
Pen testing requirement for SOC 2

Is Pen testing a requirement for SOC 2?

GRC Q&A
All Replies


  • It depends on your auditors – In general, a pen test is required for SOC 2; however, some audit firms would make an exception for the Type 1 and allow companies to skip this requirement or demonstrate an “intention” to have a pen test done at some point in the near future.
    Regardless, any company doing a SOC 2 would eventually do a Type 2, which absolutely requires a pen test. As such, it's advisable to err on the side of caution and get one.
    On top of that, SOC 2 or not, all organizations should conduct pen testing at least every year to see how vulnerable they are.

  • Pen testing is not a requirement for SOC 2 Type I, but it is a requirement for SOC 2 Type II.

