ISO 27001 Reports
Generate auditor-ready ISO 27001 compliance reports mapped to Annex A
Why ISO 27001 Matters
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It is often required for:
- International enterprise sales - The standard most commonly requested by EU, UK, and APAC buyers
- Supply-chain assurance - Vendors in regulated sectors (finance, healthcare, government) are expected to certify
- Global regulatory alignment - Recognized as evidence of due diligence under GDPR, NIS2, DORA, and similar regimes
- Competitive advantage - A certification customers recognize across jurisdictions where SOC 2 is less familiar
Penetration Testing in ISO 27001
ISO 27001:2022 Annex A contains 93 controls across four themes. A pentest produces defensible evidence for the following primary controls:
A.8.8 - Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
A.8.29 - Security Testing in Development and Acceptance
Security testing processes shall be defined and implemented in the development life cycle.
A.5.35 - Independent Review of Information Security
The organization's approach to managing information security and its implementation shall be reviewed independently at planned intervals, or when significant changes occur.
Additional secondary controls are evidenced where findings are directly relevant: A.5.23 (Cloud Services), A.8.2 (Privileged Access Rights), A.8.9 (Configuration Management), and A.8.28 (Secure Coding).
ModernPentest's automated testing, delivered continuously by autonomous AI agents outside your engineering team, satisfies the independence requirement of A.5.35.
Generating an ISO 27001 Report
- Navigate to Reports in the dashboard
- Click Generate Compliance Report
- Select the ISO 27001 framework
- Choose the date range (typically your audit period or the preceding 12 months)
- Select the applications to include (or leave "All Applications" for organization-wide coverage)
- Click Generate

Reports typically generate within 2-3 minutes. You'll receive an email notification when ready.
Understanding Your ISO 27001 Report
Your report is structured into seven sections that mirror the SOC 2 report layout, so operators who run both frameworks work from one mental model. The only section that swaps framework-specific content is the Control Assessment.
Executive Summary
High-level view of your ISO 27001 readiness:

- Compliance Status Badge - Overall PASS, FAIL, or CONDITIONAL_PASS
- Key Metrics Cards - Total pentests, applications tested, and findings count
- Severity Distribution Chart - Critical / High / Medium / Low breakdown
- OWASP Categories Chart - Vulnerability categories mapped to Annex A coverage
- Compliance Statement - Narrative tying findings to your ISMS posture
Testing Methodology
Documents how the testing was performed:

- Security Frameworks - Standards followed (ISO/IEC 27002:2022, NIST SP 800-115, OWASP Testing Guide)
- Security Tools - Tools used (nmap, nuclei, sqlmap, custom AI agents, etc.)
- Coverage Gauges - OWASP Top 10 and OWASP API Security Top 10 coverage
- Testing Phases - Reconnaissance, Scanning, Exploitation, Validation
- Testing Schedule - Applications with their testing frequency
- Severity Classification - Criteria for Critical, High, Medium, Low
- Validation Process - Automated + manual verification, false positive rate
- Limitations - Scope boundaries
Scope Definition
Defines what was tested:

- Testing Period - Start and end dates
- Applications Grid - Name, environment, attack surfaces, pentests performed, vuln counts by severity
- Out of Scope Items - Systems excluded from the pentest (still managed under your ISMS via other controls)
- Scope Statement - Narrative boundary
Security Findings
Detailed findings with Annex A mapping:

- Severity Summary Cards - Counts per severity
- Findings Data Grid - Title, OWASP category, CWE ID, and the Annex A controls the finding is evidence against
- Each row expands to show evidence summary, business impact, proof of concept, and remediation guidance
- Control References - Every finding is crosswalked to one or more Annex A controls (A.8.8 / A.8.28 / A.8.9, etc.)
Remediation Tracking
Your team's progress on fixing findings:

- Key Metrics - Average time to fix and remediation rate
- Status Distribution Chart - Open / In Remediation / Remediated / Fixed / Risk Accepted
- Progress Bar - Multi-colored bar showing remediation progress
- Commentary - Narrative about your remediation commitment
Evidence Package
The audit evidence auditors look for:

- Testing Frequency - Cadence of pentests during the period
- Total Pentests - Number completed during the audit period
- False Positive Rate - Accuracy metric
- API Coverage (if applicable) - Endpoints tested vs. total
- Recent Pentest Activity - Table of recent scans with status, duration, results
- Audit Trail - Complete activity logs retained and available on request
ISO 27001 Readiness Assessment
The framework-specific section of the report.

Readiness Score
Your overall readiness is displayed as a percentage (0-100%) with a status level:
| Status | Meaning |
|---|---|
| Ready | You meet the requirements for ISO 27001 pentest evidence |
| At Risk | Some issues need attention before certification |
| Not Ready | Significant gaps must be addressed |
| Establishing Baseline | Initial testing in progress, insufficient data |
Score Breakdown (100 Points)
Readiness is calculated from the same four components as the SOC 2 report, so they are directly comparable:
| Component | Points | What It Measures |
|---|---|---|
| Critical SLA Score | 35 | Remediation of critical vulnerabilities within SLA timeline |
| High SLA Score | 25 | Remediation of high vulnerabilities within SLA timeline |
| Testing Frequency Score | 30 | Regular, consistent scanning cadence (evidences A.8.29) |
| Scan Coverage Score | 15 | All applications scanned within 90 days (evidences A.8.8) |
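As an added illustration (not ModernPentest's own scoring code), the Python below computes the four components and the total readiness score from constructed scan and finding data. The point weights are the ones in the table above; the SLA windows (7 and 30 days), the 30-day cadence windows used for the frequency score and the Ready / At Risk thresholds (80 / 60 points) are assumptions, since the page does not state them.

```python
from datetime import date, timedelta

# Point weights come from the report's Score Breakdown table. The SLA windows and the
# Ready / At Risk thresholds are not stated on the page and are assumed values here.
WEIGHTS = {"critical": 35, "high": 25, "frequency": 30, "coverage": 15}
SLA_DAYS = {"critical": 7, "high": 30}      # assumed remediation SLAs, in days
READY_AT, AT_RISK_AT = 80, 60               # assumed status thresholds, in points

def sla_score(findings, severity, as_of):
    """Weight scaled by the share of (severity, found, fixed_or_None) findings that met SLA."""
    relevant = [f for f in findings if f[0] == severity]
    if not relevant:                         # nothing due, nothing breached
        return float(WEIGHTS[severity])
    breached = sum(1 for _, found, fixed in relevant
                   if ((fixed or as_of) - found).days > SLA_DAYS[severity])
    return WEIGHTS[severity] * (1 - breached / len(relevant))

def frequency_score(apps, as_of, period_days=90, window_days=30):
    """Share of 30-day windows with at least one scan, averaged over applications."""
    start = as_of - timedelta(days=period_days)
    windows = period_days // window_days
    hit = [len({(d - start).days // window_days for d in dates if start <= d < as_of})
           for dates in apps.values()]
    return WEIGHTS["frequency"] * sum(hit) / (windows * len(apps))

def coverage_score(apps, as_of, max_age_days=90):
    """Share of applications with a scan in the last 90 days (the A.8.8 coverage check)."""
    fresh = sum(1 for dates in apps.values()
                if dates and (as_of - max(dates)).days <= max_age_days)
    return WEIGHTS["coverage"] * fresh / len(apps)

def readiness(findings, apps, as_of):
    """Return (score out of 100, status level) as the report displays them."""
    if not any(apps.values()):
        return 0.0, "Establishing Baseline"   # no scan data yet
    score = (sla_score(findings, "critical", as_of) + sla_score(findings, "high", as_of)
             + frequency_score(apps, as_of) + coverage_score(apps, as_of))
    status = "Ready" if score >= READY_AT else "At Risk" if score >= AT_RISK_AT else "Not Ready"
    return round(score, 1), status

# Constructed sample: one critical fixed after its SLA, one high still open but inside
# its SLA window, and an "api" application whose last scan is older than 90 days.
AS_OF = date(2026, 4, 1)
FINDINGS = [("critical", date(2026, 3, 1), date(2026, 3, 5)),
            ("critical", date(2026, 3, 10), date(2026, 3, 25)),
            ("high", date(2026, 2, 1), date(2026, 2, 20)),
            ("high", date(2026, 3, 20), None)]
APPS = {"web": [date(2026, 1, 5), date(2026, 2, 3), date(2026, 3, 4), date(2026, 3, 31)],
        "api": [date(2025, 12, 20)]}   # readiness(FINDINGS, APPS, AS_OF) -> (65.0, 'At Risk')
```

The stale "api" application costs points twice, once in the frequency score and once in the coverage score, which is why a single unscanned application can move a report from Ready to At Risk.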
Compliance Blockers
Critical issues that would prevent certification are highlighted here. Address them and re-run your pentests.
Annex A Control Coverage Matrix
A table of every pentest-relevant Annex A control showing:
- Control ID and Title (e.g. A.8.8 — Management of Technical Vulnerabilities)
- Theme - Organizational, People, Physical, or Technological
- Status - COVERED, PARTIALLY_COVERED, or NOT_COVERED
- Statement - Plain-language summary of how your testing evidences the control
- Evidence - Bulleted proof points tied to scans or findings during the period
- Primary indicator - Whether the control is a primary (A.8.8 / A.8.29 / A.5.35) or secondary control for pentest evidence
Controls included in the matrix:
| ID | Title | Theme | Primary |
|---|---|---|---|
| A.8.8 | Management of Technical Vulnerabilities | Technological | Yes |
| A.8.29 | Security Testing in Development and Acceptance | Technological | Yes |
| A.5.35 | Independent Review of Information Security | Organizational | Yes |
| A.5.23 | Information Security for Use of Cloud Services | Organizational | No |
| A.8.2 | Privileged Access Rights | Technological | No |
| A.8.9 | Configuration Management | Technological | No |
| A.8.28 | Secure Coding | Technological | No |
Process, governance, and documentation controls (SDLC definition, change management, incident response procedures) are intentionally excluded from the matrix because a pentest finding cannot evidence a documented process. Those controls live in your ISMS policy set, not in this report.
Independence Attestation
A narrative confirming that testing was performed by ModernPentest's autonomous AI agents operating independently of the organization's development and operations teams — the evidence your auditor needs for A.5.35.
Statement of Applicability (SoA) Alignment
Guidance on how to reference this report in your SoA: which controls are attested, which are partially covered, and which need supplementary evidence from outside the pentest.
Reading Your Report
Quick reference for interpreting report data:
Severity Levels
| Severity | Color | Meaning |
|---|---|---|
| Critical | Red | Immediate exploitation risk, requires urgent action |
| High | Orange | Significant risk, address within days |
| Medium | Amber | Moderate risk, address within weeks |
| Low | Lime/Green | Minor risk, address as time permits |
Compliance Status
| Status | Meaning |
|---|---|
| PASS | Pentest evidence supports ISO 27001 certification |
| CONDITIONAL_PASS | Meets requirements with noted exceptions |
| FAIL | Material gaps, action needed before the audit |
Annex A Control Coverage
| Status | Meaning |
|---|---|
| COVERED | Sufficient pentest evidence for this control during the period |
| PARTIALLY_COVERED | Some evidence, but coverage or cadence needs improvement |
| NOT_COVERED | No pentest evidence — satisfy via another control or rerun scans |
Remediation Status
| Status | Meaning |
|---|---|
| Open | Vulnerability identified, not yet addressed |
| In Progress | Actively being remediated |
| Remediated | Fix applied, awaiting verification |
| Fixed | Verified resolved |
| Risk Accepted | Acknowledged and accepted by stakeholder |
Sharing Your Report
Share Link
Click Share in the report header to copy a shareable URL. Send it to your certification body, internal auditors, or the team maintaining your ISMS.
PDF Download
Click Download PDF to generate a professional PDF document suitable for attaching to your SoA or audit package. Available once the report status is "completed."
Auditor FAQ
"Does automated pentesting satisfy A.8.29?"
Yes. ISO 27001:2022 does not mandate manual penetration testing. A.8.29 requires that security testing processes are defined and implemented; continuous automated testing with documented methodology meets that bar and typically exceeds the coverage of annual manual tests.
"How do you evidence A.5.35 (independent review)?"
ModernPentest's AI agents operate outside your organization's control boundary. Every report includes an Independence Attestation section that your auditor can attach directly to the control evidence. For additional assurance, many customers also engage an annual manual assessment — the two are complementary.
"Do you cover all 93 Annex A controls?"
No, and intentionally so. The report only attests to controls where a pentest can produce defensible evidence (7 controls). Process controls (SDLC, change management, incident response) require documented evidence your ISMS platform maintains; platforms like Vanta, Drata, or Secureframe fill that role. ModernPentest is the pentest evidence layer underneath.
"How does this compare to SOC 2?"
The readiness score, testing methodology, findings, remediation tracking, and evidence package are identical. Only the Control Assessment section differs:
- SOC 2: Trust Services Criteria CC4.1 (Monitoring Activities) and CC7.1 (Vulnerability Management)
- ISO 27001: Annex A control matrix (A.8.8, A.8.29, A.5.35 + secondary controls)
Organizations pursuing both certifications generate one report per framework from the same underlying scan data.
"What vulnerabilities do you test for?"
Full OWASP Top 10 (2021) and OWASP API Top 10 (2023), plus:
- Platform-specific checks (Supabase, Firebase, Vercel, Convex)
- Business logic flaws
- Authentication and authorization flaws
- Configuration and hardening issues
Best Practices for ISO 27001 Audits
- Schedule tests to cover the full audit period - Weekly or monthly cadence is well-suited to A.8.29 evidence
- Attach reports to your SoA - Reference the control matrix directly in your Statement of Applicability
- Address findings before recertification - Auditors weigh remediation timelines heavily under A.8.8
- Document any risk acceptances - Explicit risk acceptance records are required under A.5.4 even when controls are implemented
- Run reports 30 days before the audit - Gives time to address new findings and regenerate evidence
Auditor Support
Need help mapping ModernPentest evidence into your ISMS?
- Report Review - We can walk your auditor through the methodology and control mapping
- Custom Mapping - Adjust the control matrix for organization-specific SoA decisions
- Evidence Packages - Additional documentation on request (methodology, independence attestation, scan logs)
Contact support@modernpentest.com for assistance.
Next Steps
- Generate a SOC 2 report in parallel if you're pursuing dual certification
- Set up continuous monitoring to maintain A.8.8 and A.8.29 evidence between audits
- Configure integrations to plug findings into your remediation workflow
- Learn about our testing methodology
Last updated: April 28, 2026