Compliance
ISO 27001
ISO/IEC 27001 Information Security Management
What we assess
What your
ISO 27001 test covers
We test the systems inside your ISMS scope and map every finding to the Annex A controls, giving your auditor evidence of control effectiveness rather than a raw scan.
Technical Vulnerability Management
The Annex A 8.8 control auditors most often want penetration testing to evidence.
We test for
- Known-vulnerability identification
- Patch and update verification
- Exploitability confirmation
- Remediation and retest evidence
Access Control & Identity
Whether access to in-scope systems is restricted the way your ISMS says it is.
We test for
- Access control and least privilege
- Authentication and MFA
- Privileged access management
- Account lifecycle checks
Network & Infrastructure
The perimeter and internal infrastructure supporting your ISMS scope.
We test for
- External perimeter testing
- Internal segmentation
- Secure configuration review
- Exposed service testing
Applications & Data
The applications and data flows your scope statement covers.
We test for
- Application security testing
- Encryption in transit and at rest
- Data handling and leakage
- Logging and monitoring coverage
How it works
How your engagement runs
From scope through the final retest, your team stays in the loop at every step,
with findings tracked live in our platform.
- 01
Scope the ISMS
We scope the systems in your ISMS and align testing to the Annex A controls.
- 02
Test controls
We test vulnerability management, access, and infrastructure security.
- 03
Annex A report
Findings mapped to the relevant Annex A controls, with an executive summary.
- 04
Fix & retest
Close the findings, then a free retest well ahead of your certification audit.
Resources
Field notes from the offensive side
Offense in Depth in Red Team Operations
Defense in depth layers protection. Offense in depth layers attack paths so a red team still reaches its objective when one route fails. Here is how it works.
Security Between Penetration Tests
An annual pentest covers two weeks and leaves fifty uncovered. Here is how to secure the rest of the year without waiting for the next scheduled engagement.
The Limits of AI in Penetration Testing
AI is changing penetration testing, but it will not replace human testers. Here is what it does well, where it falls short, and why judgment still wins.
Want to see a real report first?
Request a redacted sample report before you scope an engagement.
FAQ
Frequently asked questions
What teams most often ask before
ISO 27001 testing.
01Does ISO 27001 require penetration testing?
The standard does not name penetration testing outright, but Annex A control 8.8 requires managing technical vulnerabilities and your ISMS must prove its controls work. Certification and surveillance auditors routinely expect a penetration test as that evidence, and it is the cleanest way to provide it.
02When should we test relative to our audit?
Early enough that findings can be remediated and retested before your certification or surveillance audit, typically one to three months ahead. We build the timeline around your audit date and most clients then test annually to keep evidence current.
03Will the report satisfy our certification auditor?
Yes. Findings are mapped to the relevant Annex A controls with an executive summary for your management review, so the report drops into your ISMS evidence rather than needing translation.
Ready to test your defenses?
Talk to our team about what your ISO 27001 compliance requires.
Get a Fixed-Scope Quote
Tell us what you need tested. We reply within one business day.
Thanks, we've received your message.
We'll be in touch shortly.