Penetration testing for ISO 27001.

ISO 27001 does not demand a penetration test in so many words, but auditors expect one. An independent test is how you show controls like technical vulnerability management are actually working. We run that test to CREST standards and hand your certification body a report and a prioritised fix list they can rely on. We are not your certification body: that is a separate, independent step, and keeping it that way is part of what makes the evidence credible.

What ISO 27001 asks for.

Independent testing is a big part of how you satisfy it. On the testing side, this is what the process expects.

  • Annex A 8.8: managing technical vulnerabilities across your systems
  • Evidence that your controls work in practice, not just on paper
  • Independent assurance an auditor can rely on
  • Retesting that shows findings were actually fixed

Who does what.

A penetration test is one piece of the picture. Here is the clean line between the testing we do and the certification a separate, independent party provides.

All-Secure

We do the testing

  • The independent penetration test, by CREST-certified testers
  • A clear report mapped to the controls your auditor checks
  • Prioritised remediation and a free retest of critical and high findings
Your ISO 27001 certification body

They do the rest

  • The Stage 1 and Stage 2 audits
  • The decision to certify, and the certificate itself

ISO 27001, answered.

Straight answers to what clients ask most.

Does ISO 27001 require a penetration test?

Not by name, but in practice yes. Annex A 8.8 covers technical vulnerability management, and auditors expect independent evidence that it works. A penetration test is the usual way to provide it.

Do you certify us for ISO 27001?

No. We are the penetration testers, not a certification body. We give you the independent test and evidence; a separate, accredited certification body runs the audit and issues the certificate. That separation is deliberate: an auditor trusts a test more when the people who ran it have no stake in the result.

How often do we need to test for ISO 27001?

Most organisations test at least once a year and after any significant change, which fits the continual-improvement expectation in the standard. We will help you agree a cadence that satisfies your auditor.

Need a pen test for ISO 27001?

Tell us where you are in the process and who is asking. We will come back within one working day with a suggested approach and a fixed-price scope, with no sales theatre.

Book a scoping call