Connecting compliance with penetration testing
Compliance requirements aside, penetration testing is a critical aspect of any security programme. The continually evolving threat landscape brought about by the ever-increasing complexity of attack techniques underscores the need for organisations to continually monitor and manage vulnerabilities.
In today’s regulated environment, many organisations are looking for better ways to continually assess their compliance posture. Various regulations and standards have multiple components specifically related to system auditing and security, and either indicate or specify that penetration testing is necessary to determine whether identified vulnerabilities pose a genuine risk to an organisation.
What is it?
The PCI DSS (Payment Card Industry Data Security Standard) was set up to help businesses process card payments securely and reduce card fraud. It achieves this through enforcing tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle. The PCI DSS is intended to protect sensitive cardholder data.
Requirement 11.3 of the PCI DSS describes the need to regularly carry out penetration testing to identify unaddressed security issues and scan for rogue wireless networks.
Find out more about PCI DSS complaince
What is it?
An essential component of ISO 27001 compliance (and potentially for achieving certification) is performing a penetration test. With penetration testing, organisations can effectively identify where to make improvements to the information security management system (ISMS). Penetration testing also forms part of an effective continual improvement regime.
ISO 27001 control objective A12.6 (Technical Vulnerability Management) says that “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
Find out more about ISO 27001 compliance
What is it?
The GDPR is the General Data Protection Regulation: a pan-European data protection law. It gives EU data subjects more control over how their personal data is processed and places a range of new obligations on organisations that process and control the processing of personal data.
Article 32 of the Regulation requires organisations to implement technical measures to ensure data security. It outlines specific measures and highlights the need for “[A] process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
Find out more about GDPR copmliance
Offering practical solutions to help you meet your legal, regulatory and contractual requirements
Our expertise in standards such as the PCI DSS, the GDPR and ISO 27001 means we can offer an integrated approach to your testing challenges and develop suitable solutions that will enable you to reduce your risks and ensure compliance with standards, frameworks, legislation and other business requirements.