Penetration Testing for Compliance
Blog posted on 7th May 2024
Introduction: Who needs compliance penetration testing?
Companies widely use and recommend penetration testing to bolster their cyber security. Beyond its value in finding vulnerabilities before an attacker does, so that they can be remediated, many compliance and regulatory standards also require pen testing.
Compliance regulations such as PCI DSS, ISO 27001, Cyber Essentials and GDPR bring with them a whole host of benefits:
- They act as a fantastic guide to implementing strong security measures.
- Companies must centralise and document their controls to meet audit requirements, giving the business a clear view of what is actually in place.
- They build credibility, showing clients and stakeholders that the organisation takes information security seriously.
Pen testing is a broad term. When undergoing compliance penetration testing, it’s important to break down the task at hand and take a methodical approach to ensure the compliance requirements are met while also providing great value from a security perspective. The specific tests conducted depend on the certification in question.
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a globally recognised information security standard. It reduces payment card fraud by mandating a set of security controls for any business that stores, processes or transmits cardholder data, and Requirement 11.3 (Requirement 11.4 in PCI DSS v4.0) requires regular internal and external penetration testing. The volume of online card payments has risen sharply in recent years, and we certainly don't see it falling any time soon.
Now, what exactly is PCI DSS Penetration Testing? Well, the PCI SSC posted an official Guidance Document providing a full breakdown. However, here is a quick snapshot of what you can expect:
ISO 27001
ISO 27001 is the international standard for establishing, operating and continually improving an Information Security Management System (ISMS). To comply, organisations must put in place a system for identifying, assessing and treating risks to the security of the information they handle or own.
ISO 27001 does not name penetration testing as a mandatory activity, but several of its clauses and Annex A controls are hard to evidence without some form of technical security testing, which is why ISO 27001 penetration testing is a broad and comprehensive topic:
- A.12.6.1 in the 2013 edition (management of technical vulnerabilities), A.8.8 in the 2022 edition.
- Clause 6.1.2 (information security risk assessment), which a pen test report feeds with real, verified findings.
- Clauses 8.2 and 8.3 (performing the risk assessment and implementing the risk treatment plan), where testing confirms that the chosen controls actually work.
- A.14.2.8 (system security testing) and A.18.2.3 (technical compliance review) in the 2013 edition, A.8.29 and A.5.36 in the 2022 edition; the ISO 27002 guidance for technical compliance review explicitly cites penetration tests and vulnerability assessments as suitable methods.
As always, the types of testing required will depend on the systems included in scope for the certification. Here are some of the projects you can expect to consider:
Cyber Essentials
Cyber Essentials is a UK government-backed scheme that sets out a baseline of five technical controls (firewalls, secure configuration, security update management, user access control and malware protection). It is widely accepted as the 'baseline' certification, helping companies take the first step towards strong information security. Penetration testing is not a requirement of Cyber Essentials, which is self-assessed, but Cyber Essentials Plus adds an independent technical audit that includes a few light-touch assessments:
- External vulnerability scanning of internet-facing systems and authenticated internal vulnerability scanning of a sample of devices.
- Build and configuration reviews of those sampled devices, including patch levels and malware protection.
GDPR
GDPR (General Data Protection Regulation) is an EU regulation, retained in UK law as the UK GDPR, that protects individuals' personal data. Pen testing is not named as a requirement, although Article 32 does require "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures", and a pen test is one of the most direct ways to evidence that. Whether it is strictly necessary depends on the systems that store or process personal data; if you are serious about GDPR rather than ticking boxes, pen testing should be a key part of your data protection strategy.
Organisations looking to pen test in support of GDPR compliance should focus testing on the areas of the business that collect, store or manage personal data.
Conclusion & Author:
Across the information security standards covered here, some form of security assessment benefits compliance even where it is not a mandated requirement.
What compliance penetration testing should cover depends on the organisation and on its reasons for carrying out the project. It is therefore important to involve an experienced pen tester early, to make sure the right test is performed, one that improves compliance and bolsters security at the same time.