We have a customer that requires that a quarterly Penetration test.
We believe this requirement is related to Operation of information technology in the dropdown.
So far so good, however we believe it also is related to ISO27001 control 18.2.3 Technical compliance review, however there is no corresponding option in the dropdown to choose a Compliance type of category for this requirement.
Is this an omission? Or, to what dropdown item should we map this requirement so that it shows up in the appropriate area of the SoA?