Penetration testing is explicitly required or strongly recommended by many of the compliance frameworks that enterprises operate under. Understanding what each framework expects helps organisations scope testing that satisfies multiple requirements simultaneously.
PCI DSS
The Payment Card Industry Data Security Standard explicitly requires penetration testing under Requirement 11 (Requirement 11.4 in PCI DSS v4.0). Testing must cover internal and external network penetration testing as well as application-layer testing, and must be based on an industry-accepted methodology. It must be performed at least once every 12 months and after any significant change to the environment; where network segmentation is used to reduce the scope of the cardholder data environment, the segmentation controls must also be penetration tested annually (and at least every six months for service providers). Testers must be qualified and organisationally independent of the environment being tested, which does not require a third party, but does mean the team that built or operates the systems cannot test its own work.
ISO 27001
ISO 27001 requires the organisation to verify that its controls work as intended, which in practice includes penetration testing and vulnerability assessment. The relevant Annex A controls in ISO/IEC 27001:2022 are A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development and acceptance); in the 2013 edition these map to A.12.6.1 and A.18.2.3 (technical compliance review). ISO 27001 does not prescribe a testing frequency. Instead, the frequency and scope must be justified by the organisation's own risk assessment and recorded in its risk treatment plan, and because the standard demands continual improvement and evidence that controls are effective, annual penetration testing has become standard practice for certified organisations.
SOC 2
SOC 2 (System and Organization Controls 2) is an AICPA attestation against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 does not mandate penetration testing as such, but the Common Criteria on risk assessment (CC3 series), on evaluating whether controls operate effectively (CC4.1), and on detecting vulnerabilities and monitoring for anomalies (CC7.1) are difficult to evidence without it, and most SOC 2 auditors expect reports from regular penetration tests, together with evidence that the findings were remediated, as part of demonstrating control effectiveness.
Regional Frameworks
Beyond global standards, regional frameworks increasingly require penetration testing. These include MAS TRM (Singapore), APRA CPS 234 (Australia), BNM RMiT (Malaysia), BSP Circular 982 (Philippines), OJK POJK 11/2022 (Indonesia), and Japan's ACDA obligations for critical infrastructure. Each has its own scoping and frequency expectations, which we address in our country-specific guides.
The Compliance-Plus Approach
The most effective approach treats compliance as a floor, not a ceiling. A penetration test scoped purely to satisfy an audit line item, testing only what is required and covering only the minimum scope, may satisfy the auditor while leaving significant gaps: systems just outside the assessed boundary, business-logic flaws that a checklist-driven test never exercises, and attack paths that chain low-severity issues together. Testing that goes beyond the minimum provides genuine security value while satisfying compliance requirements along the way.
How Simuna Infosec Helps
Our reports map findings to the compliance frameworks our clients operate under, so a single engagement can support PCI DSS, ISO 27001, and regional regulatory requirements simultaneously. But we never limit our testing to only what a framework requires, because attackers don't limit themselves to the audit scope.