The ISO 27001 standard includes requirements for conducting regular information security risk assessments and managing identified risks. These requirements are relevant because penetration testing is commonly used as a method of identifying and managing information security risks.
In Annex A of ISO 27001, section A.12.6 (Technical Vulnerability Management) recommends routine evaluation of technical vulnerabilities and their timely remediation. Although penetration testing isn't directly mentioned, it's widely recognized as an effective method for detecting technical vulnerabilities. Hence, organizations adhering to ISO 27001 often incorporate penetration testing into their vulnerability management strategy.
Additionally, Annex A section A.18 (Compliance with Legal and Contractual Requirements) includes controls for ensuring that an organization's ISMS complies with applicable laws, regulations, and contractual obligations. Penetration testing can play a key role in achieving this compliance, particularly when legal or contractual agreements mandate such testing. Ultimately, the decision to conduct penetration testing, and how it is carried out, is largely based on an organization's risk assessment and risk treatment plan, both core elements of the ISO 27001 standard.