Penetration Testing for Compliance
Over the past few years there’s been an explosion in demand for penetration testing services. What was once seen a service only needed by larger enterprises is now more affordable than ever and used by SMEs and startups. This increase in adoption is partly down to pen testing being an all-round useful cyber control, but it’s also driven by compliance.
Many compliance standards recommend or require penetration testing, and pen testing is an essentials part of PCI DSS, ISO 27001, Cyber Essentials, SOC 2 and FTC to name but a few. Some are less explicit, not calling out penetration tests by name, but word their requirements so that they can only really be met with a pen test.
Businesses can use a pen test to meet compliance requirements in three ways:
- 1Pen tests can help your organisation identify and address security vulnerabilities that could otherwise put them out of compliance.
- 2Pen testing can demonstrate to auditors that your business is taking steps to protect its data and systems.
- 3The formal, structured nature of pen testing helps you document your security efforts and compliance to associated controls.
But first - what is penetration testing?
Before we look at the top compliance standards that need penetration testing, let’s quickly cover what it is. A penetration test is a simulated, ethical cyber attack that aims to uncover and identify security vulnerabilities in your network, systems and applications. Occasionally there’s some confusion about the difference between penetration testing and vulnerability scanning, so I made this quick video to demystify the two terms:
Tips on penetration testing for compliance
When the driver for a penetration test comes from a compliance need, there are a few things businesses need to bear in mind:
- 1The scope of the pen test should be aligned with the compliance requirement driving it. Otherwise, you could find your pen test doesn’t cover things that the compliance standard is expecting, drastically reducing the pen test’s value – not to mention jeopardising your compliance.
- 2The pen test testing should only ever be conducted by a qualified penetration testing company. For example, Bulletproof is CREST certified and our pen testers hold individual security certifications. Do your due diligence on the company to make sure they’re a reputable pen test provider.
- 3The results of pen test testing should be documented and reviewed by relevant teams within your business. Your technical teams will want to look at the details of the vulnerabilities, sure, but management will want executive summaries of the findings.
- 4It’s my experience that compliance efforts are often done in a rush. It’s not ideal and it’s not recommended, but as is often the case in day-to-day business, it’s just how things pan out. This makes things like including remediation advice with pen test findings extra valuable, as they can help speed up the time it takes to fix things. And your compliance standard is obviously going to want the vulnerabilities fixed before you get the stamp.
Find your vulnerabilities with a Bulletproof penetration test
Uncover & prioritise your security weaknesses with a pen test. Remediation advice is included with each finding to help speed up your remediation efforts.Learn more
The Payment Card Industry Data Security Standard (PCI DSS) is a set of stringent security requirements for businesses that store, process, or transmit credit card data. If your business handles credit card data, PCI DSS compliance is not optional, it’s a hard requirement. PCI DSS Penetration testing is mandated by Requirement 11.3 of the PCI DSS standard.
PCI DSS penetration testing should focus on the following areas
- Perimeter security, such as firewalls, routers, and intrusion detection systems
- Web applications and payment processing systems
- Payment card data storage, such as databases and file systems
- Penetration testing must be conducted at least annually, and on significant changes to infrastructure
- For PCI DSS Service Providers, network segmentation must be tested twice a year
Types of tests needed for PCI DSS penetration testing
- External authenticated application pen testing
- External unauthenticated infrastructure pen testing
- Internal unauthenticated or authenticated infrastructure testing
- Network segmentation pen testing
ISO 27001 is an international standard for information security management. It provides a framework for businesses to identify, assess, and manage your information security risks. Penetration testing is required according to section A.12.6.1 – management of technical vulnerabilities. In fact, section 13 of Annex A is devoted entirely to penetration testing. Other clauses that require pen testing are 6.1.4 “assess the risks to information security” and 8.2.4 “implement technical measures to mitigate risks to information”. If you’re going to do these in any meaningful way, you need a penetration test.
ISO 27001 penetration testing should focus on the following areas
- Access control, such as user authentication and authorisation
- Data encryption, such as the encryption of sensitive data at rest and in transit
- The testing should be conducted appropriate to the risks that ISO 27001 has identified, meaning you might need a mix of black box testing, white box testing, and grey box testing
- The results of the testing should be documented and reviewed by your management team
Types of tests needed for ISO 27001 penetration testing
- External unauthenticated & authenticated application testing
- External unauthenticated & authenticated infrastructure testing
- Internal unauthenticated & authenticated infrastructure testing
- Configuration reviews
Cyber Essentials is a UK Government-backed security standard that sets a great foundational level of cyber security. It covers 5 areas of security and is widely accepted as the universal ‘minimum requirement’ for every company, regardless of size (it’s also required for Government and public sector contracts). The type of security assessment you need depends on the scope of your certification and if you’re getting Cyber Essentials or Cyber Essentials Plus.
Types of tests needed for Cyber Essentials penetration testing
- Unauthenticated vulnerability assessment
- Internal authenticated vulnerability assessment
- Build and configuration reviews of certain devices, such as laptops
SOC 2 is a US framework from the AICPA that requires certain businesses to meet security and privacy standards. There are many criteria that organisations must meet in order to obtain SOC 2 certification, the core of which are the Trust Services Criteria. Penetration testing is needed to meet various compliance criteria, including CC1.4 Auditing Controls and CC4.0 Monitoring of controls.
SOC 2 is a complex standard, so we recommend a consultative approach to SOC 2 penetration testing. Find a provider who’s willing to roll their sleeves up and take the time to understand your unique SOC 2 penetration testing requirements, not just sell you a generic pen test. As our friendly SOC 2 consultants will attest, getting the right help at the right time can really speed up your SOC 2 compliance.
The General Data Protection Regulation (GDPR) is EU and UK regulation that protects the privacy of individuals' personal data. GDPR penetration testing is not specifically required by name, but if you’re serious about GDPR compliance and not just box ticking, a pen test is the way to go. It’s also a good way to demonstrate various parts of your compliance activities. And in the world of GDPR, if you can’t demonstrate something, you may as well not be doing it (...don’t tell the Data Protection Officers I said that). Article 32’s “appropriate technical measures” cover all sorts of technical demands for keeping personal data secure when stored electronically.
GDPR penetration testing should focus on the following areas:
- Data collection, storage and processing
- The testing should be conducted using a variety of methods, as determined by that nature of your interaction with personal data
Types of tests needed for GDPR penetration test
- This one depends entirely on what your business does and how it handles personal data. If you’re struggling with GDPR – and it’s not always easy – I should point out that we have friendly GDPR experts on hand to help.
The Federal Trade Commission (FTC) is a US Government agency that enforces consumer protection laws. Penetration testing is needed for compliance with the Gramm-Leach-Bliley Act (GLBA) and the agency’s own FTC Safeguards Rule. The GLBA is a law that requires financial institutions to protect the privacy of their customers' personal financial information. The FTC Safeguards Rule was updated in 2022 to reflect the evolving treat landscape – which is another sign that penetration testing is essential.
Similarly to PCI DSS, the FTC says that financial institutions must conduct penetration testing at least annually and after any significant changes to their systems. The testing should be conducted by a qualified penetration testing firm – so again, look out for a CREST certified pen test provider.
Concluding compliance penetration testing
“Whatever your compliance standard, if it intersects with security, it’s going to be quicker and easier to reach compliance if you get a penetration test.”
As we’ve seen, penetration testing is important for compliance with many industry standards. Though there are myriad more compliance standards I haven’t talked about (such as IT Health Check (ITHC) and HIPAA), if it intersects even slightly with security then bottom-line is a pen test is a really good idea. It’ll speed up your compliance efforts and make you more secure. Win-win.
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.