ISO 27001 Pentest Requirements: What Auditors Actually Check
A 2025 update on how Annex A controls 8.8 and 8.29 are interpreted by auditors — scope, frequency, evidence, and what to do when findings are still open at audit time.
What ISO 27001:2022 actually requires
ISO 27001 never uses the word 'pentest' and does not mandate one by that name. The expectation lives in Annex A controls 8.8 (technical vulnerability management) and 8.29 (security testing in development and acceptance).
In practice, every certifying body we work with expects an independent technical assessment of internet-facing systems at least annually, plus testing after significant change. Self-scans are not enough.
Scope and frequency that actually pass
Scope must cover the systems within your ISMS boundary that process, or can affect the confidentiality, integrity or availability of, in-scope information. For most SaaS products this means the production app, the authentication surface, and key internal admin tools.
Frequency: annually as a floor, plus after major architectural changes (new auth provider, cloud migration, M&A). Quarterly automated scans complement but do not replace manual testing.
Evidence auditors actually want
A scope letter, methodology summary, finding severity matrix, remediation plan with owners and dates, and proof of retest are the artefacts that close the control cleanly.
A polished PDF report with the testers' credentials, CVSS scores and reproduction steps is the gold standard. Bullet points in a Notion page are not.
Open findings at audit time
Auditors do not expect zero findings — they expect a managed process. Document the risk acceptance, the compensating controls, and the remediation timeline.
High and critical findings without compensating controls are the most common cause of non-conformities. Get a retest letter before the audit window.
A 30-day playbook before your audit
Week 1: lock scope with security and engineering. Week 2: testing window. Week 3: triage and quick wins. Week 4: retest, sign-off and evidence packaging.
StartSecure delivers ISO 27001-ready reports including the evidence pack auditors expect, plus a free retest after fixes.