Audit & evidence

Penetration tests as audit evidence: what auditors accept — and reject

Penetration tests are requested by customers, DORA supply-chain partners and certification bodies. A PDF report alone is not enough: auditors want the scope, the findings, the corrective action plan (CAP) and the re-test.

What auditors accept

  • scope and rules of engagement aligned with ISMS scope;
  • findings linked to risks or Annex A controls;
  • corrective actions with owner, deadline and verification;
  • re-test or accepted residual risk via management review.

Common mistakes

  • the same generic test every year, with no delta against the previous one;
  • critical findings carried as accepted risk without a board decision;
  • a pentest run outside the change and patch process, so findings get no ticket follow-up.

Place pentest in your control plan and audit evidence hub.

In 2026 DORA customers and certification bodies ask for pentest scope covering critical services and APIs — not only external perimeter. Document scope alignment with customer or auditor before the test starts.

Critical and high findings must trace either to closed tickets or to an explicitly accepted risk recorded in management review. Expect sampling: the auditor picks one finding and follows the chain from report to ticket to verification.

Plan a re-test or compensating controls when fixes cannot land on time. Residual risk without a board decision is a common source of major non-conformities at surveillance audits.

Pen test as part of the ISMS

Schedule pen tests in the same rhythm as internal audit and risk review — not ad hoc when a customer asks. Record in the control plan which scope must be covered (external, application, API) and how findings are prioritised.

Use CVSS or an internal severity scale consistently: auditors want critical findings resolved within agreed timelines or formally accepted. Ticket screenshots with closure dates beat summary slides.

Discuss pen test results in management review, not only IT meetings. Leadership must explain residual risk — especially when re-test falls outside the audit window.

Keep rules of engagement and scope alignment with customer or auditor. Under DORA and enterprise contracts, desired scope may differ from your standard test; record those differences before testing starts.

Ask pen testers to tag findings with Annex A references where possible — that speeds CAP linking and surveillance. Also keep what was out of scope and why; auditors check whether scope matches risks and contracts.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
