ISO 27001 · Annex A · Penetration Testing

ISO 27001 pentest:
What your auditor wants to see – we deliver it

Anyone seeking ISO 27001 certification or renewing their certificate will need a penetration test sooner or later. Not because it would be nice – but because your auditor expects it. We deliver exactly that: a pentest report that addresses Annex A controls and holds up in any audit.

Annex A-compliant reporting · Audit-proof report format · Free initial consultation
What you get
Audit-proof test report
Our report is explicitly designed for ISO 27001 audits – with mapping to the relevant Annex A controls your auditor will examine.
Clear Annex A mapping
Every finding is mapped to the relevant ISO 27001 controls – A.8.8, A.8.11, A.5.15 and others. No interpretation work for your auditor.
Flexible scope
Whether initial certification, recertification, or an event-driven test after changes – we adapt the scope to your certification status.
Fast delivery
We know certification deadlines do not wait. On request we prioritise your project and deliver the report on time.
Our ISO 27001 pentest report is structured so that it provides your auditor with all necessary evidence – without follow-up questions.
The auditor perspective

What your ISO 27001 auditor actually expects

ISO 27001 does not explicitly require a penetration test – but every experienced auditor will expect one as evidence for several Annex A controls. Going into an audit without a current pentest report is a problem.

Show me how you systematically identify and remediate vulnerabilities in your environment. A penetration test is the appropriate instrument for this.
Typical statement from an ISO 27001 auditor in a Stage 2 audit

Annex A of ISO 27001 contains 93 controls. Several of them are difficult to evidence without a penetration test – particularly around vulnerability management, access controls, and network security. A missing or outdated pentest report is one of the most common reasons for findings and non-conformities in the audit.

No explicit mandatory document
ISO 27001 does not require a pentest – but controls A.8.8 and A.8.11 are nearly impossible to evidence without one.
Currency is decisive
A three-year-old pentest report will not convince any auditor. Most accept a maximum of 12 months.
Scope must match the ISMS
The pentest must cover the ISMS scope – not just test any system and hope it is sufficient.
Who is this relevant for?

ISO 27001 – for every organisation that needs to demonstrate security

Unlike NIS2 or KRITIS, ISO 27001 applies across all industries. Certification is pursued by those who choose it – or those who must, because customers or clients require it.

SaaS & cloud providers
Managed service providers
Government & public entities
Financial services & fintechs
Healthcare & medical technology
Defence & aerospace
Mid-market companies with enterprise clients
Research institutions & universities

Most common trigger: a major client sets ISO 27001 certification as a supplier requirement. After that, the clock is ticking.

Annex A mapping

ISO 27001 controls covered by our pentest

Annex A of ISO 27001:2022 contains 93 controls across four categories. A penetration test is the most direct evidence instrument for these six:

Control | Name | How our pentest helps | Module
A.8.8 | Vulnerability management | We systematically identify exploitable vulnerabilities – this is the most direct evidence for A.8.8. | All modules
A.8.11 | Data masking & system hardening | We test whether sensitive systems are adequately hardened and whether data access is correctly restricted. | Infra, AD
A.5.15 | Access control | We test whether access controls actually work in practice – not just exist on paper. | AD, Physical
A.8.20 | Network security | Segmentation, firewall rules, exposed services: we test the network against real attack patterns. | Infrastructure
A.7.2 | Physical access controls | For organisations with physical ISMS assets, we test whether access to critical areas is genuinely controlled. | Physical
A.5.37 | Documented operating procedures | Our final report documents methodology, scope, and findings in a structured way – as evidence for A.5.37. | All modules
Our approach

ISO 27001 pentest in 5 steps

Aligned with your certification status, your audit date, and the relevant Annex A controls.

STEP 01

ISMS scope analysis

We analyse your ISMS scope and clarify which systems, processes, and locations fall within the certification boundary – so the pentest covers exactly what your auditor examines.

STEP 02

Annex A mapping & scoping

Based on your ISMS, we define the pentest scope and map it to the relevant Annex A controls. No extra work for you at the audit.

STEP 03

Test execution

Manual penetration tests on agreed systems and areas. We document every step completely – auditors value traceability.

STEP 04

Risk assessment & prioritisation

Every finding is assessed by severity and ISMS relevance. Critical findings are communicated immediately – so you can act before the audit.

STEP 05

ISO 27001-compliant final report

Complete report with Annex A mapping, management summary, and technical appendix. Structured so your auditor finds all answers – without follow-up questions.

50,000+ ISO 27001-certified organisations worldwide
93 Annex A controls in ISO 27001:2022
6 controls directly evidenced by pentest
12 months maximum report age accepted by most auditors
What our ISO 27001 report contains
Explicit mapping to relevant Annex A controls
Management summary for ISMS managers and board
Technical appendix with complete methodology documentation
Prioritised remediation plan by severity and ISMS relevance
Re-test offer after remediation of findings before the audit
Relevant pentest modules

Which tests do you need for ISO 27001?

The right scope depends on your ISMS. These three modules cover the most common Annex A requirements.

Infrastructure & network

The core module for ISO 27001: vulnerability scans, network segmentation, exposed services, firewall rules. Directly relevant for A.8.8, A.8.20, and A.8.11.


Physical pentest

For organisations with physical ISMS assets: we test whether access controls for server rooms, data centres, and sensitive areas actually work (A.7.2).


Active Directory & access control

Access control is one of the most common audit topics. We test whether permissions, role concepts, and privileged accounts meet the ISO 27001 requirement A.5.15.

Frequently asked questions

ISO 27001 & penetration testing – your questions

ISO 27001 does not explicitly require a penetration test. But the standard requires evidence that vulnerabilities are systematically identified and remediated (A.8.8) and that access controls are effective (A.5.15). A penetration test is the most direct and convincing instrument for this evidence. In practice, nearly all experienced auditors will request a current pentest report – at the latest in the Stage 2 audit.

This depends on the auditor and the certification body – there is no universal rule. In practice, most auditors accept reports that are no older than 12 months. If there have been significant changes to the IT infrastructure since the last test, a new report is expected regardless of age. We recommend conducting the pentest at least six weeks before the planned audit date to leave sufficient time for remediation.

The pentest scope must match the ISMS scope. There is no benefit in testing an arbitrary system if your auditor has your core ISMS infrastructure in focus. We jointly analyse your ISMS scope and define a pentest scope that covers exactly what is needed – leaving no open questions for your auditor.

Technically yes – but we advise against it. Ideally, conduct the pentest at least six weeks before the audit. This gives you time to remediate critical findings and document this in the report. A report with open critical findings is a burden in the audit. A report with remediated findings and a re-test confirmation is a strong argument.

That is exactly the point of the pentest – and no reason to panic. Knowing findings before the audit is better than not knowing them. We communicate critical findings immediately after discovery so you can act. After remediation, we conduct a re-test on request and document the successful fix in the report. This shows your auditor a working improvement cycle – exactly what ISO 27001 requires.

The methods are technically identical. The difference lies in reporting and preparation. Our ISO 27001 pentest begins with an analysis of your ISMS scope, maps the pentest scope to the relevant Annex A controls, and delivers a report explicitly aligned with the evidence requirements of the standard. A standard pentest report without this mapping creates unnecessary extra work at the audit.

© AccessGranted X GmbH