Penetration testing is often expected under international cybersecurity standards such as ISO 27001 and SOC 2, even where the standard does not name it outright. These standards emphasise regularly assessing and testing security controls to ensure the confidentiality, integrity, and availability of information assets, and a penetration test is the most common evidence that such testing has actually taken place.
Under ISO 27001:2022, penetration testing is not named as a mandatory activity, but it is the usual way of satisfying Annex A control 8.8 (Management of technical vulnerabilities) within the information security management system (ISMS). That control requires organisations to obtain information about technical vulnerabilities in the systems they use, evaluate their exposure to those vulnerabilities, and take appropriate measures; regular vulnerability assessments and penetration tests, together with evidence that findings were remediated, are what auditors typically accept as proof. As with all Annex A controls, its applicability is recorded in the organisation's Statement of Applicability.
Similarly, SOC 2 does not explicitly require penetration testing, but the Trust Services Criteria (TSC) for security do call for the organisation to identify vulnerabilities and to evaluate whether its controls operate effectively, and penetration testing is named among the types of evaluation management may rely on (CC4.1, Monitoring Activities) and is commonly used as evidence for CC7.1 (identifying susceptibility to vulnerabilities). In practice, SOC 2 auditors usually expect a recent penetration test report together with a record of how the findings were handled. Penetration testing thus helps validate the effectiveness of security controls and demonstrates the organisation's commitment to safeguarding client data and sensitive information.
While not explicitly mandated in every cybersecurity standard, penetration testing is widely recognised as a best practice for identifying and mitigating security risks, and many organisations choose to include it as part of their compliance efforts regardless of specific regulatory requirements.