Pentest ISO 27001:2022 — Controls A.8.8 and A.8.29

Pentest aligned with ISO/IEC 27001:2022 with direct mapping to A.8.8 (Management of technical vulnerabilities) and A.8.29 (Security testing in development and acceptance).

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

BSI, BV, DNV and TÜV auditors open Annex A and ask: "How do you demonstrate A.8.8 and A.8.29?" Answering with a Nessus screenshot fails. A manual pentest with an exploitation chain, reproducible PoC and retest evidence is the deliverable that passes annual recertification without a finding.

Standard and reference

  • ISO/IEC 27001:2022
  • ISO/IEC 27002:2022
  • ISO/IEC 27005:2022
  • ISO/IEC 27701:2019 (privacy)

/attack-surface

ISO 27001:2022

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01 · A.8.8 — Technical vulnerability management

Asset inventory, patch validation, retest, remediation evidence with time window.

02 · A.8.29 — Security testing

Testing in development, staging (homologation) and production environments, with documented acceptance criteria.

03 · A.8.25-28 — Secure SDLC

Code review validation, segregated environments, change control.

04 · A.5.7 — Threat intelligence

Cyber threat intelligence (CTI) used as pentest input, with intel mapped to your sector.

05 · A.8.16 — Monitoring

Validation of logging and SIEM coverage during the exercise, with detection opportunities documented.

06 · A.8.20-23 — Network and cloud

Segregation, flow control, web filtering, hardening, cloud access management.

07 · Auditor-ready evidence

Technical report structured by Annex A control, with reverse mapping from each finding to the requirement it affects.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual, performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Companies in certification cycles with BSI, BV, DNV and TÜV. Annual recertification accepted without technical findings on A.8.8/A.8.29.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background checks, psychometric profiling and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — ISO 27001:2022

Is pentest mandatory for ISO 27001:2022?

Not literally, but control A.8.8 requires technical vulnerability management and A.8.29 requires security testing. Without a serious manual pentest, it is virtually impossible to demonstrate those controls in an audit.

Does it work for initial cert and recert?

Yes. For initial certification we deliver the report plus a treatment plan. For annual recertification, we retest previous findings and test new vectors covering changes made during the last cycle.

Do BSI/BV/DNV auditors accept the report?

Yes. The report template is structured by Annex A controls, with reproducible PoC and reverse mapping to requirements. It has already been accepted in recertifications across multiple clients.

ISO 27701 too?

Yes. ISO 27701 (privacy extension) reuses most of the scope with additional LGPD/GDPR focus. We cover both in the same engagement for dual-certified companies.

/contact

Validate ISO 27001:2022

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.