What Is ISO 27001?
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It defines a risk-based framework for managing information security — people, processes, and technology — with 93 controls in Annex A covering everything from access control to threat intelligence. Penetration testing evidence supports several Annex A controls including A.8.8 (vulnerability management) and A.8.29 (security testing).
Annex A controls relevant to penetration testing
- A.5.7 — Threat intelligence
- A.5.30 — ICT readiness for business continuity
- A.8.8 — Management of technical vulnerabilities (where pentest reports show the auditor what you discovered and fixed)
- A.8.29 — Security testing in development and acceptance
- A.5.21 — Managing information security in the ICT supply chain
How certification works
The Stage 1 audit reviews your ISMS documentation. The Stage 2 audit verifies that the controls operate effectively by sampling evidence. Once certified, you maintain a 3-year cycle with annual surveillance audits and a full recertification audit at year 3. Penetration testing evidence is reviewed at every stage.
SQUR and ISO 27001
SQUR pentest reports are designed for auditor consumption: every finding includes a control-mapping table (which Annex A controls the finding affects, which the remediation closes), reproducible evidence, and a re-test artefact when fixed. Auditors get the trail they need without your team manually translating engineering output into compliance language.
Frequently asked questions
Is ISO 27001 mandatory?
Not by law in most countries — but it's often a contractual requirement for selling to enterprises, public-sector tenders, and regulated industries. Many DORA and NIS2 implementations explicitly accept ISO 27001 evidence as part of compliance demonstration.
How often do I need to pentest for ISO 27001?
The standard doesn't specify a frequency — it says testing should be commensurate with risk. Most organisations pentest at least annually and after major changes. For higher-risk entities (financial services, healthcare), quarterly or continuous testing is common.
What's the difference between ISO 27001:2013 and 2022?
The 2022 update consolidated controls (from 114 to 93), added new controls (threat intelligence, secure coding, cloud services), and reorganised the Annex A structure. If you certified to 2013, you have a 3-year transition window to update.