Guide to Penetration Testing for Compliance and Audits

Author: Alexandre Côté, Vumetric Cybersecurity

Penetration testing, also known as ethical hacking or pentesting, plays an important role in the compliance process for several standards, including SOC 2, PCI DSS, and ISO 27001. The National Institute of Standards and Technology (NIST) defines penetration testing as “a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries.” For compliance purposes, a penetration test provides independent validation of an organization’s security posture and, once findings are remediated and retested, evidence that the vulnerabilities that previously exposed the organization to attackers have actually been fixed.

The standards presented in this article were designed to hold organizations accountable for managing their cybersecurity risks. They require companies to perform due diligence on the security of their IT systems, and in many industries they are a condition for doing business with partners and customers. For this reason, each of these frameworks contains specific requirements or guidance concerning penetration testing.

Our friends and penetration testing experts at Vumetric Cybersecurity share their guidance on what is actually needed to meet the pentesting requirements of the most common security standards:

Penetration Testing for SOC 2 Compliance

SOC 2 was developed by the American Institute of CPAs (AICPA) to provide assurance over how service organizations protect customer data. It is among the most frequently requested attestations in commercial contracts, especially for SaaS providers selling to large clients. Two SOC 2 criteria reference penetration testing and vulnerability management. While both are subject to the auditor’s interpretation, a penetration test is generally considered the most common and cost-effective way to address them.

What are the SOC 2 penetration testing requirements? 

CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments. 

CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. 

“Penetration testing […] will not only help you secure commercial partnerships that require compliance to SOC 2, but it will also go a long way to protect your company.”

The SOC 2 penetration testing requirements are not as explicit as those of other standards and can be interpreted in various ways. That said, the two criteria above directly reference penetration testing or comparable techniques for identifying vulnerabilities in the company’s systems, which is why most auditors expect to see a penetration test as evidence during a SOC 2 audit. A penetration test report, together with evidence that the findings were remediated, satisfies both criteria in a way an auditor can verify.

Penetration Testing for PCI Compliance 

PCI DSS was initially created by Visa, Mastercard, American Express, and other card brands in a collaborative effort to prevent payment card fraud. When it comes to PCI DSS compliance, penetration testing is paramount: it is written directly into the standard as the most reliable way to assess whether card processing systems are properly secured.

Penetration testing is so central to PCI DSS compliance that the PCI Security Standards Council itself publishes a detailed information supplement, the Penetration Testing Guidance, to help organizations with the PCI DSS pentesting process. It draws a clear distinction between penetration testing and vulnerability assessment, and it specifies the components that must be targeted, such as internal networks, external networks, and applications. Of all the standards covered here, PCI DSS has the strictest and most detailed guidance on pentesting.

“To remain PCI DSS compliant, organizations must implement a penetration testing program encompassing at least an annual penetration test for both applications and infrastructure.”

What Are the PCI DSS Penetration Testing Requirements?

6.1 Establish a process to identify security vulnerabilities in your systems and applications, using reputable outside sources for security vulnerability information, and assign a risk ranking (e.g., ‘high,’ ‘medium,’ or ‘low’) to newly discovered vulnerabilities.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Critical security patches must be installed within one month of release.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks, either by reviewing them with manual or automated application vulnerability assessment tools or methods at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web application firewall) in front of them.

11.3.1 Perform external penetration tests at least annually and after any significant infrastructure or application upgrade or modification (for example, an operating system upgrade, or a subnet or web server added to the environment).

11.3.2 Perform internal penetration tests at least annually and after any significant infrastructure or application upgrade or modification (for example, an operating system upgrade, or a subnet or web server added to the environment).

11.3.3 Exploitable vulnerabilities found during penetration testing must be corrected, and testing repeated to verify the corrections.

11.3.4 If segmentation is used to isolate the cardholder data environment (CDE) from other networks, perform penetration tests at least annually and after any change to the segmentation controls or methods, to verify that segmentation is operational and effective and that all out-of-scope systems are isolated from systems in the CDE. (Service providers must additionally test segmentation controls at least every six months, per 11.3.4.1.)

In other words, to maintain PCI DSS compliance, organizations must implement a thorough penetration testing program that includes at least an annual penetration test of both applications and infrastructure, along with a vulnerability management program to ensure that identified vulnerabilities are properly fixed and retested. Every system involved in card processing must be tested to identify the ways an attacker could compromise payment systems, whether that is a web application and the external network it relies on, API integrations, or the internal networks over which cardholder data transits. Note that the requirement numbers above are those of PCI DSS v3.2.1; PCI DSS v4.0 carries the same obligations under requirement 11.4, so check which version your assessor is validating against.

Penetration Testing for ISO 27001 Compliance

The ISO 27001 standard sets out a very specific course of action for organizations to secure their information assets, with a catalogue of 114 Annex A controls in the 2013 edition (the 2022 revision consolidates these into 93 controls). Along with SOC 2, it is one of the most frequently requested standards in a business partnership context.

As part of the ISO 27001 risk management process, penetration tests validate that the implemented security controls work as designed. Furthermore, repeating the test at each renewal of your ISO 27001 certification lets your organization keep up with the threats and vulnerabilities that have emerged since the previous assessment.

What Are the ISO 27001 Penetration Testing Requirements?

A.12.6.1 – Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. (This is the ISO/IEC 27001:2013 numbering; the equivalent control in the 2022 edition is A.8.8, Management of technical vulnerabilities.)

Although other assessment techniques can arguably be used to satisfy this ISO 27001 control, penetration testing leaves little room for interpretation: it both identifies the vulnerabilities and delivers concrete remediation measures for the associated risks, so the control is fully addressed. Other approaches, such as a vulnerability assessment, only partially satisfy A.12.6.1, since they are limited to gathering information about technical vulnerabilities and do not evaluate real exposure or provide the measures needed to address the associated risks, which makes the compliance process less efficient and straightforward.

Finally, penetration tests, unlike purely automated techniques, keep you current with the latest attack methods and give you a reliable perspective on your cybersecurity risks. With that in mind, you not only become compliant but also make the whole process worthwhile, because your systems will actually have been hardened against attackers.

Penetration Testing for GDPR Compliance

The GDPR (General Data Protection Regulation) is a European Union (EU) regulation that protects the personal data of individuals in the EU from unauthorized use and gives them greater control over how their data is processed. Penetration testing is directly relevant to GDPR compliance, as it allows organizations that process the personal data of people in the EU to verify the security of their data processing systems against the regulation’s requirements.

By performing a penetration test of the systems that process this personal data, organizations identify the ways in which that data could be compromised and receive practical recommendations to address them proactively, helping them meet the GDPR security requirements.

What Are the GDPR Penetration Testing Requirements?

Article 32(1)(d) – Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

To conclude, while the GDPR requirement relevant to penetration testing represents only a very small portion of the regulation, meeting it helps organizations demonstrate GDPR compliance, prevent potential cybersecurity incidents and ultimately avoid administrative fines for infringements, which can reach up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.

Moreover, according to the Information Commissioner’s Office, the regulator that enforces the GDPR in the UK, organizations should “Run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities—make sure you address any vulnerabilities identified” as part of meeting their GDPR security obligations.

To Wrap Things Up

Penetration testing plays an essential role in meeting the requirements of the various compliance standards above, as it is one of the most efficient and straightforward types of cybersecurity assessment an organization can use to identify its cyber risks and mitigate them.

Additionally, the recommendations it provides help secure mission-critical assets and, in turn, prevent financial losses and fines for non-compliance. Ultimately, penetration testing serves multiple roles in a company’s risk assessment strategy, and its return on investment is worth considering: it will not only help you secure commercial partnerships that require compliance with a specific framework, but it will also go a long way toward protecting your company.

About Vumetric

Vumetric is an ISO 9001-certified global provider of penetration testing services. With more than 25 years of experience fully specialized in penetration testing, Vumetric ranks among the most trusted providers in the industry. Its clients include startups, mid-size and large businesses in various industries, such as technology, manufacturing, telecom, energy, finance, and insurance. https://www.vumetric.com