INFRA-2 Pen Testing


What is INFRA-2 Pen Testing Control?

Pen testing, or penetration testing, is an authorized simulated attack on an organization’s systems, carried out to evaluate how secure those systems actually are. It is a good way to reassess how exposed your organization’s systems are. Penetration testing differs from vulnerability scanning in that it requires an external third party to perform the testing.

Is it required to get a penetration test before my audit?

It depends on the auditor. In most cases, it is best to have the penetration testing and remediation completed before the time of the audit; however, in some instances, a statement of work from a penetration tester can be sufficient to start an audit. You need to discuss this with your auditor before the audit starts.

The important thing here is what is done with the results of the testing. Remediations for the found vulnerabilities must be documented and tracked to resolution.

Available tools in the marketplace

No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

  • TrustCloud has partnered with penetration testers in the marketplace.

Control implementation

To implement this control, you need to hire a third-party firm to perform a penetration test at least once a year. The scope of the pen testing exercise remains at the discretion of each organization; there are no specific scope requirements to demonstrate compliance with this control.

Once the testing is performed and results are provided, implement a formal and repeatable process to track and remediate the issues and vulnerabilities identified.

What evidence do auditors look for?

Most auditors, at a minimum, look for the following actions.

  1. Provide the most recent penetration testing results; the executive summary is sufficient.
  2. Provide remediation evidence for the vulnerabilities found.

Evidence example

For the suggested action, an example is provided below:

  1. Provide the most recent penetration testing results.
    The following screenshot shows the executive summary (this is sufficient evidence).
    (Screenshot: INFRA 2 Pen Testing 01)
  2. Provide remediation evidence for the vulnerabilities found.
    The following screenshot shows evidence of the vulnerabilities found and their remediation (best presented from an automated ticketing system).
    (Screenshot: INFRA 2 Pen Testing 02)
