Compliance
Penetration testing for the audits that matter.
Most pentests are commissioned to satisfy a specific framework - an upcoming audit, a procurement requirement, a regulator expectation. Pentiq tags findings against the framework you're testing for, with engagements scoped to your control boundary, not a fixed checklist.
What we do (and what we don't)
Pentiq is a testing firm - not a certification body.
We deliver the manual penetration testing, configuration reviews, and technical evidence that support your compliance programme. We don't issue ISO 27001 certificates, sign off SOC 2 attestations, or perform QSA assessments - those activities are deliberately separate, and the firms that do them prefer the independence.
For Cyber Essentials and Cyber Essentials Plus, Pentiq partners with CyberSmart (an IASME-appointed Certification Body) so you can run the pre-assessment pentest and the certification through one engagement - the pentest is delivered by Pentiq; the certificate is issued by CyberSmart. For every other framework, our role is testing and evidence preparation that the right certification body, auditor, or QSA can then review.
Frameworks we test against
Pick the framework driving your audit.
Each page covers what the framework expects from a penetration test, how that maps to Pentiq services, what an engagement looks like, and a tailored scoping wizard.
Cyber Essentials Plus
Manual, tester-led testing aligned to the Cyber Essentials technical controls (the scheme is administered by IASME) - sized for your scope, delivered through our portal, and designed to support your assessor's review.
See Cyber Essentials Plus testing ->
ISO 27001
Manual, tester-led testing mapped to Annex A.8.29 and your Statement of Applicability - evidence designed to support your auditor and feed your ISMS.
See ISO 27001 testing ->
SOC 2
Testing scoped to your Trust Services Criteria - evidence designed to support your SOC 2 auditor's review, delivered by a UK-based, in-house team.
See SOC 2 testing ->
PCI DSS
Requirement 11.4 testing of your cardholder data environment - application, network, and segmentation testing, performed at the cadence the standard requires (at least annually and after significant changes) and delivered to QSA-acceptable standards.
See PCI DSS testing ->
DORA
ICT risk testing aligned to the Digital Operational Resilience Act - for UK and EU financial entities, their ICT third-party providers, and the systems they depend on.
See DORA testing ->
NIS2
Cybersecurity testing aligned to the NIS2 Directive - for essential and important entities across the EU and their UK service providers.
See NIS2 testing ->
Multiple frameworks?
One pentest, with each finding tagged against every framework you're audited against.
Most clients run ISO 27001 and SOC 2 from the same test programme, or layer DORA / NIS2 obligations on top of an existing baseline. Tell us which audits you answer to and we'll plan the testing once.
