What is SOC 2 Penetration Testing and Why You Need One
Is Penetration Testing (pen testing) required for SOC 2?
We get this question a lot. The short answer is, no, it is not required. But let's talk about the nuances within this topic.
According to CC4.1 (COSO Principle 16): The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. One of the points of focus drawn from the COSO framework states that management uses a variety of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments.
It may look like penetration testing is integral to your SOC 2, but treat that point of focus as an example of the kinds of evaluations your company might consider rather than a mandate. If your risk assessment concludes that your other ongoing evaluations are sufficient, you can choose to exclude a pen test. However, you should undoubtedly include a penetration test if your risk assessment shows a high risk level in that area.
When working towards a SOC 2 Type I report, the auditor evaluates whether the controls are suitably designed as of a point in time, not whether they operated effectively or whether the policies were followed over a period. Because of this, a penetration test is not required for a SOC 2 Type I report.
For a SOC 2 Type II, if you list penetration testing as one of your controls, then you will absolutely need to have one performed and be able to show the evidence.
Often clients choose a shortened period for their initial SOC 2 Type II, and most opt to have pen testing performed annually. In that case, even if pen testing is one of your controls, the test might not fall within the audit period. That is completely fine. The SOC 2 report would say "no events to test." That is not an exception or a "ding" on the report; it merely informs you and your customers that the auditors could not test that control during the period.
Why your company should do pen testing even if it’s not required
Pen testing is a good business practice and an industry standard. Many of our clients' customers ask for both their most recent pen test report and their SOC 2 Type II report. So, even if you try to cut costs by leaving penetration testing out of your controls, you will probably still have to have one performed annually.
Types of Penetration Testing
There are three main types of pen testing, distinguished by where the tester starts:
External pen testing simulates an attacker on the internet with no existing foothold. This type of test focuses on attacking your externally reachable points of entry.
Internal pen testing simulates an attacker (or a malicious insider) who is already inside your network. This test focuses on how far the attacker can move once inside your systems.
Hybrid testing is a mix of internal and external pen testing. This test is a great way to get the best of both.
You will often see the terms "black box," "white box," and "gray box" used alongside these, but they describe something different: how much information the tester is given in advance (none, full documentation and credentials, or partial), not where the test starts. An external test can be black box or white box, and so can an internal test. "Black hat" and "white hat" describe a hacker's intent, not a type of test, so agree on the scope and the level of knowledge with your tester rather than relying on those labels.
You can choose manual penetration testing or pen testing as a service (PTaaS), which relies mainly on automated scanning. SOC 2 does not specify one over the other. Instead, it is up to management to decide what is most appropriate and what their customers would expect.
What is the difference between manual and automated penetration testing?
Manual pen testing uses human knowledge and expertise. It is the better way to find design flaws, chained weaknesses where several low-severity issues combine into a serious one, and business logic flaws that pen testing as a service would miss.
Pen testing as a service (automated penetration testing) is a good way to perform more frequent or continuous testing. It uses a SaaS platform to run tests quickly and at a significantly lower price. It focuses on tasks that are easy to automate, such as finding missing security patches, common or default passwords, and services unintentionally exposed to the internet, and the platform's checks are kept up to date with the current threats facing companies.
When considering what type of penetration test is appropriate for your situation, it is best to talk to an expert CPA knowledgeable in the nuances of SOC 2 and SOC 1 reporting and pen testing.
When should you perform a penetration test?
Generally, pen testing is performed annually. If you are already on a pen testing schedule, you should stay on that schedule.
If this is your first time, select the best time for you and your company. Your CPA can help you determine this.
If you go with pen testing as a service (automated pen testing), you will want to identify when the tests run and write your policy around that schedule.
Does my penetration test have to come back clean for SOC 2?
No! SOC 2 looks for you to follow your own processes and policies. When issues are identified, auditors look for a ticket to be created and resolved within the SLA your policy specifies. A finding becomes an exception only when the ticket is missing or the remediation misses that SLA.
Don't look at flagged issues as negative. It is a good thing when problems are identified and resolved, because you can be confident that your company's and your customers' data are more secure than when you first started the process.
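To make the auditor's view concrete, here is an added example (not code from the original article or from Johanson Group) of the remediation check described above: each finding is classified against a per-severity SLA, and only late or overdue tickets become exceptions. The SLA values, the ticket numbers, and the findings themselves are assumptions constructed for the example; substitute your own policy's numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA per severity, in calendar days. These values are an
# assumption for the example; your own policy defines the real ones.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    ticket: str
    severity: str
    identified: date            # date the pen test report flagged it
    resolved: Optional[date]    # date the ticket was closed; None if open


def deadline(finding: Finding) -> date:
    """SLA due date: identification date plus the policy window."""
    return finding.identified + timedelta(days=SLA_DAYS[finding.severity])


def sla_status(finding: Finding, as_of: date) -> str:
    """Classify one finding the way an auditor reviewing tickets would.

    'remediated' - closed on or before the SLA deadline
    'open'       - still open, but the deadline has not passed as of as_of
    'exception'  - closed late, or still open past the deadline
    """
    due = deadline(finding)
    if finding.resolved is not None:
        return "remediated" if finding.resolved <= due else "exception"
    return "open" if as_of <= due else "exception"


def audit(findings, as_of: date):
    """Return ({ticket: status}, sorted list of exception tickets)."""
    statuses = {f.ticket: sla_status(f, as_of) for f in findings}
    exceptions = sorted(t for t, s in statuses.items() if s == "exception")
    return statuses, exceptions


# Constructed sample findings (hypothetical tickets, not real pen test output).
SAMPLE_FINDINGS = [
    Finding("SEC-101", "critical", date(2023, 3, 1), date(2023, 3, 5)),  # fixed in 4 days
    Finding("SEC-102", "high", date(2023, 3, 1), date(2023, 4, 15)),     # fixed in 45 days: late
    Finding("SEC-103", "medium", date(2023, 3, 1), None),                # open, inside 90-day window
    Finding("SEC-104", "low", date(2022, 9, 1), None),                   # open, 180-day window passed
]

# Date the auditor reviews the tickets (constructed).
AS_OF = date(2023, 4, 20)

if __name__ == "__main__":
    statuses, exceptions = audit(SAMPLE_FINDINGS, AS_OF)
    for ticket, status in statuses.items():
        print(f"{ticket}: {status}")
    print("exceptions:", exceptions)
```

Run against the sample data, SEC-101 is remediated within SLA, SEC-103 is open but still inside its window, and SEC-102 (closed late) and SEC-104 (open past its deadline) are the two exceptions an auditor would write up. Whatever tracker you use, the evidence the auditor wants is exactly these three fields per finding: when it was identified, its severity, and when it was closed.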
SOC 2 penetration testing is up to you!
While a penetration test is not a must-have requirement for a SOC 2 report, it is a good business practice. The more controls you operate and the more testing you perform, the more secure your data will be. It is also a great marketing tool: you can show your customers, stakeholders, and partners that you go above and beyond the minimum requirements to secure your customers' data.
ABOUT JOHANSON GROUP:
Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries across the world.
We serve:
SaaS Start-ups
SaaS Healthcare Organizations
Established SaaS Companies
Government SaaS Organizations
We provide:
SOC 2 assessments
HIPAA assessments
ISO/IEC 27001 reports