Does SOC 2 Require a Penetration Test?

Audit firms give conflicting answers about whether SOC 2 requires organizations to complete a penetration test. SOC 2 does not explicitly require one. However, we strongly suggest that you conduct penetration testing regularly: at least once annually, and again after any significant network or application change or new product release.

Three reasons you should get a penetration test:

1) CC4.1 “Perform Ongoing and/or Separate Evaluations”

The language in CC4.1 is somewhat ambiguous, but it requires “ongoing and/or separate evaluations” of internal control, so you do need to perform a periodic assessment of your security controls. SOC 2 is not explicit about what that assessment must be; the points of focus that accompany CC4.1 list penetration testing as one example of a separate evaluation, and for most technology companies a penetration test is the most defensible way to meet the spirit of the requirement. Consider also that most readers of your SOC 2 report (e.g., your clients and prospects) will expect to see one.

2) Defensible Approach

The primary reason for having a penetration test is not to satisfy your SOC 2 audit. First, most of your clients are going to expect that you regularly perform penetration testing, and they are likely to ask for evidence of a recent test (typically a report or an attestation letter) during due diligence before they sign a deal with you. Second, if your organization ever faces litigation, a record of regular penetration tests, together with evidence that impactful findings were remediated and retested, will demonstrate your organization’s commitment to vulnerability management; having never performed one could be interpreted as negligence. Third, if you are subject to other requirements such as PCI DSS, HIPAA, GDPR, or ISO 27001, a penetration test will help you meet those expectations as well (PCI DSS, unlike SOC 2, explicitly requires penetration testing).

3) Better Security

If you are a product owner or responsible for securing your corporate network, you should want a penetration test. An independent third-party review of your security posture will help you mature your security program. After the test, use the findings to improve your understanding of your overall cybersecurity posture, track remediation of each finding to closure, and have the fixes retested so you can show that the vulnerabilities are actually gone.

Conclusion

SOC 2 does not explicitly require a penetration test; however, we strongly suggest getting one based on the CC4.1 language around “ongoing and/or separate evaluations” of internal control. In addition, a penetration test gives you a defensible approach for due diligence with potential clients during contract vetting, when facing litigation, and when implementing other security frameworks.

Types of Penetration Tests

  • Full-scope (red team testing): an objective-based engagement that combines the other test types to emulate a real attacker
  • Network penetration test (external and/or internal)
  • Social engineering (e.g., phishing, smishing, phone call attacks)
  • Web application penetration test (specific to a web application or API)
  • Physical penetration test (breaking into facilities)

Whichever type you choose, make sure the scope covers the systems and applications inside your SOC 2 system boundary; a test of assets outside that boundary will not help your auditor or your clients.