How often should I schedule a penetration test?

It’s commonly said that penetration tests and vulnerability scans should be performed on a regular basis to ensure all vulnerabilities, including newly discovered ones, are found and remediated before they can be exploited by cyber criminals. Many companies wait too long before conducting a penetration test, though, or do so only when it’s required by law and a deadline is fast approaching. Or worse, some only commission a penetration test once the company has already been breached.

How often should our systems be tested?

This is not an easy question to answer, because various factors need to be weighed before a test is scheduled. These factors include:

  • The likelihood of being attacked – being a high-profile company or a high-value target (one that holds large amounts of information that can be commoditised). High-profile companies are often mentioned in the media; a company can enter the limelight over inconsequential events and become the target of attacks.
  • The company’s presence in the press for the wrong reasons – e.g. environmental, political or human rights issues – will increase the likelihood of attacks.
  • Compliance requirements.
  • Use of open-source software, which is more vulnerable to automated attacks.
  • Significant changes to the company infrastructure or network.

Below, you can find some useful information about when to set up a penetration test.

Penetration testing is an essential component of an ISO 27001 ISMS

An ISMS (information security management system) implementation project greatly benefits from penetration testing at three particular points:

  1. As part of the risk assessment process – a penetration test will identify vulnerabilities in any web applications, internal devices, Internet-facing IP addresses and applications and link them to identifiable threats.
  2. As part of the risk treatment – a penetration test ensures that controls work as designed.
  3. As part of the continual improvement process – a penetration test ensures that controls continue to work and that new threats and vulnerabilities are discovered and fixed.

Penetration testing for PCI DSS compliance

Requirement 11 of the PCI DSS states that “system components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment”. The Standard requires that penetration testing be performed at least annually, or whenever there is a significant upgrade or modification of the infrastructure and applications in use.

Penetration testing and the changing environment

Penetration tests should be conducted any time one or more of the below situations occur:

  • Security patches are applied,
  • Significant changes are made to the infrastructure or network,
  • New infrastructure or web applications are added,
  • The office location changes or an office is added to the network.

IT Governance recommends having frequent (typically quarterly) level 1 penetration tests, depending on the organisation’s risk appetite, and at least an annual level 2 penetration test if the organisation is high-profile or high-value. Furthermore, if costs are a factor, it will be more beneficial if application testing is more frequent than infrastructure testing because applications are typically more dynamic and have more vulnerabilities.

To conclude, it’s highly recommended that all organisations, no matter their profile or value, have a penetration test at least annually.

If you want to know more about penetration testing, the different levels of tests and IT Governance’s penetration testing services, visit our website.

Contact us on +44 (0) 845 070 1750 to discuss your penetration testing requirements with our experts.