
500+audits delivered by TCSA

Plain-English guide · Risk-based, not checkbox · Last reviewed July 2026

No — ISO 27001 never uses the words “penetration test.” What it requires is that you identify and treat technical vulnerabilities in line with your risks. In practice, penetration testing is how most certified organizations satisfy that expectation, and certification auditors routinely ask what technical testing you performed. The mechanism is indirect but binding. Clause 6.1 of the standard — part of the mandatory clauses — makes your risk assessment and risk treatment plan the engine that selects controls. Annex A control A.8.8, Management of technical vulnerabilities, then requires that information about technical vulnerabilities be obtained in a timely fashion, your exposure evaluated, and appropriate measures taken. Neither says “pentest.” Both demand that vulnerabilities get found and fixed — and the depth of testing you use to find them is a risk-based decision you must be able to defend to an auditor, in writing, with a straight face.

The Mechanism

What the Standard Actually Requires

ISO 27001 is deliberately method-agnostic. Clause 6.1 requires you to assess your information security risks and select controls that treat them — documented in your Statement of Applicability. Four Annex A controls then carry the technical-testing expectation between them:

  • A.8.8 — Management of technical vulnerabilities. Information about technical vulnerabilities of systems in use must be obtained in a timely fashion, your exposure to them evaluated, and appropriate measures taken. This is the control doing the real work: it demands identification and remediation, but it does not name a method.
  • A.8.29 — Security testing in development and acceptance. Security testing processes must be defined and implemented in the development life cycle — so software you build gets tested before and as it ships, not just after it is deployed.
  • A.5.35 — Independent review of information security. Your approach to managing information security must be reviewed independently at planned intervals or when significant changes occur. Independent technical testing is one recognized way to give this control teeth.
  • A.8.16 — Monitoring activities. Networks, systems, and applications must be monitored for anomalous behaviour. Point-in-time testing and continuous monitoring are complements, not substitutes — auditors expect to see both ends covered.

Read together, these controls require a working pipeline: vulnerabilities discovered promptly, assessed against your exposure, fixed on a defensible timeline, and the whole approach reviewed independently. What none of them does is prescribe how deep the discovery must go. A quarterly authenticated scan and a full red-team engagement can both be “appropriate measures” — for different organizations. The depth is your call, made through the ISMS’s risk process — and because it is your call, the burden of justifying it is also yours.

The Audit

What Certification Auditors Look For

A certification auditor will not point to a clause that says “show me your pentest.” They will ask how you know your technical vulnerabilities — and then test whether your answer holds up. The evidence set that satisfies that question has become fairly standard:

  • A documented vulnerability-management process: what is in scope, who owns it, where vulnerability intelligence comes from, and how severity is rated.
  • A scanning cadence with remediation SLAs — and tickets or reports showing the SLAs are actually met, not just written down.
  • Evidence that internet-facing and business-critical systems received deeper testing than the rest of the estate — for most certified organizations, an annual penetration test report.
  • Retest evidence for critical and high findings: proof the fix was verified, not just that a ticket was closed.
  • Testing results feeding the risk register and risk treatment plan, so what the testers found visibly changed what the ISMS does next.

The conversation usually goes one level deeper than the paperwork. If your risk assessment rates your customer-facing platform as critical but your only evidence is an unauthenticated monthly scan, expect the auditor to probe the gap between the rating and the response. That gap — not the absence of a pentest as such — is what surfaces as a finding against A.8.8 or against your Clause 6.1 risk treatment. Auditors are assessing coherence: does the depth of testing match the risks you yourself wrote down?

In Practice

When a Pentest Is Effectively Unavoidable

“Risk-based” cuts both ways. It means the standard will not force a pentest on a five-person internal-tools shop — and it means several common situations make one practically mandatory:

  • Internet-facing products. If you run a SaaS platform, public APIs, or mobile apps, "we scanned but never had anyone attempt to exploit anything" is a hard position to defend in a risk-based audit.
  • Customer contractual commitments. Many enterprise contracts and security questionnaires require an annual penetration test outright. Once you have signed one, the pentest is a compliance obligation regardless of what ISO 27001 says.
  • High-risk profiles. Organizations handling payment data, health records, or other regulated information will struggle to argue that automated scanning alone matches their threat exposure.
  • Your own risk assessment says so. If your Clause 6.1 analysis rates external attack as a significant risk — as it almost always does for connected businesses — your treatment plan needs testing proportionate to that rating.

Notice the inversion. Under a prescriptive framework, the question is “which rule compels me to test?” Under ISO 27001, the question is “can I justify testing this little?” If the honest answer is no — and for anything internet-facing it usually is — the standard has effectively required a penetration test without ever using the words.

Scoping

Making the Test Count as Evidence

A penetration test only helps your certification if it connects back to the ISMS. A superb technical engagement that never touches the risk register is, from the auditor’s chair, an orphaned PDF. Five habits turn a pentest into audit evidence:

  • Scope from the risk assessment, not from habit. Internet-facing assets, systems holding sensitive data, and anything your risk register rates high go first; the asset inventory tells you what "everything internet-facing" actually means.
  • Match the test type to the asset: external network and web application or API testing for the perimeter, authenticated testing for multi-tenant products, internal or cloud-configuration review where the architecture warrants it.
  • Use testers independent of the people who built and run the systems — independence is what lets the same engagement double as evidence toward A.5.35’s independent-review expectation.
  • Insist on a report you can hand to an auditor: findings rated on a defined severity scale, mapped to affected assets, with remediation guidance — not a raw scanner export with a cover page.
  • Close the loop in writing: fix on your SLA, retest the criticals, record accepted risks with an owner and a review date, and update the risk register so the ISMS visibly learned something.

Timing matters too. If your certification or surveillance audit lands in the same quarter every year, schedule testing far enough ahead that criticals are remediated and retested before the auditor arrives — a report full of open critical findings dated two weeks before Stage 2 raises harder questions than no report at all would have.

Framework Contrast

How Other Frameworks Handle It

PCI DSS names the method. Requirement 11.4 explicitly mandates penetration testing: internal and external tests at least annually and after significant changes, performed under a defined methodology, with exploitable findings corrected and segmentation controls tested where they are relied on. If you handle payment card data, there is no risk assessment that argues you out of it.

Privacy laws name only the outcome. GDPR asks for “appropriate technical and organisational measures,” including a process for regularly testing and evaluating their effectiveness, and data-protection statutes such as the DPDP Act require “reasonable security safeguards” — with no method, cadence, or depth specified at all. What counts as appropriate gets argued about after the breach, not before it.

ISO 27001 sits in between. It is stricter than privacy law — an accredited auditor examines your vulnerability management every year and can raise nonconformities — but looser than PCI DSS, because the method remains yours to choose and defend. Outcome-required, method-flexible. That flexibility is a feature when your risk profile is genuinely modest, and no cover at all when it is not.

Recommendation

A Defensible Baseline

Among certified organizations, practice has converged on a recognizable baseline: an annual penetration test of internet-facing and critical systems, plus quarterly or continuous vulnerability scanning across the estate, with remediation SLAs tiered by severity and retests for critical findings. Scale it by risk in both directions — a high-change SaaS platform may warrant testing per major release, while a small organization with no internet-facing infrastructure may defensibly rely on scanning plus hardening reviews. Whatever you choose, write the rationale into your risk assessment and Statement of Applicability. The testing is only half the control; the documented, risk-based justification is the other half — and it is the half auditors read first.

If you want help closing the loop, Tranquility Cybersecurity delivers penetration testing (VAPT) services and prepares ISMS programs end to end — certification itself always comes from an accredited certification body, never from a consultant.

ISO 27001 & Penetration Testing — Common Questions

What the standard says, what auditors ask, and how often to test.

Does ISO 27001 require penetration testing?

Not by name — the words "penetration test" do not appear in ISO/IEC 27001:2022. The standard requires that technical vulnerabilities be identified in a timely fashion, evaluated, and remediated (Annex A control A.8.8), and that the depth of testing follow from your Clause 6.1 risk assessment. In practice, most certified organizations run penetration tests because it is the most defensible way to satisfy that requirement for internet-facing and critical systems.

What does control A.8.8 actually require?

A.8.8, Management of technical vulnerabilities, requires three things: obtain information about technical vulnerabilities of the systems you use in a timely fashion, evaluate your exposure to them, and take appropriate measures to address the risk. That translates into an asset-aware vulnerability-management process — scanning, vulnerability intelligence, severity rating, remediation SLAs, and managed exceptions. It names no specific tool, test type, or frequency; those choices are yours to make and defend.

Will the certification auditor ask for a pentest report?

Very often, yes — especially if you run internet-facing systems. Strictly, the auditor asks how you identify and remediate technical vulnerabilities, and a recent penetration test report is the strongest single answer. If you have no deeper testing on systems your own risk assessment rates as critical, expect probing questions, and potentially a nonconformity against A.8.8 or your risk treatment — not because a pentest is mandated, but because your evidence does not match your stated risks.

How often should we pentest for ISO 27001?

The standard sets no frequency — cadence is a risk-based decision. The common baseline among certified organizations is an annual penetration test of internet-facing and critical systems, plus testing after significant architectural changes. Higher-risk or high-change environments (SaaS platforms shipping continuously, fintech, health data) often test more frequently or per major release. Whatever cadence you choose, document the reasoning in your risk assessment so an auditor can follow it.

Is vulnerability scanning enough, or do we need a full pentest?

Scanning alone can be defensible for low-risk, internal-only estates — if your risk assessment genuinely supports that conclusion. But scanners find known, signature-matched issues; they do not chain findings, test business logic, or validate exploitability the way a human tester does. For internet-facing systems, most auditors expect evidence of deeper, manual testing on top of a scanning cadence. The practical pairing is continuous or quarterly scanning plus an annual penetration test.

How is ISO 27001 different from PCI DSS on penetration testing?

PCI DSS mandates penetration testing explicitly: Requirement 11.4 requires internal and external tests at least annually and after significant changes, under a defined methodology, with exploitable findings corrected. ISO 27001 mandates the outcome — technical vulnerabilities identified and treated — and leaves the method to your risk assessment. If you are subject to both, the PCI DSS testing program typically becomes part of the evidence that satisfies ISO 27001 control A.8.8.

Related reading: the ISO 27001 hub, the A.8.8 control guide (and all 93 Annex A controls), the mandatory clause-by-clause requirements, what an ISMS actually is, and what VAPT costs. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations