ISO/IEC 27001:2022 certifies the existence and effectiveness of an Information Security Management System (ISMS). CyberFortify's offensive testing produces the technical evidence required for Annex A.8.29 (security testing) and A.8.8 (vulnerability management) on every engagement.
// 01 What ISO/IEC 27001:2022 actually is
An international standard specifying requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Maintained jointly by ISO and IEC.
The 2022 revision restructured Annex A from 14 domains and 114 controls into 4 themes and 93 controls, with 11 new controls reflecting modern attack surface (cloud, threat intelligence, secure coding, security testing in development).
ISO 27001 differs from SOC 2 and NIST CSF in a critical way: it is certifiable by accredited bodies, not assertion-based. A successful certification audit ends with a certificate from an accredited registrar, valid for three years with annual surveillance audits in between. Enterprise procurement teams in Europe, the UK, the Middle East and parts of APAC treat ISO 27001 certification as table-stakes for any vendor handling sensitive data.
// 02 Annex A - the four themes
Organizational
Policies, roles, threat intelligence, supplier relationships, incident management. The cross-cutting governance layer of the standard.
People
Screening, terms of employment, awareness training, disciplinary process, post-employment responsibilities.
Physical
Site security perimeters, cabling, secure areas, equipment maintenance, working in secure areas.
Technological
The technical control family. Includes A.8.8 vulnerability management, A.8.28 secure coding, A.8.29 security testing in development - all directly satisfied by CyberFortify pen testing evidence.
// 03 How CyberFortify pen testing satisfies Annex A
Three Annex A controls are directly satisfied by penetration testing evidence on every CyberFortify engagement.
Management of technical vulnerabilities
"Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken." CyberFortify's technical findings report and remediation playbook are direct evidence.
Direct evidenceSecure coding
"Secure coding principles shall be applied to software development." Pen testing produces feedback on the actual security posture of code in production - evidence the secure coding programme is functioning.
Effectiveness evidenceSecurity testing in development and acceptance
"Security testing processes shall be defined and implemented in the development life cycle." This is the headline pen testing requirement - satisfied by every CyberFortify web application pen test, API pen test and mobile pen test.
Direct evidenceMonitoring activities
"Networks, systems and applications shall be monitored for anomalous behaviour." Red team and purple-team engagements directly test the effectiveness of monitoring.
Detection evidenceThreat intelligence
"Information relating to information security threats shall be collected and analysed to produce threat intelligence." Pen testing reports inform organisational threat intelligence with first-party data.
Supporting evidence// 04 The three-year certification cycle
An ISO 27001 certification follows a predictable lifecycle. CyberFortify's compliance consulting service supports each stage with the right offensive testing cadence.
Stage 1 audit (Document review)
The auditor reviews the ISMS documentation: scope statement, policies, Statement of Applicability, risk assessment outputs.
Stage 2 audit (Implementation)
On-site or remote evidence review. Pen testing reports are core technical evidence at this stage.
Surveillance audits (Year 1, 2)
Annual reduced-scope audits confirming the ISMS continues to operate. Pen tests are typically refreshed annually.
Recertification (Year 3)
Full re-audit. Equivalent in scope to Stage 2. CyberFortify customers refresh their pen test inventory ahead of recertification.
// 05 Frequently asked questions
Is ISO 27001 mandatory anywhere?
Not regulatory in most jurisdictions, but operationally mandatory: most enterprise procurement teams in Europe, UK, Middle East and parts of APAC require it from any vendor handling sensitive data. Many regulators reference it implicitly (NIS2, DORA, NYDFS).
How often must I pen test for ISO 27001?
The standard does not specify a frequency, but auditors in practice expect at least annual penetration testing of in-scope information systems - with additional ad-hoc testing after major changes. CyberFortify's annual pen test cadence is engineered to align with this expectation.
Can a single CyberFortify engagement produce ISO 27001 + SOC 2 + PCI evidence?
Yes. Our reports include cross-framework mappings on every finding so a single engagement can satisfy multiple audit cycles. This is a flagship value of our integrated compliance consulting practice.