$ pentest --compliance=iso27001
ISO 27001:2022 Annex A.8.8 (Management of technical vulnerabilities) is the canonical place where pen-test evidence sits. Certification bodies expect to see a recent pen-test report.
An ISO 27001 pen test for a mid-market organisation runs $10,000 to $40,000 in 2026, scoped to the in-scope ISMS systems. Certification-body expectations vary; some accept a vulnerability-scan-plus-internal-test combination, others want a full external pen test.
Last verified June 2026
$ drivers --price
- ISMS scope size
Number of in-scope systems and processes.
- Internal AND external coverage
Most certification bodies expect both layers.
- Application-layer in scope
If apps are in the ISMS, app-layer pen test is expected.
- Certification body preference
Some accept lighter testing if vuln management is strong; ask before scoping.
- Re-certification cycle
Three-year ISO cycle. Pen-test cadence usually annual within it.