A.8.8 + A.8.29 directly mapped
VAPT for ISO 27001:2022 — Annex A.8.8, A.8.29 Coverage
ISO 27001:2022 A.8.8 requires timely identification and treatment of technical vulnerabilities. A.8.29 (security testing in development and acceptance) requires security testing of new and changed systems before release. Neither control names penetration testing explicitly, but certification bodies routinely ask for VAPT reports as the operating evidence for both at Stage 2 and surveillance audits.
Bachao.AI's evidence pack is structured for certification bodies: six documents, Annex A mapping, and ISMS risk register entries included.
A.8.8 vulnerability management · A.8.29 security testing in development · Certifier-ready evidence pack
ISO 27001:2022 Annex A.8.8 and A.8.29 control mapping
The 2022 revision of ISO 27001 places vulnerability management and security testing in development as first-class controls under Theme 8 (Technological Controls). Both controls require documented evidence of testing, not just a process statement in your ISMS documentation.
A.8.8 — Management of technical vulnerabilities: requires timely identification of vulnerabilities in information systems, assessment of exposure, and appropriate action (patch, compensating control, or risk acceptance with documented rationale)
A.8.29 — Security testing in development and acceptance: requires security testing of new and changed systems before release. In the 2022 edition this control consolidates the 2013 controls A.14.2.8 (system security testing) and A.14.2.9 (system acceptance testing), so development-change testing evidence must now be presented under a single control
A.8.20 — Network security: perimeter penetration testing provides direct evidence for network boundary control testing
A.8.22 — Segregation of networks: VAPT validates that network segmentation controls operate as designed and cannot be bypassed
A.8.25 — Secure development lifecycle: application VAPT supports the SDL testing gate before production deployment
What the certification body expects as VAPT evidence
ISO 27001 certification bodies (BSI, Bureau Veritas, TÜV, NQA, and accredited Indian bodies) consistently ask for the same evidence set at Stage 2 and surveillance audits. Bachao.AI structures the evidence pack to match these expectations:
Scope document: signed engagement letter defining ISMS boundary, asset categories in scope, methodology (black-box / grey-box / white-box), and testing dates
Executive summary: risk-rated finding count by severity, mapped to Annex A controls — the document the certification body lead auditor reviews first
Technical findings report: per-finding detail with CVSS v3.1 score, evidence, reproduction steps, and remediation guidance — each finding linked to the Annex A control it evidences
ISMS risk register entries: pre-formatted risk entries for each high-severity finding, ready to import into your risk register with likelihood, impact, and treatment decision fields
Remediation tracking matrix: finding-by-finding status with owner, target date, and closure evidence
Retest letter: signed attestation confirming high-risk findings closed before audit — the document the certifier uses as A.8.8 treatment evidence
ISO 27001:2022 vs 2013 — what changed for VAPT requirements
Organizations certified under ISO 27001:2013 must complete transition to the 2022 standard by 31 October 2025. The migration affects VAPT requirements in two significant ways. First, A.8.29 (security testing in development and acceptance) consolidates the 2013 controls A.14.2.8 and A.14.2.9 into one control, and auditors assess it as such: you need evidence of security testing on development changes, not just on production infrastructure. Second, A.8.8 (which merges 2013's A.12.6.1 management of technical vulnerabilities and A.18.2.3 technical compliance review) still requires 'timely' identification, and in practice auditors expect that to be backed by a documented scanning frequency rather than a single annual exercise. If your ISMS documentation still references 2013 Annex A control numbers, Bachao.AI's report includes a dual-mapping table covering both numbering schemes to ease migration.
How VAPT fits the ISMS audit cycle
ISO 27001 certification follows a structured cycle: Stage 1 (document review), Stage 2 (implementation audit), then annual surveillance audits (Year 1, Year 2), and re-certification in Year 3. VAPT evidence is required at Stage 2 and each surveillance audit. The most common gap at surveillance audits is stale VAPT evidence — a report from 18 months ago with unresolved findings. Bachao.AI recommends:
Stage 2 certification: full-scope VAPT completed within 6 months of the audit date, with all high-risk findings remediated or risk-accepted with documented rationale
Surveillance Year 1 + Year 2: annual VAPT showing continuous A.8.8 operation, plus targeted A.8.29 testing records for changes deployed in the period
Between engagements: quarterly automated scans as continuous monitoring evidence — demonstrates the control operates year-round, not just before audits
Re-certification Year 3: full-scope VAPT aligned to the re-certification scope, ideally scoped to cover any new systems added to the ISMS boundary since initial certification
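The cadence above can be checked mechanically before each audit. The following is an added example written for this page, not Bachao.AI's tooling: given the audit type and date, the VAPT reports held, and the dates of automated scans, it returns the evidence gaps an auditor would flag. The thresholds follow the recommendations above (6 months for Stage 2, taken as 183 days; 12 months for surveillance and re-certification); the 92-day tolerance for "quarterly" scans and the sample data are assumptions.

```python
"""Audit-cadence check for VAPT evidence (added example, not Bachao.AI code).

Rules encoded, following the cadence recommended on this page:
  - Stage 2 / re-certification: a full-scope VAPT completed within MAX_AGE_DAYS
    of the audit date; surveillance: any VAPT within 12 months.
  - Every critical/high finding in the latest report must be remediated or
    risk-accepted; only "open" counts as a gap.
  - Automated scans across the 12 months before the audit may be at most
    QUARTERLY_GAP_DAYS apart (assumed tolerance for "quarterly").
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List


@dataclass
class Finding:
    title: str
    severity: str  # "critical", "high", "medium", "low"
    status: str    # "open", "remediated", "risk_accepted"


@dataclass
class VaptReport:
    completed: date
    full_scope: bool
    findings: List[Finding] = field(default_factory=list)


MAX_AGE_DAYS = {"stage2": 183, "surveillance": 365, "recertification": 365}
FULL_SCOPE_REQUIRED = ("stage2", "recertification")
QUARTERLY_GAP_DAYS = 92  # assumption: longest acceptable interval between scans


def unresolved_high(report: VaptReport) -> List[Finding]:
    """Critical/high findings that are neither remediated nor risk-accepted."""
    return [f for f in report.findings
            if f.severity in ("critical", "high") and f.status == "open"]


def evidence_gaps(audit_type: str, audit_date: date,
                  reports: List[VaptReport], scan_dates: List[date]) -> List[str]:
    """Return human-readable gaps; an empty list means the evidence set is current."""
    gaps: List[str] = []
    max_age = MAX_AGE_DAYS[audit_type]
    window_start = audit_date - timedelta(days=max_age)

    # 1. Is there a sufficiently recent VAPT report of the right scope?
    in_window = [r for r in reports if window_start <= r.completed <= audit_date]
    if audit_type in FULL_SCOPE_REQUIRED:
        in_window = [r for r in in_window if r.full_scope]
    if not in_window:
        scope = "full-scope " if audit_type in FULL_SCOPE_REQUIRED else ""
        gaps.append(f"no {scope}VAPT completed within {max_age} days before {audit_date}")

    # 2. Are high-risk findings in the most recent report closed or risk-accepted?
    if reports:
        latest = max(reports, key=lambda r: r.completed)
        for f in unresolved_high(latest):
            gaps.append(f"high-risk finding still open: {f.title}")

    # 3. Do automated scans cover the 12 months before the audit without gaps?
    year_start = audit_date - timedelta(days=365)
    dates = sorted(d for d in scan_dates if year_start <= d <= audit_date)
    checkpoints = [year_start] + dates + [audit_date]
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        span = (later - earlier).days
        if span > QUARTERLY_GAP_DAYS:
            gaps.append(f"scan gap of {span} days between {earlier} and {later}")
    return gaps


if __name__ == "__main__":
    # Constructed sample: a surveillance audit with one stale report.
    audit = date(2025, 3, 15)
    stale = [VaptReport(date(2023, 9, 1), True,
                        [Finding("SQLi in /search", "high", "open")])]
    scans = [date(2024, 6, 1), date(2025, 2, 10)]
    for gap in evidence_gaps("surveillance", audit, stale, scans):
        print("GAP:", gap)
```

Run it before booking the audit; the three gap types it prints (stale report, open high finding, scan interval) correspond to the three most common findings raised against A.8.8 at surveillance.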
Dual-purpose findings for SOC 2 + ISO 27001 + DPDP
For Indian SaaS companies serving US, EU, and Indian buyers, a single VAPT can satisfy three audit requirements simultaneously. Bachao.AI's report includes control mapping columns for SOC 2 Trust Services Criteria (CC7.1, CC8.1), ISO 27001:2022 Annex A controls (A.8.8, A.8.29), and the reasonable security safeguards obligation under Section 8(5) of the DPDP Act 2023. The same technical findings table, risk-rated and evidenced, lands in three different audit binders without re-testing. This eliminates the cost and coordination overhead of separate VAPT engagements for each framework. See /soc2-iso27001-dpdp-compliance for the full bundled prep approach, and /vapt-for-soc2-compliance for the SOC 2-specific evidence framing.
How to get started
Book a 30-minute scoping call at /contact. We will review your ISMS boundary, certification stage (pre-certification, surveillance, or re-certification), recent infrastructure changes requiring A.8.29 testing, and agree on scope and cadence. The free first scan kicks off immediately after scoping and produces the first ISMS risk register entries. Full evidence pack delivered within 14 days. VAPT methodology is documented at /pentesting-guide for technical stakeholders. Incident response coverage for post-VAPT remediation at /incident-response.
Get ISO 27001:2022 VAPT evidence for your certification body
Free first scan produces your first A.8.8 control evidence artifact. Full evidence pack — six certifier-ready documents — delivered within 14 days. Single VAPT covers SOC 2 + ISO 27001 + DPDP with dual-mapping.