Simuna Infosec
Compliance

SOC 2 Type II and Penetration Testing: Meeting Trust Service Criteria for Portuguese-Speaking Companies

SOC 2 doesn't mandate penetration testing, but auditors increasingly expect it. This page explains how testing supports your SOC 2 program, with guidance for the PT market.

SOC 2 Type II reports evaluate controls over a period (typically 12 months) against Trust Service Criteria. While SOC 2 doesn't explicitly require penetration testing, the Common Criteria (specifically CC7.1 and CC7.2) require organisations to monitor system components for vulnerabilities and test the effectiveness of security controls. Auditors increasingly look for penetration testing as evidence of control effectiveness. Our reports map directly to SOC 2 Trust Service Criteria, providing auditors with documented evidence of security testing across the audit period.