Many people wonder: does an SSAE 18 SOC 2 assessment require a penetration test? The answer is a resounding “no.”
That being said, there are many good reasons to conduct regular penetration testing. Coordinating that testing with other audit functions promotes economies of scale and may even help with responses to those audits.
(NOTE: If you’re looking for advice on your SOC 2 compliance, our free tool below matches you with a top-rated consultant that fits your needs and budget.)
First: SOC 2 Itself Requires Nothing
A SOC 2 assessment doesn’t require penetration testing. The subject matter of the audit is largely concerned with evaluating the controls that support the five AICPA trust services criteria:
- Security – focused on technical infrastructure safeguards
- Availability – focused on business continuity and disaster recovery
- Processing Integrity – focused on quality assurance and data accuracy functions
- Confidentiality – technical and administrative safeguards designed to protect data from exfiltration or misuse
- Privacy – administrative safeguards with respect to data misuse
When evaluating those five principles, an auditor will verify that controls exist to satisfy those criteria. The auditor will then go further in a SOC 2 Type II audit and evaluate the efficacy of those controls.
When Might SOC 2 Require a Penetration Test?
Some argue that measuring the efficacy of the Confidentiality trust service principle is helped with penetration testing. I agree with that and think that there’s no better way to validate the effectiveness of controls designed to mitigate data exfiltration and misuse than trying to circumvent those controls and steal data.
Depending on the framework your organization employs, a penetration test may be the most effective way to demonstrate control efficacy. While standards like the MITRE ATT&CK framework and the CIS Top 10 don’t require penetration testing, if those are the primary security frameworks used by your organization, it’s very difficult to test the efficacy of controls without penetration testing.
Many organizations may want to skirt penetration testing in favor of vulnerability assessments or vulnerability scans. The idea is that regular vulnerability scans conducted on a periodic basis, like quarterly vulnerability scans, will validate good security practices. Those scans will do so more cost-effectively than a penetration test. (more on penetration testing costs here)
Vulnerability scanning validates system operations by showing that each computer system, web application, cloud asset, or other infrastructure in scope is patched. Scanning provides no other information about the security posture of those assets and certainly doesn’t indicate that sensitive information is protected.
Penetration testing is a kind of risk assessment that’s more comprehensive than a vulnerability scan. It shows an entity’s ability to provide industry-standard protections against cyber criminals via a simulated attack. In addition to testing known vulnerabilities, it also validates internal controls and monitoring procedures. That significantly more comprehensive view can help demonstrate sophistication in meeting trust services principles.
When Won’t SOC 2 Require a Penetration Test?
The benefits of penetration testing also depend on whether your organization is pursuing a SOC 2 Type I or SOC 2 Type II assessment. As highlighted above, a Type II assessment is about testing control efficacy. Penetration tests are designed to test the efficacy of controls that keep intruders out by masquerading as an intruder.
Conversely, a Type I assessment evaluates the existence of the controls and management’s portrayal of the controls.
For a SOC 2 type I assessment, penetration testing is significantly less valuable.
The existence of controls can be validated by running relevant setting reports from covered systems. Penetration testing, while still valuable, is a costlier endeavor both in terms of time and money.
If You Are Pentesting for SOC 2
If you decide to undergo penetration testing, there are a few different choices you can make. Ultimately, something is better than nothing, so I don’t think you’ll be poorly served if you choose one option over another.
You should first identify the systems in scope for the SOC 2 to determine where to focus penetration tests. If your service organization systems are in the cloud, doing on-premises pen testing may be less valuable. The test won’t completely lack value–after all, your on-premises infrastructure can be leveraged for cloud infiltration–but you may miss critical infrastructure evaluation to support your SOC 2 audit.
You’ll also want to evaluate whether you want an internal or external penetration test or even both. The main distinction between each kind of testing is that an external penetration test validates your perimeter controls while an internal penetration test evaluates the ease with which an intruder can navigate your environment and abscond with data or disable your crown jewels. Put differently: how easy is it for someone to get in vs. how easy is it for someone to take stuff out?
If you can, I’d recommend doing both kinds of pen testing. Doing so will comprehensively validate the efficacy of your end-to-end security controls.
If the pen tests go well, they provide strong evidence to support a SOC 2 audit.
In a similar vein, there are also credentialed and non-credentialed pen tests. As with internal or external, credentialed or non-credentialed tests evaluate different controls and threat mitigation. Credentialed penetration testing avoids the need for testers to steal credentials and focuses more on privilege escalation and lateral movement. Non-credentialed, or uncredentialed, penetration testing focus on a threat actor’s ability to gain access to the environment.
Finally, you need to decide whether you want an automated or manual pen test. Manual penetration testing involves a human attempting to infiltrate your environment. Automated uses automation and machine learning to allow a computer to infiltrate your environment. While automated testing is relatively novel, it’s effective. It iterates on vulnerability scanning by taking actions in an environment based on those vulnerabilities.
Who Can Perform Your Pentest for SOC 2?
A SOC 2 audit can only be performed by an AICPA-licensed Certified Public Accountant. To conduct the audit, they will evaluate numerous forms of evidence, all of which are generated by non-AICPA-licensed individuals.
Considering the penetration test as one of those pieces of evidence, then, there’s no restriction on who can conduct the pen test.
You’ll want to hire someone who knows what they’re doing and has a decent experiential portfolio, especially in pentesting as part of SOC 2 compliance.
Hiring an individual or firm that’s reputable and experienced will give the test more evidentiary weight. It’ll also provide more actionable information to remediate identified deficiencies. Experienced testers will identify security risks more accurately and will be able to provide more in-depth recommendations.
Penetration testing is incredibly valuable. It will identify potential vulnerabilities that a threat actor can exploit. That’s significant for providing good data security controls and validating that they’re operating effectively. By having someone friendly exploit vulnerabilities, you can identify and remediate them.
I’ve heard the objection that identifying gaps in a company’s security posture is disconcerting and uncomfortable. By uncovering those new vulnerabilities, a company will have to face the financial realities of addressing those newly discovered vulnerabilities.
Think of it this way: the problems uncovered by penetration testing exist whether you do the testing or not.
Your security posture is your security posture, whether you know what that is or not. If you don’t know about issues, you can’t implement compensating controls and certainly can’t fix them. If you do know, you can plan how to avoid inevitable data breaches.
You can also think of the costs associated with a data breach. Depending on how much customer data is impacted, you could face hundreds of thousands or millions of dollars in damage. Where being the victim of a cyberattack is a foregone conclusion, the choice is between planning for measurable remediation costs or being saddled with substantial surprise costs.
Finally, your clients will appreciate the sophistication that penetration testing brings. It shows a real attunement to information security and a need for serious cybersecurity efforts. This is especially valuable in the business-to-business context, where your business clients will want an independent certification that you have adequate controls in place and they work.