Pen Testing Requirements

As an information security best-practice, Secureframe highly recommends that organizations perform an annual third-party penetration test of their internal and external environments and web applications, to ensure awareness of any potential vulnerabilities to your system(s) and to allow you the opportunity to remediate and mitigate any findings.

Though performing a pen test is highly recommended, it is not necessarily a hard pass/fail control requirement as it relates to SOC 2. What is required is that organizations implement a comprehensive vulnerability assessment program for their in-scope system(s) and application(s) to identify vulnerabilities and track their remediation. Each auditor sets their own individual requirements regarding the activities needed to satisfy this control.

While this control can, in some cases, be accomplished through the use of various paid and open-source tools and manual activities, it is generally less costly and resource-intensive to have a pen test performed by a third party, and all auditors will accept a pen test report as evidence. A pen test will also provide a much more in-depth assessment and analysis of any discovered vulnerabilities, and most pen test firms will offer guidance on the steps necessary to remediate any critical or high vulnerabilities discovered.

Secureframe has established partnerships with the following pen test firms:

Your Customer Success Manager can make a warm introduction to any and all partners. Simply reach out at success@secureframe.com so we can understand what you are looking for and which partner might be the best fit.

We encourage you to evaluate several firms and make a selection based on the best fit for your business goals and budget requirements.

Penetration (pen) test for SOC 2

SOC 2 usually requires that a company conduct vulnerability scanning on a regular basis and take proper steps to address the risks it identifies.

A company can meet SOC 2 audit requirements for vulnerability scanning through the following actions:

  • Perform a third-party penetration (pen) test at least annually from a reputable vendor or firm
  • Identify and resolve identified critical and high-risk vulnerabilities

The pen test requirement may vary from auditor to auditor, but as a security best practice we'd highly recommend getting a pen test.

Frequently Asked Questions (FAQ)

When should the pen test occur?

  • The timing for your pen test may differ depending on your audit type, SOC 2 Type 1 or SOC 2 Type 2, as well as auditor requirements. We'd recommend selecting an auditor before moving forward with your pen test.
  • SOC 2 Type 1: Pen test can have taken place anytime in the prior 12 months from the report date
  • SOC 2 Type 2: Pen test has to occur during the audit period

Does Secureframe have a recommended pen test partner?

  • Yes, we have partnerships for Pen Testing, Vulnerability Management, Background Checks, Auditors, Scanning, vCISOs, and more.
  • Connect with success@secureframe.com to chat more about your needs and they will introduce you to the right partner for the job.
