Do you run penetration tests at least annually against critical applications and infrastructure?
Description
What this control does
Penetration testing simulates real-world attacks against critical applications, systems, and network infrastructure to identify exploitable vulnerabilities before adversaries do. Testing must be conducted at least annually by qualified internal teams or third-party specialists using industry-standard methodologies such as PTES, OWASP, or NIST SP 800-115. The scope must cover externally facing assets, privileged internal systems, and any applications processing sensitive data, with findings prioritized by risk, remediated, and re-tested to validate closure.
Control objective
What auditing this proves
Demonstrate that the organization conducts annual penetration tests against critical assets, documents exploitable vulnerabilities, and remediates high-risk findings in a timely manner.
Associated risks
Risks this control addresses
- Undetected exploitable vulnerabilities in critical systems allowing unauthorized access or privilege escalation
- Configuration weaknesses or misconfigurations in public-facing infrastructure enabling remote compromise
- Logical flaws or business logic bypasses in applications leading to data exfiltration or fraud
- Insufficient security hardening of critical infrastructure components resulting in lateral movement opportunities
- Inadequate patch coverage allowing exploitation of known CVEs in production environments
- Failure to identify attack paths that combine multiple low-severity vulnerabilities into critical exposures
- Lack of verification that compensating controls effectively mitigate known architectural weaknesses
Testing procedure
How an auditor verifies this control
- Obtain the current penetration testing policy and review requirements for frequency, scope, methodology, and qualifications of testers.
- Request and examine penetration test reports for the most recent twelve-month period covering all critical applications and infrastructure.
- Verify that the test scope included all assets classified as critical per the organization's asset inventory and risk assessment.
- Confirm that testing was performed by qualified personnel holding recognized certifications (e.g., OSCP, GPEN, CREST) or reputable third-party firms.
- Review the methodology documentation to ensure testing followed industry-standard frameworks (PTES, OWASP, OSSTMM, or NIST SP 800-115).
- Select a sample of high and critical severity findings from penetration test reports and trace each to corresponding remediation tickets or change records.
- Verify that remediation evidence (patches, configuration changes, code fixes) was validated through retesting or compensating control implementation.
- Interview the security team to confirm lessons learned from penetration tests are incorporated into vulnerability management and secure development processes.