Your ISO 27001 certificate is only as strong as the evidence behind it. A manual audit provides the objective proof that your digital and physical controls are effective.
ISO 27001:2022 is the global benchmark for Information Security Management Systems (ISMS). To achieve and maintain certification, your organisation must demonstrate a proactive approach to identifying and treating risks across the entire business. A generic vulnerability scan is rarely enough to satisfy a rigorous external auditor; they look for evidence that your Statement of Applicability (SoA) is backed by real-world, adversarial testing.
At Mongoose, we provide the specialist, CREST-accredited testing required to validate your ISMS and satisfy the most demanding certification bodies.
Full-Spectrum Support for Annex A Controls
Our testing is designed to provide direct evidence for both the technological and physical controls within the ISO 27001 framework:
Management of Technical Vulnerabilities (A.8.8):
We provide the periodic review of your digital vulnerabilities, moving beyond automated alerts to show how a human adversary would actually exploit your systems.
Physical Security Monitoring & Entry Controls (A.7.2 & A.7.4):
Delivered by our former UK Special Forces personnel, we conduct realistic physical audits of your sites. We test the reality of your building access controls and the security of your high-value assets, such as server rooms, providing empirical proof of your physical security posture.
Security Testing in Development (A.8.29):
For firms with in-house development, we perform deep-dive testing of new applications and code, ensuring security is baked into your SDLC.
Independent Review (A.5.35):
ISO 27001 requires that your security approach be reviewed independently. As an external, accredited third party, our findings provide the objective verification your auditor requires.
The Mongoose ISO 27001 Methodology
Risk-Led Scoping
ISO 27001 is a risk-based standard. We align our testing scope with your Risk Register and ISMS Scope. We focus on the digital and physical assets that represent the highest risk to your business continuity and data integrity.
Adversarial Validation (Digital & Physical)
Following a structured testing framework, our specialists attempt to bypass your implemented controls. We look for the logic gaps, misconfigurations, and procedural weaknesses that could allow an unauthorised user to access sensitive information or enter restricted physical zones.
Audit-Ready Reporting
Our reports are structured to be used as primary evidence during your Stage 1 or Stage 2 certification audits. We provide:
- A detailed breakdown of vulnerabilities mapped directly to ISO 27001 controls.
- Clear remediation advice to help you close "Non-Conformities."
- An executive summary for your Management Review meetings to demonstrate your commitment to "Continual Improvement" (Clause 10).
Why Mongoose for ISO 27001?
An ISO auditor needs to know that your tester is competent and independent.
As a CREST-accredited firm, Mongoose provides that assurance. Our dual-discipline approach, combining high-level technical skill with elite physical penetration testing, ensures that your ISMS is validated against the full spectrum of modern threats. We don't just find bugs; we help you prove that your entire management system is functioning as intended.
Is physical testing mandatory for ISO 27001?
How often should we perform testing for ISO 27001?
Does a Nessus scan count as a penetration test for ISO 27001?
Ready to see the gaps others are missing?
Don't wait for a real adversary to find the pathway. Contact our team today to discuss a tailored manual assessment for your organisation.