Framework B.06 · ISO/IEC 27001:2022

ISO/IEC 27001:2022 - Annex A and how penetration testing satisfies it.

ISO/IEC 27001:2022 is the most internationally recognised information security management standard. CyberFortify's penetration testing and compliance consulting services produce the technical evidence ISO 27001 auditors specifically request - A.8.29 (security testing in development), A.8.8 (vulnerability management) and the new 2022-revision Annex A controls.

Standard: ISO/IEC 27001:2022 Annex A: 93 controls Surveillance: Annual audit + 3-year recertification
93
Annex A controls
4
Themes (Org/People/Phys/Tech)
3yr
Certification cycle
11
New 2022 controls
2022 revision: A.5 Organizational · A.6 People · A.7 Physical · A.8 Technological · A.5.7 Threat intelligence · A.5.23 Cloud services · A.8.9 Configuration management · A.8.16 Monitoring · A.8.23 Web filtering · A.8.28 Secure coding · A.8.29 Security testing in development 2022 revision: A.5 Organizational · A.6 People · A.7 Physical · A.8 Technological · A.5.7 Threat intelligence · A.5.23 Cloud services · A.8.9 Configuration management · A.8.16 Monitoring · A.8.23 Web filtering · A.8.28 Secure coding · A.8.29 Security testing in development
// Executive summary

ISO/IEC 27001:2022 certifies the existence and effectiveness of an Information Security Management System (ISMS). CyberFortify's offensive testing produces the technical evidence required for Annex A.8.29 (security testing) and A.8.8 (vulnerability management) on every engagement.

// 01 What ISO/IEC 27001:2022 actually is

// DefinitionISO 27001:2022

An international standard specifying requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Maintained jointly by ISO and IEC.

The 2022 revision restructured Annex A from 14 domains and 114 controls into 4 themes and 93 controls, with 11 new controls reflecting modern attack surface (cloud, threat intelligence, secure coding, security testing in development).

ISO 27001 differs from SOC 2 and NIST CSF in a critical way: it is certifiable by accredited bodies, not assertion-based. A successful certification audit ends with a certificate from an accredited registrar, valid for three years with annual surveillance audits in between. Enterprise procurement teams in Europe, the UK, the Middle East and parts of APAC treat ISO 27001 certification as table-stakes for any vendor handling sensitive data.

// 02 Annex A - the four themes

A.537 controls

Organizational

Policies, roles, threat intelligence, supplier relationships, incident management. The cross-cutting governance layer of the standard.

A.68 controls

People

Screening, terms of employment, awareness training, disciplinary process, post-employment responsibilities.

A.714 controls

Physical

Site security perimeters, cabling, secure areas, equipment maintenance, working in secure areas.

A.834 controls · pen-test relevant

Technological

The technical control family. Includes A.8.8 vulnerability management, A.8.28 secure coding, A.8.29 security testing in development - all directly satisfied by CyberFortify pen testing evidence.

// 03 How CyberFortify pen testing satisfies Annex A

Three Annex A controls are directly satisfied by penetration testing evidence on every CyberFortify engagement.

A.8.8

Management of technical vulnerabilities

"Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken." CyberFortify's technical findings report and remediation playbook are direct evidence.

Direct evidence
A.8.28

Secure coding

"Secure coding principles shall be applied to software development." Pen testing produces feedback on the actual security posture of code in production - evidence the secure coding programme is functioning.

Effectiveness evidence
A.8.29

Security testing in development and acceptance

"Security testing processes shall be defined and implemented in the development life cycle." This is the headline pen testing requirement - satisfied by every CyberFortify web application pen test, API pen test and mobile pen test.

Direct evidence
A.8.16

Monitoring activities

"Networks, systems and applications shall be monitored for anomalous behaviour." Red team and purple-team engagements directly test the effectiveness of monitoring.

Detection evidence
A.5.7

Threat intelligence

"Information relating to information security threats shall be collected and analysed to produce threat intelligence." Pen testing reports inform organisational threat intelligence with first-party data.

Supporting evidence

// 04 The three-year certification cycle

An ISO 27001 certification follows a predictable lifecycle. CyberFortify's compliance consulting service supports each stage with the right offensive testing cadence.

1

Stage 1 audit (Document review)

The auditor reviews the ISMS documentation: scope statement, policies, Statement of Applicability, risk assessment outputs.

2

Stage 2 audit (Implementation)

On-site or remote evidence review. Pen testing reports are core technical evidence at this stage.

3

Surveillance audits (Year 1, 2)

Annual reduced-scope audits confirming the ISMS continues to operate. Pen tests are typically refreshed annually.

4

Recertification (Year 3)

Full re-audit. Equivalent in scope to Stage 2. CyberFortify customers refresh their pen test inventory ahead of recertification.

// 05 Frequently asked questions

Is ISO 27001 mandatory anywhere?

Not regulatory in most jurisdictions, but operationally mandatory: most enterprise procurement teams in Europe, UK, Middle East and parts of APAC require it from any vendor handling sensitive data. Many regulators reference it implicitly (NIS2, DORA, NYDFS).

How often must I pen test for ISO 27001?

The standard does not specify a frequency, but auditors in practice expect at least annual penetration testing of in-scope information systems - with additional ad-hoc testing after major changes. CyberFortify's annual pen test cadence is engineered to align with this expectation.

Can a single CyberFortify engagement produce ISO 27001 + SOC 2 + PCI evidence?

Yes. Our reports include cross-framework mappings on every finding so a single engagement can satisfy multiple audit cycles. This is a flagship value of our integrated compliance consulting practice.

Ready for an ISO 27001-aligned engagement?

Schedule a 30-minute scoping call. CyberFortify will recommend the right offensive testing service plus compliance consulting support and quote a fixed-price engagement.

Schedule scoping call → Back to CyberFortify home →