ISO 27001

ISO 27001 Penetration Testing

Annex A control validation from a 20-year Canadian cybersecurity firm. Reports formatted for your certification auditor.

Sherlock Forensics delivers ISO 27001 penetration testing with findings mapped to Annex A controls and the Statement of Applicability. Testing satisfies Annex A.12.6 (technical vulnerability management) and A.18.2 (independent review). Engagements include external and internal testing, remediation roadmap and attestation letter. Starting at $3,500 CAD across Canada.

The Standard

What ISO 27001 Requires

ISO 27001 is the international standard for information security management systems (ISMS). While the standard does not use the phrase "penetration test," three controls create a clear requirement for independent technical testing. Certification auditors routinely request penetration test reports as primary evidence for these controls.

Annex A.12.6 - Technical Vulnerability Management
Requires organizations to obtain timely information about technical vulnerabilities, evaluate exposure and take appropriate measures. A penetration test is the most direct way to identify exploitable vulnerabilities in your environment and demonstrate that you have a process for managing them. Auditors expect to see evidence that vulnerabilities were identified, assessed for risk and remediated.
Annex A.18.2 - Independent Review of Information Security
Requires that the organization's approach to managing information security be independently reviewed at planned intervals or when significant changes occur. An external penetration test performed by a qualified third party satisfies this requirement. The review must be independent of the teams responsible for implementing the controls being tested.
Clause 8 - Operational Planning and Control
Clause 8 requires organizations to plan, implement and control the processes needed to meet information security requirements. This includes establishing criteria for the processes and implementing control of those processes in accordance with the criteria. Penetration testing provides measurable evidence that security controls are operating as designed and that operational processes are producing the intended security outcomes.

For a broader overview of how penetration testing maps to multiple compliance frameworks, see our compliance penetration testing page.

Scope

What Our ISO 27001 Pentest Covers

Our testing methodology follows PTES and OWASP standards. Every finding is mapped to the relevant Annex A control and cross-referenced against your Statement of Applicability. The following test areas are included based on the systems defined in your ISMS scope.

External Network Testing

Perimeter assessment of all internet-facing systems within your ISMS scope. We enumerate services, identify misconfigurations and attempt exploitation of vulnerabilities in firewalls, VPNs, mail servers and public-facing infrastructure. Findings map to Annex A.13.1 (network security management) and A.12.6.

Internal Network Testing

Simulated insider threat assessment from within your network. We test lateral movement paths, privilege escalation, Active Directory weaknesses and segmentation controls. Findings map to Annex A.9.1 (access control policy), A.9.4 (system and application access control) and A.13.1.

Web Application Testing

OWASP Top 10 assessment of web applications within your ISMS scope. We test authentication, authorization, session management, input validation and business logic. Findings map to Annex A.14.1 (security requirements of information systems) and A.14.2 (security in development and support processes).

API Testing

Assessment of REST and SOAP APIs for authentication bypass, injection, broken object-level authorization and data exposure. APIs are a growing attack surface that many organizations overlook in their ISMS scope. Findings map to Annex A.14.1 and A.13.2 (information transfer).

Social Engineering

Phishing simulations and pretexting exercises that test your human controls. ISO 27001 Annex A.7.2 requires information security awareness and training. Social engineering testing provides measurable evidence of whether your training program is effective and where gaps remain.

Wireless Network Testing

Assessment of wireless infrastructure including rogue access point detection, encryption strength, authentication mechanisms and segmentation. Findings map to Annex A.13.1 (network security management) and A.11.1 (secure areas). Included when wireless networks are within ISMS scope.

For details on our general penetration testing methodology and deliverables, visit our main service page.

Framework Comparison

ISO 27001 vs SOC 2 Penetration Testing

Many organizations pursue both ISO 27001 certification and SOC 2 attestation. The testing methodology is similar but the report format and control mapping differ. The table below outlines the key differences.

Dimension        | ISO 27001                                                                  | SOC 2
Scope            | Systems defined in the ISMS scope and Statement of Applicability           | Systems relevant to Trust Services Criteria in the system description
Controls tested  | Annex A controls (A.12.6, A.18.2, A.13.1, A.14.1)                          | Trust Services Criteria (CC6.1, CC7.1, CC7.2)
Report format    | Findings mapped to Annex A controls and Statement of Applicability         | Findings mapped to Trust Services Criteria with attestation letter
Audit body       | ISO certification body (e.g. BSI, SGS, Bureau Veritas)                     | CPA firm
Frequency        | Annual minimum; also after significant changes                             | Annual for Type II; once for Type I
Sherlock pricing | From $3,500 CAD                                                            | From $5,000 CAD

If your organization requires SOC 2 attestation, see our dedicated SOC 2 penetration testing page. We can produce reports mapped to both frameworks from a single engagement.

Pricing

ISO 27001 Pentest Pricing

Starting at $3,500 CAD

Our ISO 27001 penetration test includes external and internal network testing with all findings mapped to the relevant Annex A controls. The engagement includes a detailed findings report with CVSS v3.1 scoring, executive summary, remediation roadmap prioritized by risk and a formal attestation letter for your certification auditor.

Annex A Control Mapping

Every finding in the report is mapped to the specific Annex A control it affects. Your auditor can cross-reference findings directly against your Statement of Applicability without additional interpretation. If your auditor requires a specific report format or supplementary documentation, we accommodate those requests at no extra cost.

5-10 Business Days

Standard engagements are completed within 5 to 10 business days from kickoff to final report delivery. We recommend scheduling your pentest at least 4 weeks before your surveillance or certification audit to allow time for remediation of critical findings.

Pricing depends on the number of in-scope systems, network complexity and whether social engineering or wireless testing is required. Order online or contact us for a custom quote. For organizations also pursuing PIPEDA compliance, see our PIPEDA compliance guide.

Frequently Asked Questions

ISO 27001 Penetration Testing FAQs

Does ISO 27001 require a penetration test?
ISO 27001 does not explicitly mandate penetration testing but Annex A.12.6 requires technical vulnerability management and Annex A.18.2 requires independent review of information security. Penetration testing is the standard evidence auditors accept to satisfy both controls. Most certification bodies treat a current pentest report as essential evidence during surveillance and recertification audits.
What is the difference between ISO 27001 and SOC 2 penetration testing?
ISO 27001 pentests map findings to Annex A controls and the Statement of Applicability. SOC 2 pentests map to Trust Services Criteria. The testing methodology is similar but the report format and control mapping differ significantly. Sherlock Forensics produces reports formatted for either framework and can deliver dual-mapped reports from a single engagement.
How much does an ISO 27001 pentest cost in Canada?
An ISO 27001 penetration test at Sherlock Forensics starts at $3,500 CAD. This includes external and internal testing with findings mapped to Annex A controls. Pricing depends on the number of systems in scope and the complexity of the environment. Order online or contact us for a custom quote.
How often should I do a penetration test for ISO 27001?
ISO 27001 requires ongoing evaluation of information security controls. Most certification bodies expect annual penetration testing at minimum. Testing should also occur after significant changes to infrastructure, applications or network architecture. If you undergo a major system migration or add new services to your ISMS scope, schedule a pentest before your next surveillance audit.

Get Started

Ready for your ISO 27001 pentest?

From $3,500 CAD. Annex A control mapping included. Reports formatted for your certification auditor with attestation letter.

Order Online

Scope Your ISO 27001 Penetration Test

Tell us about your ISMS scope, certification timeline and auditor requirements. We will provide a fixed-price quote within one business day.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada
Typical Timeline: 5-10 business days from kickoff to final report