As part of the risk management process in ISO 27001, penetration tests can be used to validate that the implemented security controls work as designed.
Specifically, Annex A control A.12.6.1 states that information about technical vulnerabilities “shall be obtained in a timely fashion” and that the associated risk must be addressed through remediation.
Penetration tests provide the visibility demanded by the standard.
SOC 2 Compliance
SOC 2 has two specific requirements that mention penetration testing and vulnerability management for auditors to review:
1. CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing; independent certifications made against established specifications (for example, ISO certifications); and internal audit assessments.
2. CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
While subject to auditor interpretation, penetration tests are generally considered the best and most cost-effective way to help meet these mandates.
Payment Card Industry Data Security Standard (PCI DSS)
Requirement 11 of PCI DSS 3.2.1 specifically mandates the performance of regular penetration testing.
This requirement applies to merchants that must undergo a formal audit or complete SAQ C or SAQ D. It also applies to all Service Providers.
Organizations that fall within the scope of PCI DSS must perform internal and external penetration testing at least annually, or after any significant changes to infrastructure.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA does not require a penetration test or a vulnerability scan. However, it does require a risk analysis which, effectively, requires covered entities to test their security controls.
HIPAA Evaluation Standard § 164.308(a)(8) specifically speaks to the safety, privacy, and electronic exchange of medical information.
Its penetration testing requirements allow technical and non-technical evaluations of security through “white hat” hacking when deemed reasonable and appropriate.
Data Privacy Compliance
The most widely discussed data privacy laws include the EU and UK GDPR (General Data Protection Regulation) and Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD).
Article 32 GDPR states that companies must regularly test, assess, and evaluate the effectiveness of technical and organizational measures that ensure the security of data.
Similarly, Article 47 LGPD requires companies to guarantee the security of personal data.
Penetration testing allows organizations that are subject to such privacy laws to identify pathways that could permit data compromises, so they can be remediated.