Skip to content

Compliance

ISO 27001

ISO/IEC 27001 Information Security Management

What we assess

What your ISO 27001 test covers

We test the systems inside your ISMS scope and map every finding to the Annex A controls, giving your auditor evidence of control effectiveness rather than a raw scan.

Technical Vulnerability Management

The Annex A 8.8 control auditors most often want penetration testing to evidence.

We test for

  • Known-vulnerability identification
  • Patch and update verification
  • Exploitability confirmation
  • Remediation and retest evidence

Access Control & Identity

Whether access to in-scope systems is restricted the way your ISMS says it is.

We test for

  • Access control and least privilege
  • Authentication and MFA
  • Privileged access management
  • Account lifecycle checks

Network & Infrastructure

The perimeter and internal infrastructure supporting your ISMS scope.

We test for

  • External perimeter testing
  • Internal segmentation
  • Secure configuration review
  • Exposed service testing

Applications & Data

The applications and data flows your scope statement covers.

We test for

  • Application security testing
  • Encryption in transit and at rest
  • Data handling and leakage
  • Logging and monitoring coverage

How it works

How your engagement runs

From scope through the final retest, your team stays in the loop at every step, with findings tracked live in our platform.

  1. 01

    Scope the ISMS

    We scope the systems in your ISMS and align testing to the Annex A controls.

  2. 02

    Test controls

    We test vulnerability management, access, and infrastructure security.

  3. 03

    Annex A report

    Findings mapped to the relevant Annex A controls, with an executive summary.

  4. 04

    Fix & retest

    Close the findings, then a free retest well ahead of your certification audit.

FAQ

Frequently asked questions

What teams most often ask before ISO 27001 testing.

Still have questions?
01Does ISO 27001 require penetration testing?

The standard does not name penetration testing outright, but Annex A control 8.8 requires managing technical vulnerabilities and your ISMS must prove its controls work. Certification and surveillance auditors routinely expect a penetration test as that evidence, and it is the cleanest way to provide it.

02When should we test relative to our audit?

Early enough that findings can be remediated and retested before your certification or surveillance audit, typically one to three months ahead. We build the timeline around your audit date and most clients then test annually to keep evidence current.

03Will the report satisfy our certification auditor?

Yes. Findings are mapped to the relevant Annex A controls with an executive summary for your management review, so the report drops into your ISMS evidence rather than needing translation.

Ready to test your defenses?

Talk to our team about what your ISO 27001 compliance requires.

Get a Fixed-Scope Quote

Tell us what you need tested. We reply within one business day.