Connecting compliance with penetration testing
Compliance requirements aside, penetration testing is a critical aspect of any security program. The continually evolving threat landscape brought about by the ever-increasing complexity of attack techniques underscores the need for organizations to continually monitor and manage vulnerabilities.
In today’s regulated environment, many organizations are looking for better ways to continually assess their compliance posture. Various regulations and standards have multiple components specifically related to system auditing and security, and either indicate or specify that penetration testing is necessary to determine whether identified vulnerabilities pose a genuine risk to an organization.
PCI DSS
Regulation
What is it?
The PCI DSS was set up to help businesses process card payments securely and reduce card fraud. It achieves this through enforcing tight controls surrounding the storage, transmission, and processing of cardholder data that businesses handle. The PCI DSS is intended to protect sensitive cardholder data.
Requirement
Requirement 11.3 of the PCI DSS describes the need to regularly carry out penetration testing to identify unaddressed security issues and scan for rogue wireless networks.
Find out more
ISO 27001
Regulation
What is it?
An essential component of ISO 27001 compliance (and potentially for achieving certification) is performing a penetration test. With penetration testing, organizations can effectively identify where to make improvements to the information security management system (ISMS). Penetration testing also forms part of an effective continual improvement regime.
Requirement
ISO 27001 control objective A12.6 (Technical Vulnerability Management) says that “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
Find out more
Connecting compliance with regular penetration testing
In today’s regulated environment, many organizations are looking for better ways to continually assess their compliance posture. Various regulations and standards have multiple components specifically related to system auditing and security, and either indicate or specify that penetration testing is necessary to determine whether identified vulnerabilities pose a genuine risk to an organisation.
These include (but are not limited to):
Offering practical solutions to help you meet your legal, regulatory and contractual requirements
Our expertise in standards such as the PCI DSS, the GDPR and ISO 27001 means we can offer an integrated approach to your testing challenges and develop suitable solutions that will enable you to reduce your risks and ensure compliance with standards, frameworks, legislation and other business requirements.