
INFRA-2 Penetration Testing


What is this control about?

Penetration testing is an authorized, simulated attack on a company's systems, carried out to evaluate how well those systems stand up to a real adversary. It is a good way to periodically re-evaluate the exposure of your company's systems. Penetration testing differs from vulnerability scanning: a scanner automatically enumerates known weaknesses, whereas a penetration tester manually attempts to exploit and chain weaknesses to reach a goal, and auditors generally expect the test to be performed by an independent third party.

Is it required to get a Penetration Test before my audit?

It depends on the auditor. In most cases it is best to have the penetration test and the remediation completed before the audit; in some instances, however, a signed statement of work from a penetration tester is sufficient to start the audit. Discuss this with your auditor before the audit starts.

What matters most is what is done with the results of the testing. Remediation of the vulnerabilities found must be documented and tracked to resolution.

Available tools in the marketplace

No tool recommendation for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

  • TrustCloud has partnered with penetration testers in the marketplace.

Control implementation

You will need to hire a third-party firm to perform a penetration test at least annually. The scope of the exercise remains at the discretion of each organization; there are no specific scope requirements to demonstrate compliance with this control. Whatever scope you choose, make sure the report states it, along with the dates of testing, so the auditor can tie the test to the audit period.

Once testing is complete and the results are delivered, implement a formal, repeatable process to track each identified issue or vulnerability through to remediation.
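What "tracked to resolution" looks like in practice is a record per finding with a severity, a remediation ticket, a due date derived from a severity-based SLA, and a closure date, plus a check that flags anything an auditor would question. The script below is an added example, not TrustCloud's tooling or any penetration tester's deliverable: the SLA day counts are an assumed policy (the control mandates none), and the findings are constructed for the example.

```python
"""Remediation tracker for penetration-test findings.

Added example, not TrustCloud's tooling. It assumes a simple
severity-based SLA policy (the day counts below are illustrative, not
mandated by the control) and findings transcribed from a report as plain
records; the sample findings are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed remediation SLA in days per severity; replace with your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: str
    reported: date                 # date the tester reported the finding
    ticket: Optional[str] = None   # ID in the ticketing system, if raised
    closed: Optional[date] = None  # date the fix was verified, if any

    @property
    def due(self) -> date:
        """Remediation deadline: report date plus the SLA for the severity."""
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        """'closed', 'open' (still within SLA) or 'overdue'."""
        if self.closed is not None:
            return "closed"
        return "overdue" if today > self.due else "open"


def audit_gaps(findings: List[Finding], today: date) -> List[str]:
    """Return the problems an auditor would flag, one string per problem.

    A finding counts as tracked to resolution only if it has a ticket and,
    while open, is within its SLA. A closure date before the report date is
    a data-entry error and is flagged instead of being trusted.
    """
    gaps = []
    for f in findings:
        if f.ticket is None:
            gaps.append(f"{f.finding_id}: no remediation ticket")
        if f.closed is not None and f.closed < f.reported:
            gaps.append(f"{f.finding_id}: closed before it was reported")
        elif f.status(today) == "overdue":
            gaps.append(f"{f.finding_id}: overdue (due {f.due.isoformat()})")
    return gaps


def summary(findings: List[Finding], today: date) -> dict:
    """Count findings per status, the figure a remediation summary reports."""
    counts = {"closed": 0, "open": 0, "overdue": 0}
    for f in findings:
        counts[f.status(today)] += 1
    return counts


# Constructed sample findings, as they might be transcribed from a report.
SAMPLE = [
    Finding("PT-001", "SQL injection in search", "critical",
            date(2024, 3, 1), ticket="SEC-101", closed=date(2024, 3, 4)),
    Finding("PT-002", "Outdated TLS configuration", "medium",
            date(2024, 3, 1), ticket="SEC-102"),
    Finding("PT-003", "Verbose error pages", "low",
            date(2024, 3, 1)),                   # never ticketed: a gap
    Finding("PT-004", "Missing rate limiting on login", "high",
            date(2024, 3, 1), ticket="SEC-104"),  # open past its 30-day SLA
]

# Assumed reporting date for the sample, e.g. the day evidence is collected.
AS_OF = date(2024, 5, 1)

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.finding_id, f.severity, f.status(AS_OF), f.ticket or "-")
    print(summary(SAMPLE, AS_OF))
    for gap in audit_gaps(SAMPLE, AS_OF):
        print("GAP:", gap)
```

Run against the sample as of the assumed date, the summary is one closed, two open and one overdue finding, and the gap list names PT-003 (no ticket) and PT-004 (past its SLA). Exporting the same table from your ticketing system, with ticket IDs and closure dates filled in, is the remediation evidence the auditor asks for.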

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested actions below.

  • Provide the most recent penetration testing results – the executive summary is sufficient
  • Provide remediation evidence of vulnerabilities found

Evidence example

From the suggested actions above, an example is provided below.

1.  Provide the most recent penetration testing results.

The executive summary is sufficient.

INFRA 2 screenshot1

2. Provide remediation evidence of vulnerabilities found.

Best presented in an automated ticketing system:

INFRA 2 screenshot2
