Expert Advice Community


Technological vulnerabilities

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

AntonioS Jan 13, 2016

If some bank is implementing 27001 & 22301, does VAPT need to be done mandatorily?
 

Answer:

In accordance with control A.12.6.1 Management of technical vulnerabilities of Annex A of ISO 27001:2013, you need to manage technical vulnerabilities, but the standard does not establish that you need to perform a complete VAPT (Vulnerability, Assessment, Penetration and Testing), so a scan of technological vulnerabilities and a plan to treat them can be enough. From my point of view, though, it can be a best practice to perform a complete VAPT.
Anyway, keep in mind that the controls of Annex A must be implemented only if, after the risk assessment, you identify that you need controls to decrease the risks identified (although there are some exceptions because there is a list of mandatory documents).
By the way, this control is not present in ISO 22301, so you do not need to implement this control in ISO 22301, but from my point of view it can also be a best practice.
If you are interested in the mandatory (and non-mandatory) documents of ISO 27001:2013, you can see this article “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Related to ISO 22301, you can also see this article “Mandatory documents required by ISO 22301”: https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Finally, this free webinar may also be interesting for you: “ISO 27001: An overview of ISMS implementation process”: https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
