ISO/IEC 27001:2022 has 93 Annex A controls and not one of them says the words "penetration testing". Yet every Stage 2 audit asks for VAPT evidence. Here is exactly which controls auditors map it to, and the four documents you need on file.
The three relevant controls
A.8.8 — Management of technical vulnerabilities
The text requires the organisation to obtain timely information about vulnerabilities, evaluate exposure, and take action. The implementation guidance — and ISO 27002:2022 makes this explicit — names penetration testing among the techniques to identify exposures. Stage 2 auditors universally expect a VAPT report or equivalent as the evidence artifact.
A.8.29 — Security testing in development and acceptance
Requires security testing in the development lifecycle. For organisations that run a software development lifecycle this maps to SAST, DAST, and a pre-release pen test of significant features. The auditor will ask for the test report from the most recent release.
A.5.35 — Independent review of information security
An independent third-party review. A vendor-conducted VAPT — by a firm not on the audited organisation's payroll — is the canonical artifact. This is the control that prevents internal-team-only testing.
The four documents on file
- Pen test policy. One page. Specifies scope, frequency (annual + on significant change), authorisation, and rules of engagement. References A.8.8 and A.8.29 directly.
- Most recent VAPT report. Dated within the audit window (typically 12 months). Engineer-written, with reproducible findings.
- Remediation plan. Each Critical/High finding mapped to a fix, an owner, and a target date.
- Re-test attestation. Confirmation that the Critical/High findings have been fixed and verified. The free re-test we include exists for this artifact.
Common Stage 2 audit findings
- VAPT report exists but is older than 14 months — non-conformity.
- VAPT was scanner-only — observation, often escalates to a non-conformity if no manual testing artifact exists.
- Critical findings have no remediation evidence — non-conformity.
- Pen test scope did not cover the production environment — non-conformity.
- Same vendor for three consecutive years with no rotation — observation only, but recommended in the auditor letter.
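A pre-audit readiness check that walks an evidence package against the findings listed above, as an added example that is not part of the original article. The 14-month limit, the Critical/High threshold, the production-scope rule and the three-year vendor rotation come from the lists above; the record fields and the rule that a Critical/High finding needs both a remediation entry and a re-test confirmation to count as evidenced are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    ident: str
    severity: str      # "Critical", "High", "Medium" or "Low"
    remediation: bool  # fix, owner and target date recorded in the remediation plan
    retested: bool     # closure confirmed in the re-test attestation
@dataclass
class VaptEvidence:
    report_date: date
    manual_testing_artifact: bool  # tester-written findings, not a scanner export alone
    covers_production: bool        # scope matched the ISMS production environment
    vendors: list                  # testing vendor per year, oldest first
    findings: list

def months_between(earlier: date, later: date) -> int:
    # Whole calendar months elapsed, respecting the day of month
    months = (later.year - earlier.year) * 12 + later.month - earlier.month
    return months - 1 if later.day < earlier.day else months

def evaluate(ev: VaptEvidence, audit_date: date) -> list:
    # Returns (level, message) pairs in the order an auditor would walk the package
    issues = []
    age = months_between(ev.report_date, audit_date)
    if age > 14:
        issues.append(("non-conformity", f"VAPT report is {age} months old (limit 14)"))
    if not ev.manual_testing_artifact:
        issues.append(("observation", "scanner-only VAPT, no manual testing artifact"))
    for f in ev.findings:  # only Critical/High need closure evidence (assumption: both docs)
        if f.severity in ("Critical", "High") and not (f.remediation and f.retested):
            issues.append(("non-conformity", f"{f.ident} ({f.severity}) lacks remediation/re-test evidence"))
    if not ev.covers_production:
        issues.append(("non-conformity", "scope did not cover the production environment"))
    if len(ev.vendors) >= 3 and len(set(ev.vendors[-3:])) == 1:
        issues.append(("observation", f"same vendor ({ev.vendors[-1]}) three consecutive years"))
    return issues

# Constructed sample evidence package (not real audit data)
SAMPLE = VaptEvidence(
    report_date=date(2022, 12, 15),
    manual_testing_artifact=True,
    covers_production=True,
    vendors=["VendorA", "VendorA", "VendorA"],
    findings=[
        Finding("F-01", "Critical", remediation=True, retested=True),
        Finding("F-02", "High", remediation=True, retested=False),
        Finding("F-03", "Medium", remediation=False, retested=False),
    ],
)
```

Run `evaluate(SAMPLE, <audit date>)` to get the list of points an auditor would raise; against an audit date of 1 April 2024 the sample yields two non-conformities (report age, F-02) and one observation (vendor rotation).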
Cadence
The minimum auditor expectation is annual. The mature posture is annual + on significant change — where "significant change" means a new module, an architectural change, or a major framework upgrade. For DevOps shops we recommend a continuous component (scanner + SAST in CI) plus the annual deep VAPT.
Scope of the test
Match it to the ISMS scope. If the ISMS covers "the production environment of the customer-facing application", the VAPT should cover the customer-facing application. Internal corporate IT is in scope only if the ISMS includes it. Office Wi-Fi and laptops are rarely needed unless your ISMS explicitly lists them.
Our VAPT report ships with an ISO 27001 mapping appendix that lists each Annex A control addressed and which finding contributes evidence. Stage 2 auditors recognise the format and accept it without back-and-forth.
For the methodology, see our approach. For the broader compliance topic, see VAPT for RBI-regulated entities if you are also in BFSI.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
Book a 20-minute call
BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.