What the standard actually says
ISO 27001's requirements are risk-driven, not test-prescriptive. Control A.8.8 (management of technical vulnerabilities) requires obtaining information about technical vulnerabilities in a timely fashion, evaluating exposure, and taking appropriate measures. A.8.29 requires security testing in development and acceptance. A.8.16 requires monitoring for anomalous activity. None of these names penetration testing; all of them require you to choose and justify mechanisms that achieve the outcome.
How that plays out in real audits
An auditor reviews your SoA and risk assessment, then asks how you satisfy A.8.8 in practice. Acceptable answers vary with your risk profile: automated dependency and infrastructure scanning with triage SLAs, cloud provider posture tooling, bug bounty programs, code review gates, and penetration tests. What fails is a vulnerability management control marked implemented with no operating evidence: no scan results, no triage records, no fixed-versus-open trend. For an internet-facing SaaS handling customer data, an auditor will probe hard if no independent technical testing of any kind exists, because your own risk assessment almost certainly identified risks that demand it.
Making testing serve the ISMS (instead of decorating it)
- Scope tests from your risk assessment: test what your own analysis says is exposed and valuable, not just what a vendor's standard package covers.
- Route findings through your corrective process: pen test findings that sit in a PDF are audit findings waiting to happen; findings tracked, prioritized, fixed, and verified are the strongest evidence your ISMS actually works.
- Retest and record: closure evidence matters more to an auditor than the original report's thickness.
- Frequency by risk: annual is the common baseline; after major architectural change is the part organizations forget and auditors remember.
The honest summary
You can be ISO 27001 certified without a penetration test if your risk profile genuinely supports other mechanisms. Most software and data businesses cannot make that case credibly, and should not want to: the test is cheaper than the incident, and the certificate plus a clean recent pen test is the strongest one-two answer in any vendor security review.