ISO/IEC 27001:2022

A.8.8 and A.8.29. Expected, not mandated. Evidence either way.

ISO 27001 penetration testing

ISO 27001:2022 does not literally mandate a penetration test. The standard refers to "security testing" and "technical vulnerability management" under Annex A controls A.8.8 and A.8.29. Every certification body we have worked with expects pen testing as the normal evidence. Cyber Node delivers that evidence in a form your certification body and your internal auditor will accept without follow-up questions.

What the standard says

ISO 27001:2022 Annex A controls, quoted

The 2022 edition reorganised Annex A from 114 controls into 93 controls across four themes. Below are the controls a pen test directly evidences, in the standard's own language.

  • A.8.8 Management of technical vulnerabilities

    "Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken." A pen test is the standard input to this control, alongside vulnerability scanning and threat intelligence.

  • A.8.29 Security testing in development and acceptance

    "Security testing processes shall be defined and implemented in the development life cycle." For web applications and APIs, this is where pen test evidence lands directly.

  • A.8.25 and A.8.26 Secure development

    "Rules for the secure development of software and systems shall be established and applied." A pen test validates whether those rules are actually followed in production code, not just written into policy.

  • A.5.23 Information security for use of cloud services

    Where in scope, cloud configuration testing evidences this control. Common for AU organisations running on AWS, Azure, or GCP.

  • A.5.7 Threat intelligence, A.8.16 Monitoring

    Indirectly supported. Pen test activity exercises your detection and response. Absence of detection is a finding; presence is evidence.

What we deliver, what we refer

ISO 27001 engagement scope, honestly

In scope for Cyber Node

Technical testing and control validation

  • Application and API penetration testing (A.8.29)

  • Infrastructure and network testing (A.8.8)

  • Cloud configuration review (A.5.23)

  • Findings mapped to specific Annex A controls

  • Coordination with your certification body

  • Free retest within 60 days

Out of scope, we refer

ISMS implementation and audit

  • ISMS build and Statement of Applicability

    Vanta, Drata, or specialist GRC consultancies.

  • Risk assessment and risk treatment plan

    GRC consultancies.

  • Stage 1 and Stage 2 certification audit

    Accredited certification bodies. We recommend a shortlist.

  • Internal audit function

    Independent internal auditors or partner firms.

  • Policy and procedure authoring

    GRC consultancies and platform templates.

ISO 27001 FAQ

Questions from auditors and certification buyers

  • Does ISO 27001:2022 require a penetration test?

    The ISO 27001:2022 standard does not literally mandate a pen test. Controls A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development and acceptance) are the closest explicit references. Certification bodies and external auditors expect a pen test as the normal evidence for these controls.

  • Which Annex A controls does a pen test evidence?

    A.8.8, A.8.25, A.8.26, A.8.29 most directly. Indirectly it supports A.5.7 (threat intelligence), A.5.24 to A.5.30 (incident management), A.8.16 (monitoring), and A.5.23 (information security for use of cloud services) depending on scope.

  • How often should we pen test for ISO 27001?

    Annually, plus after any significant change to applications or infrastructure that is within the ISMS scope. This frequency is what most certification bodies expect to see in the internal audit record.

  • Can Cyber Node support our certification audit?

    Yes. Cyber Node delivers the pen test component ahead of Stage 2 audits and during surveillance audit cycles. We do not perform the Stage 1 or Stage 2 audits themselves; those are performed by accredited certification bodies, and we refer.

  • Can Cyber Node help build our ISMS?

    We can advise on the pen test and technical scanning inputs into the process, and on how findings flow through risk treatment. We do not write the ISMS procedures themselves; that work sits with GRC consultancies or platforms like Vanta and Drata.

ISO 27001 engagement

Evidence that survives surveillance audits